Irish Data Protection Commission Orders Meta Ireland to Suspend Facebook Data Transfers to the US and Imposes Record GDPR Fine of €1.2 Billion

Gail Crawford, Ian Felstead, Hayley Pizzey, Serrin Turner, Tim Wybitul
Latham & Watkins LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Latham & Watkins LLP

The final decision of the Irish Data Protection Commission (IDPC) [1] in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]

The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.

In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).

No objections were made by other European data protection authorities (CSAs) in relation to all this. However, a number of objections were made by CSAs requesting that the IDPC also make a further corrective order, and impose an administrative fine. These objections could not be resolved, and so were subject to the European Data Protection Board (EDPB) dispute resolution process under Article 65 GDPR.

The EDPB’s decision under Article 65(1) GDPR was adopted on 13 April 2023 (EDPB Decision).[4] It required that the IDPC make a further order requiring Meta Ireland to bring its processing operations into compliance with Chapter V GDPR (the Cessation Order) and that it impose a (very high) administrative fine.

The IDPC Decision was then adopted, on 12 May 2023, on the basis of the EDPB Decision. In addition to the Suspension Order, the IDPC made the Cessation Order and imposed an administrative fine of €1.2 billion.

Meta Ireland has already confirmed that it will challenge the IDPC Decision and the EDPB Decision, and seek a stay, in the courts — see Our Response to the Decision on Facebook’s EU-US Data Transfers. The legal challenges to these decisions are likely to take a number of years, and it remains to be seen what the courts will make of the numerous novel issues which will arise.

The IDPC also made clear that its reasoning may be equally applicable to any internet platform subject to the PRISM programme under Section 702 of the US Foreign Intelligence Surveillance Act 1978 (Section 702 FISA).[5] All such organisations might therefore fear equivalent enforcement action.

However, limited enforcement by EU supervisory authorities against other companies has taken place to date. Moreover, the European Commission (Commission) has already responded[6] to confirm its expectation that the EU-US Data Privacy Framework (DPF), which addresses the issues raised in the Inquiry and was agreed in principle in March 2022, “will be in place by the summer”. The Commission also confirmed that the new and enhanced safeguards provided pursuant to the DPF “will apply to all transatlantic data transfers, regardless of the transfer mechanism used”, including SCCs as well as the Commission’s impending adequacy decision under Article 45 GDPR.

In light of all this, it remains to be seen what action EU supervisory authorities might take against other companies engaged in EU-US data transfers going forward. It also remains to be seen if the unprecedented size of the fine imposed might be exceptional, or whether it heralds a new wave of huge GDPR fines.

Endnotes

[1] Latham & Watkins advises Meta on issues regarding EU-US data transfers, but any views expressed in this update are those of Latham & Watkins only.

[2] Meta Ireland is the entity that provides Facebook in the EU and EEA, and is the data controller for those users’ data.

[3] Available at: https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf.

[4] Available at: https://edpb.europa.eu/system/files/2023-05/edpb_bindingdecision_202301_ie_sa_facebooktransfers_redacted.pdf.

[5] IDPC Decision, at paragraph 10.11. Section 702 FISA applies to “electronic communications service providers”.

[6] Commission statement of 22 May 2023, reported by MLex at: https://content.mlex.com/#/content/1473084/meta-others-can-expect-eu-us-data-flows-deal-by-summer-bringing-legal-certainty-eu-commission-says (subscription required).

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP
Latham & Watkins LLP
Contact
more
less

Latham & Watkins LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide