A decision which has prompted much discussion in the last few weeks is that of the Irish Data Protection Commission (DPC), who issued a record fine against Meta Platforms Ireland Limited (Meta) in relation to its breach of Article 46(1) GDPR (international transfers) by continuing to transfer personal data to the United States (US) after the Court of Justice of the European Union decision in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
After the results of the Schrems litigation, Meta made the transfers based on EU SCCs and adopted supplementary measures in respect of the transfers, but the DPC found that these were not enough to ensure an essentially equivalent level of protection for the data subjects.
Yet again, when the DPC’s ruling was reviewed by other data protection authorities, there was disagreement, this time over the question of fining Meta. The DPC considered that a fine would exceed what is “appropriate, proportionate and necessary” to address the infringement, but other data protection authorities disagreed. A referral was made to the EDPB, who considered that the infringement was very serious owing to the systematic, repetitive, continuous nature of the transfers and the following final decision was made:
- Meta must suspend all future transfers of personal data to the US within 5 months of the decision.
- Meta must pay a fine of EUR 1.2bn.
- Meta must bring its processing operations into compliance with Chapter V EU GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the EU GDPR, within 6 months of the decision.
Meta has already indicated in the press that it will appeal this decision and the related legal action will likely be lengthy and costly!
This decision should not be looked upon as a sign that all transfers to the US will be non-compliant: this case has been in progress for 10 years and involves a very high-profile company that sends huge volumes of traffic to the US and is subject to the increased possibility of governmental access to users' data without their knowledge (being classed as an electronic communications service provider). However, given the steps taken by Meta to try to protect the data which was transferred, some have been asking how much more it could have done to safeguard the transfers. It is certainly a decision which is problematic for organisations in a similar sector who, along with many others, will be anxiously looking for the conclusion of the discussions on the EU/US adequacy decision, although, as mentioned in the article above, we are not quite there yet.
A copy of the decision can be found here.