Article written by Emilie de Vaucresson, Amanda Dubarry and Camille Leflour.
On 22 May 2023, the Irish Data Protection Commission (the “DPC”), acting as the lead supervisory authority, announced that it had fined Meta Ireland a record €1.2 billion for violating Article 46(1) of the GDPR by transferring personal data to the U.S. without implementing the appropriate safeguards.
Since the invalidation of the Privacy Shield, Meta Ireland had been implementing these transfers on the basis of the standard contractual clauses, in conjunction with additional measures that the DPC considered insufficient in light of the risks to the rights and freedoms of data subjects. The data of its European users is indeed stored in the United States, exposing them to potential surveillance by the US authorities.
The investigation was initially launched in August 2020 as part of a cooperation procedure. The draft decision prepared by the DPC was then submitted to its counterpart regulators in the EU/EEA, who rejected it and referred it to the European Data Protection Board (the “EDPB”).
On the basis of the EDPB’s decision, the DPC adopted the final decision under which Meta Ireland is required:
- to suspend any future transfers of personal data to the United States within 5 months from the date of notification of the decision to Meta Ireland;
- to pay an administrative fine of €1.2 billion – the highest fine ever imposed under the GDPR – justified by the seriousness of the alleged breaches by Facebook’s parent company, which has millions of users in Europe, involving a huge volume of data transferred in violation of the GDPR; and
- to bring its processing operations into compliance with the GDPR by ceasing the unlawful processing, including storage, in the United States of personal data of EU/EEA users transferred without safeguards, within 6 months from the date of notification of the DPC’s decision to Meta Ireland.
In the words of Andrea Jelinek, President of the EDPB, “this sanction is a strong signal to organizations that serious breaches have considerable consequences”. Indeed, it comes in a context of increasing controls on GAFAMs: this sanction is the fourth fine imposed on Meta Ireland in 6 months.
For its part, Meta Ireland describes this fine as “unjustified and unnecessary” and wants to request its suspension in court. In this context, the social network hopes that the European Commission will soon adopt the new draft adequacy decision for data transfer to the United States.
For the time being, as long as no agreement has been reached between Europe and the United States on the framework for data flows to the United States, we would like to remind you that the simple signing of standard contractual clauses is not sufficient to ensure a data transfer that complies with the GDPR. It is necessary to verify that additional guarantees have been implemented by the recipient of data in the United States to ensure the confidentiality of data and the impossibility of access for the American authorities.