In a remarkable development that has sent shockwaves across the digital domain, Ireland’s Data Protection Commission (DPC) has imposed a €1.2 billion fine to conclude its long-term investigation into Meta Platforms Ireland Limited – formerly Facebook Ireland – over its data transfers from the EU/EEA to the United States. Let us take a look at what happened.

Understanding international data transfers

The GDPR has strict rules for transferring personal data outside the EU, requiring it to be performed through adequate data transfer mechanisms such as adequacy decisions, Standard Contractual Clauses (SCCs), and sufficient safeguards, among others. The goal is to ensure that the rights of data subjects are not compromised when their information is transferred outside the European Union. A key aspect of this involves verifying that the recipient country has comprehensive and comparable data protection laws capable of safeguarding the privacy rights of data subjects.

Previously, data transfers to the United States were permitted under a framework known as the EU-US Privacy Shield. This was designed to help companies meet data protection requirements when transferring personal data from the EU to the US. However, the Privacy Shield was invalidated in 2020 by the Court of Justice of the European Union (CJEU) in a case known as Schrems II, which ruled that the United States’ protection of data subjects was inadequate, primarily due to its extensive government surveillance capabilities. This precedent left businesses uncertain about how to lawfully transfer data to a country in which many European companies have a presence.

The case against Meta

The heart of the fine is Meta’s violation of Article 46(1) of the General Data Protection Regulation (GDPR). As part of a multinational group, Meta Platforms Ireland Limited regularly transfers its users’ personal data to Meta Platforms Inc., its U.S.-based headquarters.

After the precedent set by the CJEU, Meta continued to transfer personal data to the U.S., relying on the SCCs adopted by the European Commission, as well as intra-group agreements between Meta Ireland and Meta U.S. However, the DPC found these measures to be insufficient in addressing the risks identified by the CJEU, as the personal information could still be accessed by the United States government when access requests were made under U.S. law.

According to the CJEU precedent, the DPC found that the SCCs and intra-group agreements used by Meta failed to provide an adequate level of protection for users’ rights. This is because the data recipient (Meta U.S.) is bound by the laws of the U.S., a country where public authorities can interfere with the privacy rights of data subjects. To make the transfer lawful, Meta would have needed to introduce supplementary measures to compensate for the lack of protection in the U.S. While Meta did indeed implement some additional organizational, technical, and legal measures, they were insufficient to counteract the failings of U.S. law and therefore did not offer appropriate safeguards for personal information and data subjects’ rights.

As a result, the DPC:

  • Imposed a €1.2 billion fine;
  • Ordered Meta to align its processing operations with Chapter V of the GDPR. This includes ceasing the unlawful processing, including storage, in the U.S. of personal data of EU/EEA users within six months; and
  • Ordered the suspension of future transfers of personal data to the U.S. within five months.

Meta’s current position

In response to this ruling, Meta has asserted that it acted in good faith. The tech giant emphasized the importance of cross-border data transfers, which form the foundation of the global open internet. It pointed out that thousands of businesses depend on this mechanism for uninterrupted operations and delivering crucial services.

Meta also drew attention to the regulatory uncertainty that arose from the invalidation of the Privacy Shield in 2020, which left businesses uncertain about how to properly transfer data to the United States. Despite this, Meta maintained that the SCCs were compliant with the GDPR. Meta expressed its disappointment at being singled out despite using the same legal mechanisms as many other companies.

Meta has also criticized the decision for setting a potentially harmful precedent for other businesses and is preparing to appeal against the decision and the orders imposed. It aims to pause the implementation deadlines via a court stay.

The current complexity of international data transfers from the EU to the U.S.

The discussion surrounding international data transfers from the EU to the U.S. is complex, combining legal, political, and technological dimensions. The core challenge is balancing the need for cross-border data flow (for business and service provision) with strict data privacy requirements that protect individual rights.

The invalidation of the Privacy Shield by the CJEU has left a void in the legal mechanisms for EU-US data transfers, casting doubts on the viability of mechanisms like SCCs. As the Meta situation illustrates, the validity of SCCs is no longer assured, especially when the recipient country provides its government extensive surveillance capabilities that interfere with privacy rights that are considered fundamental within the European Union.

The underlying legal conflict between U.S. data access rules and European privacy rights is one that individual companies cannot resolve. Consequently, policymakers in both the EU and the U.S. are trying to disentangle the situation with a new Data Privacy Framework (DPF). For the last year, the U.S. government and European institutions have been working on an agreement for a new framework to enable the free flow of transatlantic data. Policymakers on both sides of the Atlantic have committed to fully implementing the DPF as quickly as possible. However, until the DPF is implemented, uncertainty persists.

The verdict on Meta highlights not just a single company’s data transfer practices, but the broader challenges of maintaining an open yet secure internet. At FIRST PRIVACY and the DSN GROUP, we offer a comprehensive suite of services to help businesses comply with data protection laws. Our expert team has a deep understanding of the GDPR and other relevant legislation and can guide you through the complexities and uncertainties of data transfers, to minimize the risk of administrative fines as much as possible.

The regulatory landscape is continuously evolving, but with expert guidance and support, businesses can navigate it and focus on their growth and success.