At a Glance

• The Irish Data Protection Commission found Meta Ireland’s transfers of personal data to the U.S. to be in violation of the GDPR.
• Meta Ireland faces an administrative fine of EUR 1.2 billion — the largest GDPR fine issued to date by a significant amount.
• This decision will likely have implications for other international businesses that transfer personal data outside the EU/EEA based on SCCs.

On 22 May 2023, the Irish Data Protection Commission (DPC) issued Meta Platforms Ireland Limited (Meta Ireland) with a EUR 1.2 billion (approximately 1.3 billion U.S. dollar) fine for breaches of the GDPR with respect to EU-U.S. personal data transfers associated with its Facebook service. Meta Ireland has also been ordered to suspend all Facebook-related personal data transfers from the EU to the U.S., and to bring the processing of any previously transferred data into compliance. While it will take some time to digest the 200-page decision and its practical implications, initial key points are set out below.

The Decision

The decision relates to all Meta Ireland’s transfers of personal data to the U.S. which the DPC found to be in violation of Article 46(1) GDPR since 16 July 2020, i.e., the date on which the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II). The CJEU in its Schrems II ruling invalidated the EU-US Privacy Shield as a valid transfer mechanism for international data transfers and held that additional supplementary measures should be in place alongside standard contractual clauses (SCCs) if these are relied upon as a transfer mechanism. While Meta Ireland has effected the transfers on the basis of SCCs adopted by the European Commission (EC) (including those updated by the EC in 2021), and has implemented extensive supplementary measures, the DPC found that these arrangements did not sufficiently address risks to the fundamental rights and freedoms of data subjects. This decision marks the largest GDPR fine issued to date by a significant amount. By way of comparison, the now second largest is the EUR 745 million fine issued to Amazon in Luxembourg. 

Alongside imposing the administrative fine, the DPC made the following orders:

• Requiring Meta Ireland to suspend any future transfer of personal data to the U.S. within five months (made pursuant to Article 58(2)(j) GDPR).
• Requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR by ceasing (within 6 months) unlawful processing in the U.S. of personal data of EU/EEA users that has been transferred to date in violation of the GDPR, including data storage (made pursuant to Article 58(2)(d) GDPR). This essentially amounts to an order that Meta Ireland deletes all data that has been transferred to the U.S. since 16 July 2020. How this would work on a practical level remains to be seen.

Decision-making Process

During the course of the DPC’s inquiry, the cross-border processing under examination was such that a preliminary draft decision was circulated to other concerned supervisory authorities across the EU (CSAs) for the purpose of enabling them to express their views. A number of objections were raised, and it was not possible to reach a consensus on the subject matter of the objections. The DPC referred the objections to the European Data Protection Board (EDPB) for determination under Article 65 GDPR, with the EDPB’s decision being binding upon the DPC and all CSAs.

The EDPB adopted its (now published) decision on 13 April 2023, which directed that certain changes be made to the DPC’s draft decision. The EDPB also instructed the DPC to impose a fine on Meta Ireland and, based on the “high level of seriousness” of the infringement, the EDPB found that the starting point for calculating the fine should be between 20% and 100% of the applicable legal maximum.

Referring back to the EDPB’s judgement in its decision when determining the level of the fine, the DPC notes some of the aggravating factors identified by the EDPB, including that the infringement is of “significant nature, gravity and duration” and committed with “at least the highest degree of negligence.” Also taken into account were the financial position of Meta Ireland and the very significant turnover of the Meta Platforms, Inc. group of companies. 

Analysis of the Decision and Meta’s Response

This is yet another decision that highlights the ongoing discord between the approaches of the EDPB and supervisory authorities, which we have previously discussed in our blog post. There was (surprisingly) agreement between the DPC and EDPB in relation to the infringement itself, i.e., that even with supplementary measures, the reliance on the (both old and new) SCCs by Meta Ireland was insufficient to provide sufficient protection of the rights and freedoms of data subjects. However, only four of the CSAs took the view that Meta Ireland should be subject to an administrative fine for the infringement and just two of those CSAs also took the view that Meta Ireland should be ordered to take action to address the personal data it has already unlawfully transferred to the U.S. since July 2020, both of which were then ordered by the EDPB. By contrast, the DPC’s position was that the exercise of such additional corrective powers, beyond the suspension order, would exceed the extent of powers appropriate, proportionate and necessary to address the infringement. It is clear that the DPC’s orders made against Meta Ireland are only as a result of the binding nature of EDPB decisions.

According to the statement released by Meta, Meta Ireland will be appealing this decision and seeking a stay with the courts to pause the implementation deadlines. The statement also draws attention to the initial draft order by the DPC, which acknowledged that Meta Ireland had continued with EU-U.S. transfers “in good faith” on the basis of a mechanism found to be legal by the CJEU (i.e., the SCCs when implemented with additional safeguards in place), and which is relied upon by a significant majority of organisations seeking to transfer personal data outside the EU to destination jurisdictions with respect to which there is no adequacy decision in place.

Next Steps

This decision will likely have implications for other international businesses that transfer personal data outside the EU/EEA based on SCCs. Indeed, the DPC highlights in its published decision that while this decision is only binding on Meta Ireland, the implication is that any internet platform considered an electronic communications service provider under the FISA 702 PRISM programme may equally be in breach of the GDPR by transferring personal data from the EU to the U.S., even if this is done with the newly updated SCCs and additional safeguards in place. 

The DPC is clear in its decision that this does not directly constitute an outright ban on SCCs in all cases, because the CJEU ruled in Schrems II that such decisions as to the safeguarding of transferred personal data and any supplementary measures must necessarily be taken on a case-by-case basis. However, it is difficult to see how other organisations will be able to put in place effective measures to satisfy regulators, when the DPC and EDPB agreed that the extensive supplementary measures Meta Ireland had implemented (including internal policies, encryption of data in transit and challenging requests for data made by government agencies) were insufficient. It will be important for businesses to understand the specific issues which triggered Meta Ireland’s infringement and address any comparable concerns with their own transfer processes. Controllers must also be cognisant of their ongoing liability with respect to data that is being processed by its processors and sub-processors, in particular processing by large platforms, which may be more likely to fall foul. 

The anticipated adequacy decision for EU-U.S. data transfers, (the Data Privacy Framework/DPF), a draft of which was first published by the EC in 2022, aims to foster safe transatlantic data flows and may be a welcome development for businesses facing these issues. However, the draft DPF faces a number of roadblocks, for example, the EU’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) recently passed a resolution to stop the debate over the draft decision, stating that the proposed DPF and the Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities issued by President Biden in October 2022 do not provide sufficient privacy safeguards. There is a possibility that this most recent DPC decision will spur on European lawmakers to work to overcome any disagreements and implement the DPF quickly — to try to minimise business disruption — but equally this may bolster those who are critical of allowing personal data to be transferred from the EU to the U.S. (and similar jurisdictions) under any circumstances. During a press conference on the matter, a statement from a spokesperson for the EC signalled the ongoing political intent to see the DPF in place by summer — and there will be significant political pressure for this to be in effect before the deadline for Meta Ireland to comply with the DPC’s orders.