Meta has been fined by Ireland’s Data Protection Commission (DPC) for transferring European user data to the US in breach of the General Data Protection Regulation (GDPR) and has been ordered to stop transferring further personal data within five months.
The DPC stated in its findings that Meta’s practices “did not address the risks to the fundamental rights and freedoms” of European users of its platform. Meta falls under the DPC’s jurisdiction because its European operations are headquartered in Dublin.
In a blog post written by Nick Clegg, President of Global Affairs, and Jennifer Newstead, Chief Legal Officer, the company argues that “the ability for data to be transferred across borders is fundamental to how the global open internet works.” Clegg and Newstead also noted that Meta acted in good faith but that the legal framework around transferring personal data between the EU and the US lacks clarity.
Meta will appeal the decision and is seeking a stay in the courts to delay the imposed timelines, asserting that “this decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”
In light of the ruling, Meta has also confirmed there will be no interruption to its services in Europe.
In 2020, the Court of Justice of the European Union (CJEU) – Europe’s highest court – ruled that the previous agreement, called the Privacy Shield, was invalid over fears of US surveillance of user data. Since then, there has been no agreement in place between the US and the EU for the transfer of personal data.
EU and US policy makers are working to implement a new agreement called the Data Privacy Framework (DPF), which US President Joe Biden and EU Commission President Ursula von der Leyen sanctioned in March 2022. The new deal could be in place as early as this summer.
The DPC originally did not include a fine in its recommendations. However, four of the 47 Concerned Supervisory Authorities (CSAs) raised objections, requesting not only fines, but corrective actions to delete European user data from the US. The European Data Protection Board (EDPB), the body in place to manage such disputes, agreed to a fine on top of the DPC recommendations.