Meta has this week been struck with a record-breaking €1.2 billion fine and a formal suspension order for Facebook requiring it not just to halt exportation of European Union user data to the United States, but also to return any data already transferred to the US.
Whilst the impact is primarily felt by Meta, this also sends a clear message to all global organisations that the EDPB is a force to be reckoned with when it comes to international data transfers. Of just as much note as the fine itself is the fact that this decision was the result of the EDPB exercising its powers under GDPR to change the initial decision made by the Irish regulator (DPC) which didn’t impose any financial sanction on Meta. It undoubtedly bolsters uncertainty surrounding liability for international data transfers across the Atlantic – all eyes will now be on whether the new EU-US Data Privacy framework can be negotiated on time to enable a viable alternative.
After almost a decade of litigation, Ireland's Data Protection Commission (DPC) announced on Tuesday that Meta (previously Facebook) violated the GDPR by transferring personal data of European users to the US without sufficiently protecting their fundamental rights from US data surveillance practices.
The penalties imposed on Meta are three-fold:
1. pay an administrative fine of €1.2 billion;
2. suspend any future transfer of personal data to the US within 5 months of the decision; and
3. implement specific measures to bring Meta's processing operations into compliance with Chapter V of the GDPR by ceasing unlawful processing (including storage) in the US of European users' personal data within 6 months of the decision.
Whilst Meta have responded to the decision by labelling the penalties as "unjustified and unnecessary" and have indicated they will seek to appeal the decision, the European Data Protection Board's chair Andrea Jelinek has stated that Meta's infringement is "very serious since it concerns transfers that are systematic, repetitive and continuous".
Max Schrems platform NYOB, which lodged the initial complaint resulting in the penalty, has heralded the decision with a call to further action to end blanket surveillance in the US, whilst at the same time encouraging individuals to sign up for class actions for 'emotional damage' under the EU's new class action system to be introduced this summer.
The decision also – significantly – highlights the point that was already established in the landmark Schrems II decision, that Standard Contractual Clauses are not enough to make sure transfers to 'non-adequate' territories are compliant with GDPR. Even following transfer impact assessment and extensive supplemental measures taken by Meta designed to protect security, there was still a breach of GDPR due to the extent of the potential for surveillance.
There is inevitable concern from many organisations transferring data to the US following this decision, but it is important to note that this decision binds Meta only and specifically applies to data processing by Facebook. Nevertheless, the DPC has stated that, due to the way US surveillance laws operate, "the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider…may equally fall foul of the [transfer rules]."
Please reach out to our data team if you have any questions about this Decision and how it will impact your world and would like to discuss further, we would love to hear from you.