24/05/23
On 12 May 2023, the Irish Data Protection Commission fined Meta the record amount of €1.2 billion. Possibly even more important, it ordered Meta to stop transferring data collected from Facebook users in Europe to the United States within five months of the decision. This will have a significant impact on the way that Meta works.
The Irish Data Protection Commission confirmed that Meta’s data transfers to the United States constitute an infringement of the GDPR, as Meta has no proper transfer mechanisms whilst being subject to US surveillance laws such as the Cloud Act and FISA 702, as set forth in the Schrems II decision (European Court of Justice, C-311-18, 16 July 2020).
Even though Meta is expected to file an appeal, the chances of success are rather low, given the two earlier decisions of the European Court of Justice.
Like the resolution of the European Parliament of 11 May 2023, this ruling urges the European Commission and the US Government to adopt a reviewed EU-US Data Privacy Framework. A first preliminary agreement was adopted in March 2022, but the parties still have some way to go before the necessary legal documents on this agreement can be adopted on both sides.
In the meantime, this ruling comes as an important sign to organisations that there is to be no more leniency, but rather more scrutiny from data protection authorities regarding the transfer of personal data outside of the EEA. The fact that organisations use ‘off the shelf’ or commonly used technology solutions does not preclude the risk of them being fined for this matter.
This ruling puts the spotlight back on the risks associated with the use of ‘big tech providers’ and cloud computing, as well as the need to consider data residency and appropriate mitigation measures. However, it should not impede further IT projects or developments, as safe alternatives and/or mitigation measures are available.
Feel free to contact our data protection lawyers Loïc Delanghe (BE) and Cedric Verheyen (BE) if you’d like to learn more about this decision or to check if the measures you have taken comply with your GDPR obligations.