The DPC’s ruling addresses Meta’s unlawful transfer of European users’ data to US servers without adequate privacy safeguards. Despite a prior ruling by the Court of Justice of the European Union (CJEU) on EU-U.S. data flows, Meta continued these transfers using the updated Standard Contractual Clauses (SCCs) introduced by the European Commission. However, the DPC’s decision reveals that Meta failed to sufficiently protect EU users’ personal data, highlighting the disparities between US and EU legislation rather than attributing blame solely to Meta.
The decision by the DPC considers the EDPB’s binding decision, considering factors such as the nature, gravity, and duration of the infringement, as well as the scope, purpose, number of affected users, and the harm they suffered. At this point, it is important to consider that Meta has 309 million daily active users in Europe when evaluating the record amount of the fine.
A crucial aspect is Meta’s compliance with Standard Contractual Clauses (SCCs). The EDPB’s decision references the Irish supervisory authority’s conclusion that the 2021 SCCs used by Meta for international transfers did not rectify the insufficient protection provided by US law. Consequently, it concludes that this deficiency has not been addressed. On the other hand; Meta argues that it has implemented additional measures based on an assessment that found no need for such measures, asserting that US law and practices offer equivalent protection to EU law.
In this regard, the DPC has exercised its corrective powers and issued three main orders. In addition to the aforementioned fine, Meta must suspend any future transfer of personal data to the US within five months of the DPC’s decision. In addition, Meta must comply with the GDPR by ceasing the unlawful processing and storage of personal data of EU/EEA users transferred in violation of the GDPR within six months of the DPC’s decision. These orders are crucial for protecting the personal data of current users.
BURCU GÜR, ATTORNEY AT LAW