Data Protection

The EDPB flexes its muscles – META fined in excess of €1.5bn

08 Aug 2023

9 min read

Author: Jackie Mallia

The European Data Protection Board (EDPB) has in 2023 issued four decisions relating to Meta Ireland. These decisions were issued under the consistency mechanism set out in Article 65 of the GDPR. Based on these four decisions, the Irish Data Protection Commission (IDPC) fined Meta more than €1.5bn for its infringements of the GDPR:

FACEBOOKUnlawfully transferring PD to the USA€1.2bn  12.5.23
FACEBOOKUnlawfully processing PD for behavioral advertising€210m  31.12.22
INSTAGRAMUnlawfully processing PD for behavioral advertising€180m  31.12.22
WHATSAPPUnlawfully processing PD for security and service improvement€5.5m12.1.23

The OSS and consistency mechanism

The GDPR employs a one-stop-shop mechanism (OSS) by virtue of which the Data Protection Authority (DPA) of a country’s main establishment will be competent to be the leading DPA. In these four cases, because Meta’s main headquarters are located in Ireland, the IDPC was competent to act as lead DPA and therefore to act as the sole interlocutor of the target company. It initiated the inquiries with Meta.

Under the co-operation mechanism within the GDPR, the IDPC is required to co-operate, exchange information and share the draft decision with other concerned DPAs before adopting a final decision.

Under Article 65(1)(a) of the GDPR, in cases of disagreement between the lead DPA and other concerned DPAs, the lead DPA must refer the matter to the EDPB for its binding decision. Since Meta’s services are consumed across the EU, all national EU DPAs qualified as concerned and could (and some did) raise objections to the IDPC’s draft decision in accordance with Article 60 of the GDPR.

Some DPAs[1] disagreed on whether Meta could rely on Article 6(1)(b) of the GDPR[2] to process users’ personal data for behavioral advertising and for security and service improvements. The IDPC had, in its draft decision, concluded that Meta could rely on the grounds provided for under Article 6(1)(b) however, other DPAs did not concur that Meta’s processing operations were objectively necessary for Meta to deliver its services. This reasoning aligns with a recent judgment of the EU Grand Chamber following a preliminary reference. In that case, the Court confirmed that for the processing of personal data to be regarded as necessary for the performance of a contract, “it must be objectively indispensable for a purpose that is integral to the contractual obligation”.[3] The Court had declared that “personalised content  does not appear to be necessary in order to offer that user the services of the online social network.”[4]

In addition, certain DPAs[5] disagreed on the corrective measures and the level of the fines that had been proposed by the IDPC in the draft decision.[6] The IDPC did not follow the objections raised so the matter was referred to the EDPB.

Derogations cited by META are invalid

The EDPB concluded that Meta could not rely on Article 6(1)(b) of the GDPR and instructed the IDPC to modify its draft decisions accordingly.

In its final decision, the IDPC reiterated case-law and held “that derogations cannot be interpreted so as to allow the exception provided by the derogation to replace the rule established by the EU measure; it is necessary that “the exception remain an exception.”[7]

The DPC, while referring to Schrems II,[8] concluded that measures that do not “respect the essence of the right to effective judicial protection as enshrined in Article 47 of the Charter”[9],[10] must be invalid and that laws giving individuals no remedies would fail this test.[11] The IDPC held that the contractual necessity derogation could not be relied on to justify data transfers to the U.S.

Breach of international PD transfer rules leads to record fine

In its draft decision, the IDPC had not proposed the imposition of a fine on the basis that the objective of the enforcement was to ensure compliance – and an order suspending data transfers would achieve this. The IDPC held that the case involved a series of complex issues, linked to litigation at the highest level, and that Meta had attempted to work through the issues in good faith.

The EDPB disagreed. It concluded that Meta “committed an infringement of significant nature, gravity and duration” which was still ongoing and that the likelihood of a fine being imposed is important, so that those who are in breach will fear the imposition of a fine.[12] On the other hand, not fining would send a message that past infringements will not be addressed and would encourage others to infringe.[13]  While referring to its own guidelines on administrative fines, the EDPB proposed a fine of between 20% and 100% of the maximum permissible[14]

The IDPC decided to set the level of the fine at the mid-point of the range proposed by the EDPB.  It accordingly fined Meta a record €1.2bn[15] for a breach of Article 46(1) of the GDPR when transferring personal data of EU users to the US relying on its standard contractual clauses (SCCs).  This finding follows the Schrems II judgment which had invalidated the EU-US Privacy Shield.  The IDPC concluded that “US law does not provide a level of protection that is essentially equivalent to that provided by EU law” and that “(n)either the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law”.[16]  The IDPC further held that “Meta Ireland does not have in place supplemental measures which compensate for the inadequate protection provided by US law”.[17]  The IDPC noted that when the US Government makes a request for data under Section 702 of FISA,[18] both Meta US and Meta Ireland are obliged to comply in providing data about their users to the US authorities.  The IDPC concluded however, that Meta could not rely on Article 49 of the GDPR[19] to justify the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US.[20]

Suspension of EU-US data transfers- Hollow victory?

The IDPC draft decision had held that “ordering the suspension of data transfers is the only appropriate, necessary and proportionate” measure.  The EDPB however, instructed the IDPC to order Meta to bring its processing operations into compliance with the GDPR “by ceasing the unlawful processing, including storage, in the US of personal data of EEA users”. 

This was reflected in the IDPC’s final decision together with an order for Meta to suspend EU-US data transfers.  As noted in its final decision, “the orders specified in Section 10, […], will remain effective unless and until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by way of new measures, not currently in operation, such as the possible future adoption of a relevant adequacy decision by the European Commission pursuant to Article 45 GDPR.”[21]

EC adopts its adequacy decision

On 10 July 2023, the European Commission did adopt its much-anticipated Adequacy Decision for the EU-US Data Privacy Framework.  The Adequacy Decision stemmed from the ramifications of Schrems II which had invalidated the EU-US Privacy Shield on the basis that the US public authorities’ use of and access to EU data were not subjected to proportionality restrictions and there was no judicial redress available to EU data subjects.[22]

Following Schrems II, the U.S. adopted Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation).  The Commission, after analysing EO 14086 and the AG Regulation decided that the U.S. ensures an adequate level of protection for personal data transferred under the EU-U.S. Data Privacy Framework from a controller or a processor in the Union to certified organisations in the United States.

The Adequacy Decision in essence means that personal data can be transferred from the EU to companies which self-certify under the Data Privacy Framework without any other data transfer mechanisms (such as the Standard Contractual Clauses s or Binding Corporate Rules). Moreover, organisations transferring personal data to importers who participate in the framework are not required to carry out transfer risk assessments, since framework is already covered by the Adequacy Decision.

Effect on the IDPC decision

While the penalty imposed on Meta will subsist, the requirement to “bring its processing into compliance”[23] is now superseded by the effects of the IDPC final decision.  Similarly, the requirement to suspend the transfer of EU data to US authorities is likewise superseded by the Adequacy Decision.

The IDPC final decision remains relevant for transfers to third countries because it signifies that the EDPB will not accept lightly derogations from the GDPR obligations.  Specifically, the derogation for contractual necessity cannot be used for transfers which are systematic, bulk or repetitive because while explicit consent could be used to legitimise transfers, that consent would need to be informed, meaning that one consent could not be given, to all future transfers.

[1] DPAs of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden.

[2] Process is lawful if the processing is necessary for the performance of a contract to which the data subject is a party.

[3] Case C‑252/21 decided on 4 July 2023 at para. 102.

[4] Ibid.

[5] DPAs of Austria, France, Germany and Spain.

[6] No fines were proposed against Facebook (for the 1st infringement listed in the table on p. 1) and WhatsApp while fines of €36m and €23m were proposed on Facebook (for the 2nd infringement in the table) and Instagram respectively.

[7] At para. 8.13 and citing case C-623/17 Privacy International, paragraph 69 and other cases cited therein.

[8] Case C-311/18 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems decided on 16 July 2020

[9] At para. 7.37.

[10] The Charter of Fundamental Rights of the European Union.

[11] At para 8.56

[12] At para. 149.

[13] At paras. 155 & 156.

[14] 4% of Meta’s total worldwide turnover in the preceding financial year.

[15] A small reduction for mitigating measures taken in relation to enhanced transparency was applied.

[16] In the matter of Meta Platforms Ireland Limited (previously known as Facebook Ireland Limited) – DPC Inquiry Reference: IN-20-8-1 at para. 10.1.

[17] Ibid.

[18] Foreign Intelligence Surveillance Act.

[19] Data transfer is necessary for compelling legitimate interests.

[20] Ibid. at para. 8.106.

[21] At para. 9.51 – emphasis added.

[22] Schrems II at paras. 185 & 197.

[23] At para. 9.98(d).