The Irish Data Protection Commission (DPC) has announced a $1.3 billion fine on Facebook after claiming the company breached Article 46(1) of the GDPR (General Data Protection Regulation).
Specifically, Facebook has been found to transfer data from EU-based users of the platform to the United States, where data protection regulations vary from state to state and have been deemed insufficient to protect the rights of EU data subjects.
Article 46(1) of the GDPR prohibits transfers of personal data to countries or international organizations that do not have safeguards for security and legal redress mechanisms.
Following the breach, the DPC imposed a record fine of 1.2 billion euros ($1.3 billion) on Facebook’s parent company, Meta Ireland, and demanded that all data transfers that violate the GDPR be suspended within five months of the decision.
Additionally, Meta will be required to stop processing or retaining any data unlawfully transferred from the EU to the US within six months of the DPA announcement.
Facebook previously transferred data between European countries and the US under the 2016 EU-US GDPR Privacy Shield, which allowed EU data to be stored with US companies listed on the GDPR Privacy Shield list.
The rules for international data transfers under the GDPR changed with the July 2020 “Schrems II” case, where the CJEU ruled that any transfer of personal data under the Privacy Shield Decision is unlawful and stricter data control regulations must be introduced.
In August 2020, the Irish DPC opened an investigation into Meta’s data transfer activities. In July 2022, it published a draft decision pointing out that the tech giant was in breach of Article 46(1) of the GDPR.
On April 13, 2023, the European Data Protection Board (EDPB) adopted a binding decision ordering the DPA to fine Meta and order it to comply with the GDPR.
Today, the Irish DPC imposes the $1.3 billion administrative fine reflecting the EDPB’s decision, punishing Meta with a fine determined under EDPB Guidelines (20% to 100% of the applicable maximum), taking into account the seriousness of the offence.
Meta responded to the ruling via a blog post, saying that seamless cross-border data transfers are critically important to business continuity and noting that administrative fines and restraining orders will have a significant impact on its services in Europe.
The company says all transatlantic data transfers are controlled by Standard Contractual Clauses (SCCs) used by all organisations, which the CJEU has previously accepted as a valid alternative to verify “legal safeguards”.
“Like thousands of other companies, Meta has used SCCs believing them to comply with the General Data Protection Regulation (GDPR),” comments the tech giant.
The company finds the fine unfair, unnecessary and disproportionate, and plans to appeal the decision and challenge the severity of the fine and the underlying orders.
“It’s not about a company’s privacy practices – there is a fundamental rights conflict between US government rules on access to data and European privacy rights, which policymakers should solve this summer”, explained Meta.
Meta criticizes the EDPB’s decision to ignore the DPC’s acknowledgment that the company had previously acted in good faith and also highlights the bad timing of these procedures, considering that the next Data Privacy Framework (DPF) will soon be implemented, resolving current legal disputes.