Meta’s €1.2 billion fine for breaches of the EU GDPR

July 10, 2023

On 22 May 2023, the Irish Data Protection Commission (DPC) announced that Meta Platforms Ireland Limited (Meta Ireland) would be subject to a record €1.2 billion fine relating to its Facebook service and Meta Ireland’s unlawful data transfers from the EU/EEA to the US.

The DPC’s decision concludes that Meta Ireland infringed Article 46(1), EU GDPR[1] and that Meta Ireland’s data transfers from the EU/EEA to the US were unlawful. The decision follows the landmark Schrems II ruling,[2] which invalidated the EU-US Privacy Shield (otherwise known as Safe Harbour 2.0) on which many businesses, including Meta Ireland, relied to legitimately transfer data to the US. The Schrems II decision also imposed strict conditions on the use of Standard Contractual Clauses (SCCs), and the DPC concluded that Meta Ireland failed to comply with those conditions, meaning that its transfers to the US were unlawful.

Article 46(1), EU GDPR

Article 46(1), EU GDPR requires businesses who transfer personal data from the EU/EEA to ‘third countries’ (International Data Transfer) to put in place ‘appropriate safeguards’ to ensure that EU/EEA data subjects who are subject to the transfer have enforceable data subject rights and effective legal remedies.

Whilst Meta Ireland sought to rely on SCCs as the appropriate safeguard under Article 46(2)(c), EU GDPR for its International Data Transfers to the US, the DPC found that this was insufficient: the SCCs failed to address the risks, and data subjects did not have equivalent data protection rights and effective legal remedies following the transfer. The main reason for the DPC’s decision, and as highlighted in Schrems II, was that the supplementary measures Meta Ireland introduced did not sufficiently mitigate the risks arising from US surveillance laws.

Sanctions and Appeal

Alongside this record fine, the DPC announced additional sanctions against Meta Ireland as follows:

  • All International Data Transfers from Meta Ireland to the US are suspended, taking effect five (5) months from the date of notification of the DPC’s decision; and
  • Meta Ireland is required to bring its data processing operations into compliance by ceasing any unlawful processing, including storage, in the US and by transferring personal data back to the EU from the US. Meta has six (6) months from the date of notification of the DPC’s decision to do so.

Meta Ireland is expected to appeal the DPC decision; however, in light of Schrems II, the appeal is unlikely to succeed.

What does this mean for future International Data Transfers to the US?

The fine against Meta Ireland brings the Transatlantic Data Privacy Framework (EU-US Framework) back into the spotlight. The EU-US Framework, dubbed Safe Harbour 3.0, is a new mechanism to legitimise International Data Transfers from the EU/EEA to the US, making cross-border transfers between businesses easier. On 10 July 2023, the European Commission published its adequacy decision for the EU-US Framework, meaning that future International Data Transfers to the US will be covered by the EU-US Framework and will not require appropriate safeguards.

What does Meta’s fine mean for your business?

Meta Ireland’s fine does not change the status quo for businesses. The starting point is that if you send or share personal data of EU/EEA data subjects to third countries (including transfers to group companies), you will need to do the following:

  1. Assess whether the receiving business is located in a country deemed ‘adequate’. A list of countries deemed adequate is available here. The US has just been granted adequacy, but during the transition period it is likely that, for immediate International Data Transfers, businesses will continue to rely on appropriate safeguards;
  2. If the receiving country is not deemed ‘adequate’, you will need to rely on one of the appropriate safeguards or derogations, the most likely approach for businesses being the SCCs;
  3. If using the SCCs as the appropriate safeguard, you must conduct a Transfer Impact Assessment (TIA). A TIA will help you determine whether, in the circumstances, there are sufficient protections to ensure EU/EEA data subjects’ rights and freedoms are protected. You will need to consider the local laws of the receiving country, what data protection rules it has in place, whether it respects the rule of law, the access to justice and the likelihood of government access (whether through surveillance laws or otherwise). Note that this risk assessment is a key requirement: using the SCCs without conducting a TIA will invalidate the International Data Transfer; and
  4. You will need to ensure your privacy notices / policies are updated to inform those who are subject to the International Data Transfer (i.e., the data subjects) where and to whom you transfer such data (including any intra-group transfers).

Does this decision impact UK businesses?

The short answer is yes. Whilst the decision is specifically against Meta Ireland and in the context of the EU GDPR (and EU law), the EU GDPR is able to transcend borders as it has extra-territorial effect. This means that if you are a UK business which: (1) offers goods or services to those in the EU/EEA; or (2) monitors the behaviour of data subjects who are based in the EU/EEA, you will need to comply with the EU GDPR. For UK-headquartered businesses with operations and/or clients in the EU/EEA, it is likely you will be subject to a dual data protection regime and will need to comply with both the EU GDPR and the UK GDPR[3].

Comment

If your business engages in International Data Transfers, you need to ensure that you understand the relevant data flows. This can be done by conducting a data flow mapping exercise and recording what types of data you hold, what data is sent, to whom and where. To the extent your business transfers personal data to third countries, you must ensure that you have clear records setting out how you comply with the requirements of Article 46(1), EU GDPR. If relying on SCCs for such transfers, you must ensure you conduct a thorough TIA and, if you identify any risks to data subjects, you must introduce technical and/or contractual measures to mitigate such risks. If such risks cannot be mitigated, you will need to consider alternative options, including suspending such transfers or looking at alternative suppliers in more GDPR-friendly countries.

The approval of the EU-US Framework will undoubtedly be of great relief for businesses. However, businesses should note that the EU-US Framework does not have a retrospective effect, so your business could still be subject to sanctions for non-compliance prior to it being in force.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18

[3] The UK GDPR is the retained General Data Protection Regulation ((EU) 2016/679) (EU GDPR) by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). UK businesses will need to comply with the UK GDPR and the Data Protection Act 2018.

Stuart Smith - Partner
Stephen Cartwright - Associate
