Not all fine: Meta fined €1.2 billion and ordered to stop transfers of EU data to US
Wednesday, 28 June 2023
In its decision dated 12 May this year, the Data Protection Commission (DPC) has imposed its largest fine to date, €1.2 billion, on the social media platform Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (Meta), for violations of the GDPR.
The decision centres on an infringement of Article 46(1) GDPR and Meta’s continued transfers of EU/EEA users’ data to the US, despite the CJEU’s ruling in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (Schrems II). The ruling in Schrems II held that Standard Contractual Clauses (SCCs) are a valid safeguard that can be used as grounds for data transfers from the EU/EEA to third countries (third countries being those that are not in receipt of an adequacy decision of the European Commission), provided that the non-EU/EEA recipient country has an equivalent level of data protection to that found in the EU.
The findings
The DPC’s recent Meta decision made findings that,
(i) US law does not provide a level of protection that is essentially equivalent to that provided by EU law,
(ii) Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law,
(iii) Meta Ireland does not have in place supplemental measures which compensate for the inadequate protection provided by US law, and,
(iv) It is not open to Meta Ireland to rely on the derogations provided for at Article 49(1) GDPR, to justify the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US.
The corrective measures
The DPC imposed three corrective measures:
- a €1.2 billion fine,
- an order suspending transfers to the US within 16 weeks of the decision, and
- an order to bring processing into compliance with Article 46 within 6 months.
The DPC adopted the decision following the Article 65 dispute resolution procedure where the European Data Protection Board (EDPB) acts as final decision maker when consensus cannot be reached amongst the 47 GDPR Supervisory Authorities in disputes on matters of cross-border processing. The DPC is bound to adopt the decision of the EDPB, even where it disagrees with all or part of it. In this case, the EDPB imposed the fine, having considered the DPC’s initial position in the draft decision (which uses language from Article 83 GDPR) that “the imposition of an administrative fine in addition to an order directing the suspension of the Data Transfers would not be ‘effective, proportionate and dissuasive’” and that “the critical feature of the Draft Decision, and the corrective measure for which it made provision, was that the data transfers which were found to be unlawful would cease”.
On 9 June last Meta was granted leave from the High Court to bring judicial review proceedings against the decision. In the same hearing on 9 June, Meta successfully argued that an interim stay on the DPC decision should be granted, given the financial loss that would otherwise occur from the DPC’s decision, estimated by Meta to be approximately €714 million. An extension of the stay was granted on 26 June, meaning it will remain in place until the end of July. Max Schrems was the complainant in the DPC decision and the privacy rights organisation he leads, None of Your Business (noyb), is seeking to be joined as a notice party to the case, which Meta has opposed. The US government has sought to be joined as an “amicus curiae” (a friend of the court). Both applications are scheduled to be heard on 10 July.
Does the decision affect my transfers to the US?
Although many column inches have been devoted to the record fine, the suspension of transfers to the US of Meta’s hundreds of millions of EU/EEA users’ data (estimated to be in excess of 400 million users) and the tight timeframe to bring processing into compliance are equally significant. Of particular note is the decision’s guidance on its scope of application, noting that it will bind Meta Platforms Ireland Limited only. The decision states that “....it is not open to the DPC to make an order suspending or prohibiting transfers to the United States generally”. The decision, however, acknowledges that it exposes a situation whereby any internet platform making similar transfers of EU/EEA personal data to the US may equally fall foul of the requirements of Chapter V GDPR.
The decision confesses to having one eye on the imminent EU-US Privacy Framework (the Framework), that is, the US adequacy decision of the European Commission. This is evident where the decision states that the order to suspend transfers “will remain effective unless and until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by way of new measures, not currently in operation, such as the possible future adoption of a relevant adequacy decision by the European Commission pursuant to Article 45 GDPR”, that is, the Framework. The Framework is anticipated to be finalised later this year. The European Parliament voted on 11 May this year to adopt a resolution on the adequacy of the protection afforded by the Framework, giving further momentum to the Framework’s finalisation. It is possible that the Framework will be in place prior to the deadlines of the corrective orders, rendering both orders moot. Pending finalisation of the Framework, transfers may therefore continue to be made to the US using SCCs, provided that the controller puts in place suitable and specific supplemental measures which compensate for the inadequate protection provided by US law.
For further information on data transfers, please contact Seán O’Donnell, Zelda Deasy, Julia Drennan or any member of our Data Protection/GDPR Team.