Meta Ireland was fined €1,2bn by the Irish Data Protection Commission for noncompliance with the GDPR in relation to transfers of personal data from the EU/EEA to the US
Meta Platforms Ireland Limited (“Meta Ireland”, formerly Facebook Ireland Limited) has been fined €1,2bn by the Data Protection Commission (DPC) in Ireland for transferring personal data from the EU/EEA to the US in relation to its platform Facebook without implementing appropriate supplementary measures. The DPC, which acts as the lead regulator for Meta in the European Union, found that the social media giant had failed to comply with Article 46 (1) GDPR requirements in connection with the CJEU judgement in the Schrems II case. According to the DPC press release, Meta has also been given five months to “suspend any future transfer of personal data to the US” and six months to cease “the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR”. This means that Meta will need to move any personal data of EU/EEA users currently stored in their servers in the US.
The Irish Data Protection Commission (DPC) found that Meta did not have proper safeguards in place for the transfer of personal data to the US and did not properly address the risks to data subjects involved.
Following the CJEU judgement in the Schrems II case, any transfers of personal data to a third country based either on Standard Contractual Clauses or Binding Corporate Rules should be accompanied by a risk assessment that would help to identify whether the recipient country grants a level of data protection equivalent to the one granted under the GDPR and to determine the supplementary measures required to protect the fundamental rights and freedoms of the data subjects whose personal data is transferred. According to the DPC, whereas Meta used these tools and safeguards, they were implemented in a way that did not properly address the risks to the data subjects involved.
The nature of the transfers and the large amount of personal data were key elements in the decision
In the EDPB news release, Andrea Jelinek, EDPB Chair, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.” This case shows that using Standard Contractual Clauses and having a risk assessment in place are not necessarily sufficient safeguards for the lawfulness of international data transfers. The controller needs to carry out a case-by-case analysis taking into account all of the relevant elements of the specific transfer, including the nature and purpose of the transfer as well as the type and amount of data transferred, in order to ensure that the measures implemented provide effective protection against the risks identified.
This decision may have wider implications also for other businesses.
International transfers of personal data are now in the focus of GDPR enforcement by the supervisory authorities in EU/EEA and this fine being the largest one imposed since the GDPR started to apply is an example of how seriously compliance with the relevant rules should be taken by businesses transferring personal data to third countries. While the EU and US are trying to reach a new agreement on an EU-US data privacy framework, the use of Standard Contractual Clauses or Binding Corporate Rules together with a risk assessment and effective supplementary measures is the only one mechanism that would currently allow a lawful transfer of personal data to the US or any other country outside the EU/EEA.