Ireland’s Data Protection Commission (DPC) has published a press release on May 22, announcing that the inquiry into Meta Ireland, the Dublin-based company that manages Facebook not only in Ireland but throughout Europe, has been concluded.
Major media outlets such as The Guardian and the New York Times immediately made headlines with the results of that investigation, which culminated in a fine of 1.2 billion euros (1.0 billion pounds) imposed on Meta on May 12, 2023, for transferring the personal data of European data subjects internationally in violation of Article 46(1) of the General Data Protection Regulation (GDPR). Article 46 is entitled “Transfers subject to appropriate safeguards”, and paragraph (1) establishes the following text:
Meta Ireland transferred and shared personal data on the basis of the updated Standard Contractual Clauses (SCCs) adopted by the European Commission in 2021, together with alleged additional supplementary measures (which were not notified to the DPC). The DPC therefore concluded that such contracts do not effectively address the risks to data subjects’ fundamental rights and freedoms. This is consistent with the Schrems II judgment delivered by the European Court of Justice (ECJ) on July 16, 2020, in a case brought by the Austrian privacy activist Max Schrems. He raised his concerns on the basis of Edward Snowden’s disclosures of confidential US government information, which made it clear that the personal data of European citizens is not sufficiently protected from the reach of US intelligence agencies once it is inside the country.
This judgment was emblematic, as it struck down the Privacy Shield, the framework that had imposed stricter obligations on US companies to protect the personal data of European citizens. Under it, the US was required to robustly monitor and enforce those obligations and to cooperate with the European data protection authorities.
It is important to note that the decision by the DPC was submitted to the European Data Protection Board (EDPB) for validation in accordance with the dispute resolution mechanism of Article 65 of the GDPR, with the EDPB issuing its decision on 13 April 2023.
Accordingly, the decision rendered by the DPC on May 12, 2023 is not limited to the fine; it consists of the three main points listed below:
1. an order, made pursuant to Article 58(2)(j) GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
2. an administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed, to sanction the infringement that was found to have occurred. The DPC determined the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision); and
3. an order, made pursuant to Article 58(2)(d) GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland.
This decision, however, is not limited to Meta Ireland. It sets a precedent for numerous IT companies, especially the large social networks, which process and share the personal data of millions of data subjects globally, Europeans in particular. Such data generally consists of name, e-mail address, postal address, telephone number and, sometimes, bank details.
Another point that draws attention is item 3 of the decision above: companies such as Meta Ireland will have to adopt effective measures to ensure that personal data transferred to the US receives the same degree of protection that the GDPR confers on it in European territory. How can they do this in the face of laws such as the US National Security Act, which allows the authorities to do whatever is necessary to ensure the country’s security? There is a relatively simple answer to this question: do not transfer such data to the US at all, and instead store it in European territory, following the guidelines established by the GDPR and other relevant regulations.
In view of this decision, the transfer of personal data of European citizens to countries with national security acts or other laws that override the protection of personal data can no longer be supported only by SCCs, even if updated by the European Commission in 2021.