Meta receives highest ever GDPR fine

Meta receives highest ever GDPR fine

Ireland’s Data Protection Commission (DPC) has fined Meta Platforms (who operate Facebook) €1.2billion for GDPR breaches, the largest GDPR fine to date.

The fine resulted from international personal data transfers from the European Economic Area (EEA) to the US without adequate safeguards. Meta was also ordered to suspend future transfers of personal data to the US within five months and given six months to stop the unlawful processing and delete anything stored unlawfully.

International data transfers – What are the options?

The GDPR (and the UK-GDPR) requires any transfer of personal data outside the EEA (or UK, as applicable) to have adequate safeguards in place.

The main options under the GDPR for transferring data overseas are:

• An adequacy decision (GDPR Article 45);
• Appropriate safeguards, such as Standard Contractual Clauses (SCCs) with adequate supplementary measures (or in the UK, an International Data Transfer Agreement) or Binding Corporate Rules, provided that, in each case, data subjects have enforceable rights and effective legal remedies (GDPR Articles 46 and 47); or
• Where a derogation for a specific situation applies, for example the data subject has given their explicit consent (GDPR Article 49)

There is no adequacy decision in place for transfers between the US and EEA, as, in 2020, the previous EU-US Privacy Shield arrangements for transferring data were ruled unlawful following a challenge by the data privacy campaigner, Maximillian Schrems (the “Schrems II Ruling”). Meta therefore assessed its choices for transferring data under the other two options above.

The DPC’s ruling

Following the Schrems II Ruling, Meta implemented supplementary measures to enable it to continue transferring data overseas using SCCs, including:

• Internal policies, procedures, and oversight requirements;
• Technical measures, such as in-transit encryption and access controls; and
• Legal measures, such as contractual rights provided to data subjects and requirements to challenge US Government requests it believes are unlawful.

However, the DPC deemed these inadequate and in the absence of sufficient safeguards, Meta’s data transfers to the US were, therefore, deemed unlawful.

The DPC also found that Meta could not rely on any of the GDPR's Article 49 derogations to justify its transfers because of their systematic, bulk, repetitive and ongoing nature.

Meta’s fine and its reaction

Meta was fined €1.2billion and also received a compliance order requiring it to suspend any future transfer of personal data to the US within five months of the decision date. Additionally, it has six months to stop the unlawful processing of personal data of EEA users and delete or return the wrongly transferred personal data.

The DPC justified the high fine and compliance order due to Meta’s systematic, repetitive, continuous, and voluminous personal data transfers to the US without appropriate safeguards.

It’s worth noting that this decision does not affect Facebook in the UK but the Information Commissioner's Office has said it has "noted the decision and will review the details in due course".

Meta has responded by stating its intention to appeal the decision.

Key considerations for organisations

Any business transferring personal data between the EEA and US should evaluate their safeguards to ensure personal data is sufficiently protected. UK organisations should also evaluate their transfers, as the same considerations apply under the UK-GDPR.

The DPC noted that organisations should consider conducting new transfer risk assessments to assess the sufficiency of their supplemental measures. If your organisation cannot produce a risk assessment which contains adequate supplemental measures, personal data should not be transferred to that country until the data can be adequately safeguarded.

If you have any questions on ensuring your organisation has adequate safeguards in place to protect personal data, please contact our Data Privacy Team.