This article was first published in Thomson Reuters Regulatory Intelligence on 12 April 2023 and reflects the personal views of the author, Robert Baugh.
See the sister blog on the €2.5bn of fines dished out to Meta by the DPC in the last 3 years.
Ireland’s DPC gives Meta €1.2bn GDPR fine, orders stop to transfers to USA
On 22 May 2023, the Irish Data Protection Commission (“DPC”) published a landmark decision under EU GDPR against Meta Platforms Ireland Limited, formerly Facebook Ireland (“Meta IE”).
- Meta IE was fined a record €1.2bn under EU GDPR for breach of Article 46 regarding transfers to the USA of personal data of Facebook users in the EEA (“EEA Data”).
- The DPC decided that Meta IE’s use of the official EU Standard Contractual Clauses (“SCCs”) did not provide an adequate level of protection, even with the extensive supplemental measures Meta IE had implemented. This applied to both the 2010 and 2021 SCCs.
- Meta IE was ordered to suspend future transfers of EEA Data to the US within 5 months of the decision.
- And Meta IE was ordered to stop all processing, including mere storage, of previously transferred EEA Data within 6 months of the decision.
It’s worth returning to EDPB Chair Andrea Jelinek’s words in June 2021, when the EDPB adopted the final version of their Recommendations on transfers: “The impact of Schrems II cannot be underestimated: already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels.”
- The Schrems I decision in October 2015 related to Facebook Ireland’s transfer of Max Schrems’ personal data from the EEA to the USA. That decision invalidated Safe Harbor, the adequacy decision allowing transfer of personal data to US organisations that signed up to Safe Harbor’s rules.
- The CJEU’s Schrems II decision in July 2020 related to the same factual context, and that decision invalidated Privacy Shield, the successor to Safe Harbor with very similar rules.
- At least from the date of the Schrems II decision, Meta IE had been transferring personal data to its ultimate parent company in the USA (“Meta US”) based upon the 2010 SCCs and then the 2021 SCCs.
- This DPC decision is the result of the DPC’s own-volition investigation, starting just a month after Schrems II in August 2020, into Meta IE’s use of SCCs for those transfers.
Schrems II and SCCs
In Schrems II, the CJEU decided that US surveillance laws (particularly s702 FISA and EO 12333) were so broad and unrestricted that there was no ‘essential equivalence’ between US and EU laws on the protection of personal data and so Privacy Shield was invalid.
With no adequacy decision now available, the CJEU looked at the most popular, next available ‘transfer tool’ in Chapter V of GDPR: SCCs. The Court confirmed that SCCs per se are a potentially valid transfer tool, but stressed that data exporters must review the law and practice in the destination country, in particular surveillance laws, to see if any supplemental measures need to be put in place to compensate for any shortfall in the protection afforded to personal data by the SCCs.
With only 14 adequacy decisions under EU GDPR, that leaves many countries around the world that arguably have worse government surveillance powers and oversight than the USA, and many of those also receive personal data from the EEA.
Impact on Meta
Financially, this is big but manageable for the Meta group. The DPC noted that Meta US reported revenue of $116.61bn for 2022 alone. And it’s only 25% of the $5bn fine the FTC imposed on Facebook, Inc (as it then was) in 2019 over the Cambridge Analytica affair.
Operationally and commercially, it’s the order to stop transfers, and delete the previously transferred EEA Data, that have the potential to really hurt Meta. But will that happen?
Privacy Shield’s successor: the DPF
As the DPC noted, on 7 October 2022, President Biden signed Executive Order 14086 and the US Attorney General signed Rule / Regulations 28 CFR 201, establishing, within the US Department of Justice, a “Data Protection Review Court”.
These steps were to bring in the US aspects of the EU-US Data Protection Framework (“DPF”), intended to be the successor to Privacy Shield. The EU process is nearing completion, with an adequacy decision from the European Commission on the DPF expected in summer 2023.
But the DPF is not in place yet. The US aspects aren’t operational yet. And the DPF will not be retrospective.
How will this play out?
Meta IE has already said it will appeal the decision. In the author’s view, that appeal will fail.
The DPC’s decision was not a surprise to practitioners and is in line with several prior decisions from EU regulators holding that the use of Google Analytics, due to transfers to the USA post-Schrems II, was contrary to EU GDPR for the same reason. Again in the author’s opinion, the level of the fine may be reduced, but it’s hard to argue with the logic of the rest of the order under current EU law and regulator decisions.
What will most likely change is that the DPF adequacy decision will be adopted before the 6-month period to achieve compliance on transfers expires, negating the need for Meta IE to suspend future transfers.
Areas of note
- Derogations – This was obiter but the DPC reviewed decisions and guidance before deciding that derogations in Article 49 are to be the exception and that no derogation would work (apart from potentially consent) if one of the ‘essences’ of the Charter-based rights was not respected (here, the legal remedy for EEA data subjects).
- Supplemental measures – The DPC reviewed Meta IE’s significant supplemental measures (organisational, technical and legal) before saying they all amounted to naught in the face of a valid legal order on Meta US to hand over EEA Data.
- DPC overruled again – The DPC had not wanted to fine Meta IE, nor impose any order regarding previously transferred EEA Data. However, under the Article 60 cooperation procedure, the French, German, Spanish and Austrian SAs in particular disagreed, as finally did the EDPB: the DPC was left with no choice.
- Risk-based approach – Tantalisingly, the DPC stated that: “the EDPB Supplemental Measures Recommendations do not exclude a so-called risk-based approach...” But then went on to say that: “the risk-based approach called out by Meta Ireland as being identified in the GDPR can have no application where the essence of one or more of the Charter-based rights engaged is not respected.” Arguments on a risk-based approach to transfers at least live to fight another day, when all Charter-based rights are respected.
- Meta’s intent – The EDPB stopped short of saying Meta IE had wilfully infringed GDPR. While the DPC felt that the breach was unintentional, other SAs were not so sure (not least due to Meta’s involvement in both Schrems decisions). The EDPB concluded [page 159, para 110 et seq]: “that there are sufficient indications that Meta IE committed the infringement of Article 46(1) GDPR knowingly.” However, “the EDPB takes the view that, on the basis of the objective elements in the case file, ‘wilfulness’ on the side of Meta IE is not fully demonstrated.” And: “In light of the above, the EDPB takes the view that Meta IE committed the infringement at least with the highest degree of negligence and this has to be taken into account when deciding whether an administrative fine should be imposed.”
- Review your transfers under EU GDPR (and UK GDPR, though those carry far less risk at present given the UK’s enforcement record).
- Identify transfers to non-adequacy countries and try to eliminate or reduce them, for example by keeping data in the EEA, or by anonymising or encrypting it beforehand.
- Where you can’t avoid a transfer, revisit your transfer impact assessments and the EDPB Recommendations, with a focus on encryption and the supply chain.
Make Privacy Compliance Intuitive & Simple
If you’ve enjoyed these practical insights into this complex topic, why not see how Keepabl’s multi-award-winning Privacy Management Software can give you instant insights into your Privacy Compliance status, helping you create and maintain your GDPR governance framework and instantly highlighting gaps and creating needed reports.
Organise your demo today!