NEWS | 23 May 2023

Meta fined €1.2bn by Irish Data Protection Commission


REPUBLIC OF IRELAND – The Irish Data Protection Commission (DPC) has fined Meta €1.2bn after an investigation into the transfer of personal data by Facebook between the US and the European Union (EU).


The findings focused on the basis upon which Meta Ireland transfers personal data from the EU and European Economic Area (EEA) to the US in connection with the delivery of its Facebook service.

The inquiry into Meta began in 2020, with a draft decision produced in July 2022 that found that the data transfers carried out by Facebook breached Article 46(1) of the General Data Protection Regulation (GDPR) and that, in these circumstances, the data transfers should be suspended.

The DPC had originally decided that the exercise of additional corrective powers, beyond the proposed suspension order, “would exceed the extent of powers that could be described as being ‘appropriate, proportionate and necessary’”.

However, following an informal consultation process with Concerned Supervisory Authorities, the DPC referred objections to its original decision to the European Data Protection Board (EDPB), which decided against the DPC.

As a result, an order was made to require Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification.

An administrative fine of €1.2bn was also imposed, as well as an order requiring Meta Ireland to bring its processing operations into compliance with the GDPR by ceasing the processing, including storage, in the US of personal data of EU/EEA users within six months.

In a blog post by Nick Clegg, president, global affairs at Meta, and Jennifer Newstead, chief legal officer at Meta, the company confirmed it is appealing the DPC’s decisions and will immediately seek a stay with the courts, which can pause the implementation deadlines, “given the harm that these orders would cause, including to the millions of people who use Facebook every day”.

The statement added: “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.

“It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.”

Chris Combemale, chief executive at the Data & Marketing Association, said: “This is a concerning situation for businesses across the UK, particularly those who have customers based in the EU and who use cloud tech services hosted in the US.

“It highlights a significant challenge when transferring data between the EU and US, especially how businesses use standard contractual clauses to create sufficient privacy safeguards.

“While this ruling doesn’t affect international data transfers between the UK and US or UK and EU, it raises important questions about differing privacy standards between countries outside of the EU with commercial interests inside of it.”

Ashley Winton, fintech and privacy partner at Mishcon de Reya, said: “It is clear that Facebook did introduce additional legal and technical measures to help ensure that the transfer of personal data to the US was legal, however, the Irish DPC in its 222-page report found that they were insufficient. The DPC did suggest, however, that with sufficient encryption the transfers may have been permitted.

“For other social media platforms, this case is a good reminder to keep your practices up to date and under review. Many of the assessments made in advance of EU-US transfers should now be updated and consideration should be given again to whether encryption can be used to frustrate a request to provide personal data to the US government.”