On the fifth anniversary of the implementation of the General Data Protection Regulation (GDPR) of the European Union, the Irish Data Protection Commission (IDPC) issued a decision imposing a record-breaking fine of 1.2 billion euros on Meta Platforms Ireland Limited (“Meta Ireland”), the owner of Facebook, for breaching rules related to the international transfer of personal data. This penalty was imposed due to the transfer of Facebook users’ personal data from the EU to the United States without ensuring appropriate safeguards.
The fine was imposed because the GDPR establishes conditions for the transfer of data to third countries from the European Union. According to the GDPR, data can be freely transferred to other countries if the competent authorities of the EU determine that the legislation of the receiving country provides adequate protection. In the case of Meta Ireland, the transfer of personal data from the EU to the United States was found to lack appropriate safeguards, leading to the significant penalty.
Since the United States is not on the list of countries providing an adequate level of data protection for EU members, additional conditions must be met for such transfers. The level of data protection prescribed by the laws of a country like the United States can be compensated through agreements between data controllers, processors, and/or recipients. These agreements may include Standard Contractual Clauses (SCC) and an International Data Transfer Impact Assessment (IDTIA). These mechanisms help ensure the protection of personal data during the transfer process.
Despite Meta Ireland conducting data transfers based on a Data Processing Agreement that incorporates the European Commission’s Standard Contractual Clauses (SCC) from 2021, as well as an International Data Transfer Impact Assessment (IDTIA) that identifies the risks and consequences of such transfers, the Irish Data Protection Commission (IDPC) has determined a violation of Article 46(1) of the GDPR in this specific case.
Indeed, in 2020, the European Court of Justice delivered the Schrems II ruling, which tightened the rules for data transfers to third countries. This ruling establishes that standard contractual clauses are still considered good practice but are no longer sufficient on their own. Data controllers cannot solely rely on signed pieces of paper; they must be informed about the level of compliance with the recipient country’s legislation in relation to the GDPR.
In this case, the Irish Data Protection Commission (IDPC), in collaboration with the European Data Protection Board (EDPB) and other European supervisory authorities, concluded that the efforts made by Meta Ireland were not sufficient to protect the rights and freedoms of individuals whose personal data was transferred.
In its decision, in addition to the fine of 1.2 billion euros, the Irish Data Protection Commission (IDPC) also issued an order to Meta Ireland. Within 6 (six) months from the date of the decision’s delivery to Meta Ireland, the company is required to align its data processing practices with the GDPR and cease illegal processing, including the storage of personal data of users from the European Economic Area (EEA) in the United States in violation of the GDPR. Furthermore, Meta Ireland must stop any future transfers of personal data to the United States within five months from the date of the decision.
In response to the decision of the Irish Data Protection Commission (IDPC), Meta Ireland announced that it will file an appeal as it believes the decision is unjust and excessive. Additionally, representatives of Meta Ireland stated that there will be no immediate disruption of Facebook services in Europe.
In Meta Ireland’s response, one of the main points of contention was the fact that the Facebook case was brought to the forefront while other organizations providing their services within Europe use the same legal mechanisms. Meta Ireland argued that many other companies employ similar measures when transferring data to third countries, and this claim certainly holds some truth. From this perspective, it can be said that Meta Ireland is being singled out, and this decision serves as a warning to all entities that additional efforts must be made to ensure the protection of personal data, even when it is transferred to other continents.
It is also worth noting that Meta Ireland has already been fined multiple times by the same authority for non-compliance with GDPR provisions. Furthermore, this monetary penalty exceeds even the fine imposed on Amazon by the Luxembourg National Commission for Data Protection (NCDP) in July 2021, which amounted to 746 million euros for non-compliance with data protection regulations. This makes it currently the highest fine in this field.