Monster Meta GDPR fine drives home importance of compliance


On April 13, 2023, the European Data Protection Board* (EDPB) adopted a binding decision concerning Meta IE (Meta Platforms Ireland Limited), resolving a dispute submitted by the Irish Supervisory Authority (SA) over the data transfers of Meta IE's Facebook service. As instructed by that decision, the Irish SA imposed the largest General Data Protection Regulation (GDPR) fine to date, 1.2 billion Euros (roughly 1.3 billion US dollars), on Meta IE for transferring personal data to the US on the basis of standard contractual clauses (SCCs) since July 16, 2020.

Meta has also been ordered to bring its processing operations into compliance by ceasing the unlawful processing of personal data of European Union (EU) data subjects. That unlawful processing includes the storage in the US of EU users' personal data that had been transferred there, which was found to be a direct violation of the GDPR. Meta was given six months to comply with this order.

I’ll go into a full breakdown of what this means and what happened below.

GDPR Overview

The General Data Protection Regulation (GDPR) became applicable on May 25, 2018. It imposes strict requirements on organizations established in the EU and, under Article 3, on organizations outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour there, so an organization does not need an EU presence to fall within its scope.

Article 5 of the regulation sets out seven (7) principles relating to the processing of personal data, covering both protection and accountability:

  1. Lawfulness, fairness, and transparency;
  2. Purpose limitation;
  3. Data minimization;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality; and
  7. Accountability.

These principles are addressed throughout eleven (11) chapters and ninety-nine (99) articles documented within the GDPR.

What’s considered transfer of personal data?

The EDPB’s binding decision may have wide-ranging implications, so let’s break it down a little further. The case stems from Meta’s breach of Chapter 5 of the GDPR, which governs transfers of personal data from the EU to a third country. The simplest lawful route is an adequacy decision: the Commission finds that a country (or a sector or international organization within it) provides an ‘adequate’ level of protection, and transfers there require no further authorization.

At the time of writing this article, the US is not covered by an adequacy decision, although the Commission and the US have been working on a successor to the Privacy Shield framework. The position was confirmed by the judgment of the Court of Justice of the European Union (CJEU) of July 16, 2020 in Case C-311/18, known as the ‘Schrems II’ judgment, which concerned the transfer of personal data to the US by Facebook Ireland (now Meta IE).

In the absence of an adequacy decision, a controller (or processor) may still transfer personal data to a third country under Article 46, provided it has put appropriate safeguards in place and enforceable data subject rights and effective legal remedies are available. The appropriate safeguards include a legally binding and enforceable instrument between public authorities, binding corporate rules (which must be approved by a supervisory authority), standard data protection clauses adopted by the Commission or a supervisory authority, an approved code of conduct, or an approved certification mechanism.

What was the issue with Meta?

The Schrems II judgment invalidated the Privacy Shield framework, the instrument then used to legitimize transfers of personal data from the EU to the US. The Court did not invalidate the Commission’s SCC decision itself, but it made clear that an SCC is only a contract between exporter and importer: a controller or processor relying on SCCs must verify, before transferring, that data subjects are afforded a level of protection essentially equivalent to that guaranteed under the GDPR, and must suspend or end the transfer where that protection cannot be ensured. Applied to Facebook Ireland’s SCC-based transfers to the US, that is the test the Irish SA’s subsequent inquiry, and ultimately the EDPB’s binding decision, found was not met.

The Court upheld the complaint, finding that US surveillance programs interfered with the fundamental rights to privacy, data protection, and effective judicial protection to a degree that could not be justified.

“The Court held that the US does not provide for an essentially equivalent, and therefore sufficient, level of protection as guaranteed by the GDPR and the [EU Charter of Fundamental Rights] CFR.”  The decision further states “the US surveillance programs such as PRISM and UPSTREAM are not limited to what is strictly necessary,” and “disproportionate interference with the rights of protection of data and privacy”. “They also do not sufficiently limit the powers conferred upon US authorities and lack actionable rights for EU subjects against US authorities.”  (See The CJEU judgment in the Schrems II case for further details.) 

The decision did not nullify SCCs as such; it stipulated that data controllers (and processors) using SCCs to transfer data must afford data subjects protection essentially equivalent to that of the GDPR and the CFR. Where the law of the third country falls short, supplementary measures may be needed to close the gap, and if equivalent protection still cannot be ensured, supervisory authorities must suspend or prohibit the transfer.

Why assess such a large fine?

The EDPB instructed the Irish Supervisory Authority to levy an administrative fine on Meta IE, citing several factors:

  • The EDPB assessed the gravity of the infringement, noting the large scale of the processing and the millions of data subjects affected over a long period.  
  • The EDPB noted the infringement was still ongoing, since Meta IE had not stopped the processing.  
  • The EDPB determined that Meta IE committed the infringement with the highest degree of negligence and bears the highest level of responsibility.  
  • Meta IE processed a wide range of data categories, including special categories of personal data (GDPR Article 9).  
  • Meta IE’s systems are designed in a way that does not permit the transfer of EU personal data to the US to be restricted, which was itself found to breach the GDPR.  

Because a large part of Meta IE’s profits derives from the very services in the EU involved in the breach, and given the seriousness of the infringement and the aggravating factors, the EDPB directed that the fine calculation start in the range of 20% to 100% of the applicable legal maximum. Under Article 83(5) that maximum is 4% of the undertaking’s total worldwide annual turnover for the preceding financial year, or 20 million Euros, whichever is higher.

Author’s note: The bigger outstanding question from the order is how Meta will remove all of the EU data subjects’ personal data that was transferred in violation of the GDPR.

What does this decision mean to your organization?

With regulators enforcing the GDPR this forcefully, your organization needs to be compliant. At a minimum, take the following actions:

Review policies and procedures

Review your policies and procedures to ensure they address all seven (7) privacy and data security principles noted in the GDPR (and as stated above).

Understand the law

Make sure you understand which legal basis under Article 6(1) you rely on to process personal data, and which rights you must provide to your data subjects.

Ask yourself: 

  • Have your data subjects given consent to the processing of their personal data for one or more specific purposes?
  • Is the processing necessary for the performance of a contract to which the data subject is a party?
  • Is the processing necessary to comply with a legal obligation?
  • Is the processing necessary to protect the vital interests of the data subject?
  • Is the processing necessary for the performance of a task carried out in the public interest?
  • Is the processing necessary for the purposes of a legitimate interest (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data)?

Put the right safeguards in place 

Review specific obligations under GDPR related to your processing activities as a controller and/or a processor and ensure you’ve implemented appropriate safeguards to protect your data and the rights of your data subjects.

Safeguards may include, but are not limited to:

  • Implement controls that let data subjects exercise their rights of access, rectification, erasure, and the other rights the GDPR grants them;
  • Implement role-based access to personal data and conduct routine access reviews;
  • Ensure data handling and classification activities are adequately performed;
  • Assign a Data Protection Officer (DPO) with appropriate responsibilities and authority, and ensure they maintain the necessary experience and qualifications;
  • Conduct a Data Protection Impact Assessment (DPIA) or a Privacy Impact Assessment (PIA);
  • Enforce encryption; Author’s note: the EDPB’s Recommendations 01/2020 on supplementary measures list strong encryption as an effective measure for transfers where the importer never needs the cleartext (for example, backup or hosting), provided the keys are generated and held by the exporter or a trusted entity in the EEA and never disclosed to the importer. Encryption does not stop the data from being personal data in the exporter’s hands, and it is not an effective measure where the importer must process the data in the clear;
  • Perform logging and monitoring of access to personal data;
  • Conduct back-ups of data and ensure resilience of systems;
  • Implement intrusion detection and incident response procedures; and
  • Minimize, pseudonymize, or anonymize data where possible (truly anonymized data falls outside the GDPR; pseudonymized data does not).

Review transfer mechanisms

Review the transfer mechanisms in place (or planned) to ensure you comply with the GDPR when transferring any personal data to a third-country.

If you are planning to transfer personal data to a third country, your organization is responsible for determining whether the European Commission has designated that country as adequate. A transfer to a country without an adequacy decision is still permitted, but you will need to assess whether appropriate safeguards are in place and whether enforceable data subject rights and effective remedies are available. Those safeguards must afford protection essentially equivalent to the rights found in the GDPR. Some criteria and conditions are provided in the following section, and you should seek the advice of an experienced attorney to help navigate these nuances.

If you are currently transferring personal data in violation of the GDPR, you should cease this processing immediately and contact your attorney for further guidance.

Are there any exceptions to the rule?

It’s interesting to note that a transfer can still take place in the absence of an adequacy decision or appropriate safeguards (such as binding corporate rules) under the derogations in Article 49, if one of the following conditions is met. The EDPB reads these derogations restrictively: they are meant for occasional transfers, not as a routine basis for systematic data flows.

  • The data subject explicitly consented to the proposed transfer after being given information of possible risks to the transfer due to the lack of adequacy/safeguards;  
  • The transfer is necessary to perform a contract between the data subject and the controller or as part of pre-contractual measures taken at the request of the data subject; 
  • The transfer is necessary for the performance/conclusion of a contract in the data subject’s interest between the controller and another person;
  • The transfer is necessary for important reasons of public interest; Note: the public interest must be recognized in Union law or in the law of the Member State to which the controller is subject. Union or Member State law may also set limits on the transfer of special categories of personal data for public-interest reasons;
  • The transfer is necessary for the establishment, exercise, or defense of legal claims;
  • The transfer is necessary in order to protect the vital interest of the data subject (or other person) where the data subject is physically/legally incapable of giving consent; or
  • The transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and is open to consultation either by the public or by any person demonstrating a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case. 

Note: A transfer from such a register must not involve the entirety of the personal data (or entire categories of personal data) contained in the register. If the register is intended for consultation by persons having a legitimate interest, the transfer may be made only at the request of those persons or if they are to be the recipients.

Where none of those derogations applies, a transfer may still take place, but only if all of the following conditions are met together; the controller must also inform the supervisory authority of the transfer and tell the data subjects about the transfer and the compelling legitimate interests pursued:

  • The transfer is not repetitive;
  • It concerns only a limited number of data subjects;
  • It is necessary for the purposes of compelling legitimate interests pursued by the controller, which are not overridden by the interests or rights and freedoms of the data subject; and
  • The controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.

Final Thoughts

I’ll leave you with these words from the Chair of the EDPB:

The example set in the Meta case should be a stark reminder for organizations to take compliance seriously: regulators are monitoring and actively enforcing these data protection regulations.  

If your organization needs assistance in complying with the GDPR, get in touch.  We have experts at Thoropass who can help!

*The European Data Protection Board (EDPB) is an independent EU body established to support the consistent application of the GDPR and promote cooperation among the Supervisory Authorities (SAs) of the EU.  
