Meta Ireland violates the GDPR: What the ruling of the Data Protection Commission means

The recently concluded investigation by the Irish Data Protection Commission (DPC) found serious breaches of the General Data Protection Regulation (GDPR) by Meta Platforms Ireland Limited (“Meta Ireland”). Despite the use of standard contractual clauses and additional complementary measures, the DPC found that Meta Ireland continues to transfer personal data from the EU/EEA to the U.S., which does not address the risks to the fundamental rights and freedoms of data subjects identified in the European Court of Justice (ECJ) ruling.

The response of EU/EEA data protection authorities to Meta’s data breaches

After the Irish Data Protection Commission (DPC) finalized its draft decision, it was submitted for review to its partner supervisory authorities in the EU/EEA, also known as “participating supervisory authorities,” in accordance with the cooperation procedure required by the GDPR. The draft decision included the judgment that Meta Ireland had violated Article 46(1) of the GDPR and proposed to suspend the transfer of data due to these circumstances.

Most of the supervisory authorities involved agreed with the DPC’s position that Meta Ireland had breached the GDPR by continuing to transfer data to the US and that a suspension of these data transfers was necessary. However, a small number (4) of the 47 total participating supervisors objected to the DPC’s proposed corrective action.

These four regulators felt that Meta Ireland should not only suspend the data transfer, but also pay an administrative fine for the misconduct found. Two of these regulators even went a step further and requested that Meta Ireland take additional measures to address the data already unlawfully transferred to the U.S. since July 2020.

These differing views among the supervisory authorities involved highlight the complexity and scope of the case and the importance of a consistent application of the GDPR across the EU/EEA.

The decision of the European Data Protection Board and its impact on Meta Ireland

The European Data Protection Board (EDPB) set a decisive course in April 2023 after a thorough examination and consideration of all the available facts. Based on the findings of the Irish Data Protection Commission’s (DPC) investigation, the panel confirmed Meta Ireland’s serious data protection breaches and made clear that such breaches cannot be tolerated.

As a result, the DPC imposed one of the largest fines ever in the history of data protection. At an impressive €1.2 billion, this fine underscores the seriousness of the breaches and the need for companies to take the importance of data privacy and compliance seriously.

But the measures go even further. Meta Ireland has also been required to align its data processing activities with Chapter V of the GDPR. This means that Meta Ireland must stop the unlawful processing and storage of personal data of EU/EEA users in the US. This is an important step to ensure that the data of EU/EEA citizens is handled in accordance with EU data protection rules, regardless of where the data processing actually takes place.

This decision marks a significant escalation in privacy efforts in Europe and could have far-reaching implications for other technology companies transferring data from the EU/EEA to the US.

Conclusion:

This decision is a significant milestone for data protection in Europe and sends a strong signal to companies that transfer personal data to third countries. Companies must be aware of the risks associated with transferring data from the EU/EEA to countries where data protection does not meet European standards.

For users of Facebook and other meta-services, this means that their data should be better protected. The decision makes it clear that the GDPR not only exists on paper, but is also enforced. However, it remains to be seen how Meta and other companies will react to this decision and what impact it will have on users.