It won’t have escaped your notice that the long awaited Irish Data Protection Commission’s (IDPC) final decision in the Meta international data transfers inquiry was published on 22 May 2023. The decision has grabbed the headlines with the largest ever GDPR fine of €1.2 billion, coupled with an order requiring Meta to cease all future transfers of personal data to the USA within 5 months of the decision and cease the “unlawful processing, including storage, in the USA of personal data of EU/EEA users that was transferred in violation of the GDPR”, within 6 months.
All this despite the fact that Meta was using the standard contractual clauses and supplementary measures post Schrems II (as were many other businesses). The IDPC made it clear in its press release that while the concerned supervisory authorities (CSAs) agreed with the IDPC’s proposal to make an order to suspend the data transfers they could not reach agreement on the other corrective measures. Perhaps unsurprisingly Germany, France, Spain and Austria were the four CSAs who disagreed with the IDPC draft decision, in particular they wished for a substantial fine, and when a consensus could not be reached the Article 65 dispute resolution mechanism procedure was invoked. This resulted in the EDPB binding decision and the decision we have today.
Many are asking what about the Data Privacy Framework and the potential EU adequacy decision for the USA? Well while it will certainly help many, it will not help everyone as certain sectors may well fall outwith the scope, e.g. financial services. Whatever sector you operate in, privacy and risk and compliance professionals look to have a busy summer ahead!
Meta Ireland has stated it will appeal the decision. What impact may this have? Will it stay proceedings until a potential adequacy decision is reached? Following the WhatsApp case CJEU (T-709-/21), it is clear Meta will need to apply to the Irish High Court, as part of its appeal against the IDPC’s decision, in order to ask the court to make a preliminary reference to the Court of the European Union (CJEU) regarding the validity of the EDPB’s decision. This is a lengthy process and therefore could well have the desired effect of an adequacy decision being reached in the interim.
There is a lot to unpick and analyse in this decision to understand what this means for your business. Check back later this week where our experts will publish their thoughts and recommended next steps in light of this decision.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”