
Data Protection Commission Concludes Inquiry into Meta Ireland

The Data Protection Commission (DPC) has recently announced the conclusion of its inquiry into Meta Platforms Ireland Limited (Meta Ireland), specifically focusing on the transfer of personal data from the EU/EEA to the US for the delivery of its Facebook service. The DPC’s final decision, adopted on May 12, 2023, states that Meta Ireland violated Article 46(1) of the General Data Protection Regulation (GDPR) by continuing to transfer personal data despite the judgment of the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. While Meta Ireland used the updated Standard Contractual Clauses (SCCs) along with supplementary measures, the DPC found that these arrangements did not adequately address the risks to data subjects’ fundamental rights and freedoms identified by the CJEU.

Background of the Inquiry:

The inquiry was initiated in August 2020 and was put on hold by the High Court of Ireland until May 20, 2021, pending the resolution of legal proceedings. Following a comprehensive investigation, the DPC prepared a draft decision on July 6, 2022, which concluded that the data transfers in question were being conducted in violation of Article 46(1) of the GDPR and proposed suspending those transfers. The draft decision was submitted to Concerned Supervisory Authorities (CSAs) in the EU/EEA through a cooperation procedure mandated by the GDPR.

CSAs Agreement and Objections:

The CSAs, acting as peer regulators, agreed with the DPC’s decision regarding Meta Ireland’s non-compliance with the GDPR and the proposed suspension of data transfers. However, four out of 47 CSAs raised objections concerning the corrective powers outlined in the draft decision. All four CSAs believed that Meta Ireland should face an administrative fine for the infringement, and two of them also suggested that Meta Ireland should take action to address the unlawfully transferred personal data.

Dispute Resolution and Final Decision:

Since consensus couldn’t be reached, the DPC referred the objections to the European Data Protection Board (EDPB) for determination through the Article 65 dispute resolution mechanism. On April 13, 2023, the EDPB issued its decision. The DPC’s final decision, based on the EDPB’s determination, exercised the following corrective powers:

  1. A suspension order, under Article 58(2)(j) of the GDPR, requiring Meta Ireland to halt any future transfer of personal data to the US within five months from the date of notification of the DPC’s decision.
  2. An administrative fine of €1.2 billion, reflecting the EDPB’s determination of the need for a fine to sanction the identified infringement. The DPC determined the specific amount based on the assessments and determinations provided by the EDPB.
  3. An order, pursuant to Article 58(2)(d) of the GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR. This includes ceasing the unlawful processing and storage of personal data in the US within six months from the date of notification.

The DPC’s inquiry into Meta Ireland highlights the importance of data protection regulations and the need for compliance with the GDPR. The final decision reflects the DPC’s commitment to enforcing the GDPR and ensuring the protection of data subjects’ rights and freedoms. Meta Ireland will be required to suspend future data transfers, pay a significant fine, and bring its processing operations into compliance with the GDPR within specified timelines.


By Joshi
