Irish data protection authority fines Meta billions: A turning point for data protection in Europe?

Key Facts

Meta Ireland violates the GDPR when transferring personal data to the USA.
The DPC came to the conclusion that a suspension of data transmission was necessary.
Smaller supervisory authorities are additionally demanding administrative penalties for Meta Ireland for data protection violations.
The fine of 1.2 billion euros illustrates the seriousness of the violations.
Meta Ireland must adapt its data processing practices to the GDPR.
The decision strengthens data protection in Europe and could influence other technology companies.
Companies must be aware of the risks involved in transferring data to insecure third countries.

Meta Ireland violates the GDPR: What the ruling of the Data Protection Commission means

Content Hide

1. Meta Ireland violates the GDPR: What the ruling of the Data Protection Commission means

2. The response of EU/EEA data protection authorities to Meta’s data breaches

3. The decision of the European Data Protection Board and its impact on Meta Ireland

4. Conclusion:

4.1. Author: Marian Härtel

The recently concluded investigation by the Irish Data Protection Commission (DPC) found serious breaches of the General Data Protection Regulation (GDPR) by Meta Platforms Ireland Limited (“Meta Ireland”). Despite the use of standard contractual clauses and additional complementary measures, the DPC found that Meta Ireland continues to transfer personal data from the EU/EEA to the U.S., which does not address the risks to the fundamental rights and freedoms of data subjects identified in the European Court of Justice (ECJ) ruling.

The response of EU/EEA data protection authorities to Meta’s data breaches

After the Irish Data Protection Commission (DPC) finalized its draft decision, it was submitted for review to its partner supervisory authorities in the EU/EEA, also known as “participating supervisory authorities,” in accordance with the cooperation procedure required by the GDPR. The draft decision included the judgment that Meta Ireland had violated Article 46(1) of the GDPR and proposed to suspend the transfer of data due to these circumstances.

Most of the supervisory authorities involved agreed with the DPC’s position that Meta Ireland had breached the GDPR by continuing to transfer data to the US and that a suspension of these data transfers was necessary. However, a small number (4) of the 47 total participating supervisors objected to the DPC’s proposed corrective action.

These four regulators felt that Meta Ireland should not only suspend the data transfer, but also pay an administrative fine for the misconduct found. Two of these regulators even went a step further and requested that Meta Ireland take additional measures to address the data already unlawfully transferred to the U.S. since July 2020.

These differing views among the supervisory authorities involved highlight the complexity and scope of the case and the importance of a consistent application of the GDPR across the EU/EEA.

The decision of the European Data Protection Board and its impact on Meta Ireland

The European Data Protection Board (EDPB) set a decisive course in April 2023 after a thorough examination and consideration of all the available facts. Based on the findings of the Irish Data Protection Commission’s (DPC) investigation, the panel confirmed Meta Ireland’s serious data protection breaches and made clear that such breaches cannot be tolerated.

As a result, the DPC imposed one of the largest fines ever in the history of data protection. At an impressive €1.2 billion, this fine underscores the seriousness of the breaches and the need for companies to take the importance of data privacy and compliance seriously.

But the measures go even further. Meta Ireland has also been required to align its data processing activities with Chapter V of the GDPR. This means that Meta Ireland must stop the unlawful processing and storage of personal data of EU/EEA users in the US. This is an important step to ensure that the data of EU/EEA citizens is handled in accordance with EU data protection rules, regardless of where the data processing actually takes place.

This decision marks a significant escalation in privacy efforts in Europe and could have far-reaching implications for other technology companies transferring data from the EU/EEA to the US.

Conclusion:

This decision is a significant milestone for data protection in Europe and sends a strong signal to companies that transfer personal data to third countries. Companies must be aware of the risks associated with transferring data from the EU/EEA to countries where data protection does not meet European standards.

For users of Facebook and other meta-services, this means that their data should be better protected. The decision makes it clear that the GDPR not only exists on paper, but is also enforced. However, it remains to be seen how Meta and other companies will react to this decision and what impact it will have on users.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Facebook KI Privacy Regulation Standard contractual clauses