Final decision adopted on May 12, 2023 states Meta infringed art 46.1 GDPR when it continued to transfer personal data from EU/EEA to US post EU Schrems judgment.
While Meta transferred on basis of updated Standard Contractual Clauses (SCCs) 2021 plus additional supplementary measures implemented by Meta Ireland, arrangements did not address risks to rights, freedoms of data subjects identified in cited judgment.
The inquiry was initially commenced in Aug. 2020, subsequently stayed by Order of High Court of Ireland, pending resolution of legal proceedings, until May 20, 2021.
Following comprehensive investigation IRE DP prepared a draft decision Jul. 6, 2022.
Findings and EU Assessment
Data transfers in question were being carried out in breach of art 46.1 GDPR.
Thus, in these circumstances, the personal data transfers should be suspended.
Under cooperation procedure mandated by GDPR art 60 draft decision prepared was submitted to peer regulators in EU/EEA, Concerned Supervisory Authorities (CSAs).
The nature of processing under examination was such that all other EU/EEA Supervisory Authorities were engaged as CSAs for purpose of cooperation procedure.
4 of 47 CSAs raised objections re corrective power IRE DP proposed to exercise in dec.
Within this subset of CSAs, all took view that Meta Ireland should be subject to administrative fine for the infringement that was found to have occurred.
2 of those also took view Meta Ireland should be ordered to take action to address data already unlawfully transferred to US i.e. data transferred from Jul. 2020 to date.
IRE DP disagreed, said exercise of additional corrective powers, beyond suspension order, would exceed what is appropriate, proportionate, necessary to address breach.
As it became clear consensus could not be reached IRE DP referred the objections to EDPB for determination pursuant to the art 65 GDPR dispute resolution mechanism.
EU Dispute Resolution
EDPB adopted decision on Apr. 13, 2023, IRE DP adopted its decision on May 12, 2023.
Order per art 58.2.j) GDPR requires Meta to suspend any future transfer of personal data to US within period of 5 months from date of notification of IRE DP decision.
Administrative fine of €1.2 billion reflects EDPB’s determination that administrative fine ought to be imposed, to penalize the confirmed infringement.
Amount set by reference to assessments and determinations included in EDPB’s dec.
Order per art 58.2.d) GDPR requires Meta Ireland to bring its processing operations into compliance with Chapter V GDPR, by ceasing unlawful processing, including storage, in US of personal data of EU/EEA users transferred in violation of the GDPR.
To be done within 6 months following date of notification of IRE DP decision to Meta.
Post brief description of affair said fine, largest GDPR fine ever, imposed on Meta’s transfers of data to US on basis of standard contractual clauses since Jul. 16, 2020.
EDPB Chair said the EDPB found Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous.
Facebook has millions of users in EU so volume of personal data transferred massive.
Unprecedented fine is strong signal serious infringements have far-reaching results.
EDPB binding decision instructed IRE DP to amend its draft decision, impose a fine.
Given seriousness of infringement, EDPB found that the starting point for calculation of the fine should be between 20% and 100% of the applicable legal maximum.
Final decision taken by IRE DP is available in Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
EU EDPB; IRE DP
PR 5/22/2023; Dec 5/12/2023; Dec 4/13/2023; Case C-311/18; GDPR Reg 2016/679
Compliance; Legal; Operations; Privacy; Product Administration; Record Retention; Risk; Technology