As frequently seen in the agenda, sanctions regarding the protection of personal data continue to be widespread both in Turkey and in the European Union. The Irish Data Protection Commission (DPC) has announced a historic decision regarding Meta Platforms Ireland Limited (Meta) and its violation of EU data protection regulations. The inquiry, which began in August 2020 and resumed in May 2021, focused on Meta’s transfer of personal data from the EU/EEA to the US through its Facebook service. Despite attempts to reach a consensus among supervisory authorities, the DPC referred the objections to the European Data Protection Board (EDPB), its competent supervisory authority at the European level, for resolution. On April 13, 2023, the EDPB (European Data Protection Board) issued a binding decision, and this investigative process concluded with the final decision from the DPC (Data Protection Commission) on May 12, 2023. As a result, Meta was imposed with the highest fine in the history of the European Union’s primary personal data legislation, the General Data Protection Regulation (GDPR), amounting to 1.3 billion US dollars.
The DPC’s ruling addresses Meta’s unlawful transfer of European users’ data to US servers without adequate privacy safeguards. Despite a prior ruling by the Court of Justice of the European Union (CJEU) on EU-U.S. data flows, Meta continued these transfers using the updated Standard Contractual Clauses (SCCs) introduced by the European Commission. However, the DPC’s decision reveals that Meta failed to sufficiently protect EU users’ personal data, highlighting the disparities between US and EU legislation rather than attributing blame solely to Meta.
The decision by the DPC considers the EDPB’s binding decision, considering factors such as the nature, gravity, and duration of the infringement, as well as the scope, purpose, number of affected users, and the harm they suffered. At this point, it is important to consider that Meta has 309 million daily active users in Europe when evaluating the record amount of the fine.
A crucial aspect is Meta’s compliance with Standard Contractual Clauses (SCCs). The EDPB’s decision references the Irish supervisory authority’s conclusion that the 2021 SCCs used by Meta for international transfers did not rectify the insufficient protection provided by US law. Consequently, it concludes that this deficiency has not been addressed. On the other hand; Meta argues that it has implemented additional measures based on an assessment that found no need for such measures, asserting that US law and practices offer equivalent protection to EU law.
In this regard, the DPC has exercised its corrective powers and issued three main orders. In addition to the aforementioned fine, Meta must suspend any future transfer of personal data to the US within five months of the DPC’s decision. In addition, Meta must comply with the GDPR by ceasing the unlawful processing and storage of personal data of EU/EEA users transferred in violation of the GDPR within six months of the DPC’s decision. These orders are crucial for protecting the personal data of current users.
BURCU GÜR, ATTORNEY AT LAW