26 May 2023

Record Fine for Meta Ireland sets up potential Face-off on trans-Atlantic data flows

On May 22nd, the Irish Data Commission (‘DPC’) published its final findings in its investigation into Meta Ireland’s transfers of personal data to its parent company in the United States. Meta Ireland is the data controller for personal data on its Facebook, Instagram and WhatsApp platforms across the EU. The DPC’s final decision includes a fine of EUR 1.2 billion, and an order for Meta Ireland to cease transferring personal data.

Despite Meta’s use of the updated 2021 EU Standard Contractual Clauses, and additional supplementary measures of protection for personal data, the DPC found that these steps were insufficient to address the requirements set out by the CJEU in the Schrems II decision (see our previous commentary here).

As well as being the largest fine issued under the GDPR (totalling around 50% of all previous fines under the GDPR put together), the DPC ordered Meta Ireland:

i) Within 12 weeks, to cease transferring personal data to the US; and

ii) Within six months, to cease storing and/or processing in the US, personal data of individuals to whom the GDPR applies and which has been unlawfully transferred to the US.

The DPC’s draft decision (see our past commentary here) did not include such a large fine against Meta, but the final decision issued on May 22nd includes elements emanating from the European Data Protection Board’s (‘EDPB’) binding GDPR Article 65 decision, pursuant to which other EU national data protection authorities considered the draft decision (which has EU-wide effect). Objections raised during that process meant that the draft decision was subject to the EDPB’s review procedure, following which the DPC was charged with implementing mandatory orders in its final decision.

Facebook’s President of Global Affairs, Nick Clegg, released a statement confirming that Meta Ireland would appeal the decision, saying of the decision that ‘[it is an] unjustified and unnecessary fine, and [we shall] seek a stay of the orders through the courts.’

Facebook’s statement also insisted that the fine was not due to the company’s specific actions, but rather to the ‘fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans.’ As noted in our Data Blast at the time (here), US President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the ‘Executive Order’), which is a step toward a new Privacy Shield, after Schrems II. However, as noted in our past commentary (here), progress toward a determination on the adequacy of those measures has been slow. It remains to be seen whether a replacement for Privacy Shield will be adopted before the DPC’s deadline for Meta to cease transferring personal data to the US, but this week’s decision will surely add pressure on European authorities to progress their consideration of the Executive Order, to seek to avoid a ‘cliff edge’ for Meta Ireland in August.

In its annual report to the US Securities and Exchange Commission for the year ending December 31st, 2021 (here), Meta had stated:

‘If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.’

Now that the EDPB and the DPC appear to have called this bluff, all eyes will be on an appeal by Meta, and in the absence of a new data transfer mechanism (or stay of the DPC decision pending an appeal by Meta Ireland), whether Meta Ireland does indeed restrict access to users in the EU. Perhaps foreseeing the severity of such a move, Meta Ireland’s VP of Public Policy, Markus Reinisch, appeared to row back from the SEC report, stating:

‘Meta is not wanting or ‘threatening’ to leave Europe and any reporting that implies we do is simply not true. Much like 70 other EU and US companies, we are identifying a business risk resulting from uncertainty around international data transfers.’