Meta handed the largest fine in GDPR history for breach of international transfer provisions

On 22 May 2023, Ireland’s Data Protection Commission (the Irish DPC) announced that it is fining Meta (formerly known as Facebook) €1.2 billion, following the decision of the European Data Protection Board (EDPB) on 13 April 2023, which recommended the imposition of an administrative fine. The fine is the largest imposed under the EU GDPR to date.

In addition to the fine, Meta’s Irish entity must:

• suspend further transfers of personal data from the EU to the US within five months; and
• bring its processing operations of data already transferred to the US into compliance with the EU GDPR within six months.

Under the EU GDPR, organisations are generally permitted to transfer personal data to non-EEA countries which the European Commission has deemed to have an equivalent standard of data protection (such as the UK), known as an ‘adequacy decision’. If there is no adequacy decision, organisations must ensure “appropriate safeguards” pursuant to Article 46 of the EU GDPR are in place. 

The last EU / US adequacy decision (known as “Privacy Shield”) was deemed non-EU GDPR compliant in Schrems II given concerns about US surveillance programmes. In the same decision the court affirmed the validity of standard contractual clauses, provided that they are combined with an appropriate risk assessment and additional safeguards. Following that decision, Meta continued to transfer personal data to the US by adopting standard contractual clauses (SCCs), a set of model clauses issued by the European Commission and which many organisations rely on. Meta relied upon the updated SCCs adopted by the European Commission in 2021 (following the Schrems II decision), in conjunction with various additional safeguards.

However, the Irish DPC has determined that Meta’s arrangements still do not sufficiently address the risks of the transfers to the fundamental rights and freedoms of EU data subjects. Meta had not done enough to comply with the EU GDPR because it could not “guarantee a level of protection to data subjects that is essentially equivalent to that provided by EU law”.

There are some key takeaways from the decision.

1. Without an adequacy decision, the potential exposure of organisations transferring data abroad to challenge by data protection regulators is significantly greater (and greater still for high profile companies like Meta). President Biden issued an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” in October 2022 to lay the groundwork for a new adequacy decision for transfers to the US which can withstand legal challenge. However, the process towards a new adequacy decision has recently stalled following concerns raised by the EU’s Committee on Civil Liberties, Justice and Home Affairs that the proposals do not provide sufficient privacy protection.
2. For the time being, organisations transferring data from the EU to the US have little option but to bear the burden of trying to otherwise stay EU GDPR-compliant, while remaining mindful of the material risk that they could have to justify their actions to a regulator. The steps each organisation needs to take to best protect itself will depend on the nature of the personal data being transferred. But in all cases, seeking appropriate advice in advance of the transfers, and keeping detailed records of the decision-making process and actions taken, are essential.
3. SCCs are not a “rubber-stamping” exercise, and organisations must engage meaningfully with the requirements of the legislation and with guidance from the regulatory authorities (in the EU, the EDPB, and in the UK, the ICO). Indeed, the fact that the transfers had been ongoing for a number of years (albeit in reliance on the latest SCCs and additional safeguards) was itself considered an aggravating factor for the purposes of determining the level of fine to be imposed.
4. The Irish DPC decision is not binding in the UK, and the UK ICO may well have reached a different decision to the Irish DPC (which itself was compelled to impose more severe corrective measures following a referral to the EDPB).
5. The UK is currently considering draft legislation aimed at softening the relevant requirements under the UK GDPR (which derives from the EU GDPR) and relaxing the requirements for the UK Government to issue its own adequacy decisions. This is, however, a double-edged sword for the UK’s adequacy in the eyes of the EU:  if the EU determines the UK’s new regime to be inadequate, UK organisations could find themselves able to transfer data more freely to the US, but in a more difficult position with respect to transfers from the EU.

Meta has said it will appeal the decision.

Data Protection Commission announces conclusion of inquiry into Meta Ireland | 22/05/2023 | Data Protection Commission