Once again, about the legal aspects of EEA-US personal data transfers in the context of the €1.2 billion fine recently imposed on Meta Ireland for unlawful processing

At the end of May 2023, the Irish Data Protection Authority (the “IE DPA”) fined Meta Ireland €1.2 billion and ordered the company to suspend its transfers of personal data to the USA for infringing Article 46(1) of the GDPR on the conditions for international transfers of personal data. The fine was imposed further to the EDPB's “Binding decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR)” of 13 April 2023. By that decision, the EDPB instructed the IE DPA, in its final decision, to impose a fine on Meta Ireland in an amount ranging between 20% and 100% of the applicable legal maximum under Article 83 of the GDPR, and to order Meta Ireland to cease the unlawful processing, including storage, in the USA of personal data of EEA users.

By way of background, since the judgment of the Court of Justice of the European Union delivered on 16 July 2020 in Case C-311/18, EEA companies have been unable to base their international data transfers to the USA on an adequacy decision. The use of standard contractual clauses (“SCCs”) under Article 46(2)(c) of the GDPR has remained the only practical option for such transfers, provided, however, that additional safeguard measures ensuring an essentially equivalent level of data protection at their US counterparties are implemented alongside the SCCs.

The administrative sanction imposed on Meta Ireland and the related decision of the EDPB consolidate the rule that SCCs alone, without appropriate additional safeguards put in place at the US importer of personal data, do not suffice to claim compliance with the GDPR rules on data transfers.

Two other key takeaways:

• Companies engaging in unlawful data transfers to the USA can receive both a punitive administrative fine and a suspension order as complementary corrective measures; and

• When calculating the final amount of the fine, the lead supervisory authority uses the total worldwide annual turnover of the undertaking concerned for the preceding financial year, where such undertaking includes all entities from the group and their combined turnover is used as a basis to calculate the fine.

From a separate, though related, perspective, the adequacy decision procedure regarding the USA is currently not showing satisfactory progress, because the EU-US Data Protection Framework, as proposed by the European Commission, has faced considerable criticism at the European Parliament. As of this date, it seems unlikely that an EU-US adequacy framework will be set up shortly. That is why EEA companies that transfer personal data to the US shall conduct thorough transfer impact assessments and adopt appropriate additional safeguard measures that ensure an essentially equivalent level of protection at the relevant US data importer.

You can read the Binding decision 1/2023 of the EDPB:

https://edpb.europa.eu/system/files/2023-05/edpb_bindingdecision_202301_ie_sa_facebooktransfers_en.pdf