Largest GDPR fine to date: DPC penalises Meta once more, but did they ever have a choice?

The largest GDPR fine in history, €1.2 billion, has been issued by the Irish Data Protection Commission. There are, however, wider rumblings about the current state of affairs amongst Europe’s other supervisory authorities and the EDPB.

On 22 May 2023, the Irish Data Protection Commission (DPC) announced a decision made on 12 May, concluding an inquiry into Meta Platforms Ireland Limited (Meta) and personal data processed during the provision of their Facebook service. The ‘own volition inquiry’, initiated by the DPC in 2020, examined the basis upon which Meta transferred EU/EEA users’ personal data to the US on the basis of standard contractual clauses (SCCs),^_[1] following the Schrems II Judgment in the Court of Justice of the European Union. The Judgment held that SCCs are still valid transfer mechanisms, providing that the level of protection afforded is essentially equivalent to that which is guaranteed by the GDPR within the EU, and where an assessment is conducted in relation to the risk.

The infringement

Meta carried out “cross-border processing”, as defined in Article 4(23) GDPR, and their main establishment in Ireland gave jurisdiction to the DPC to act as lead supervisory authority (LSA). Pursuant to Article 44 GDPR, transfers to third countries, such as the US, must ensure that the level of protection guaranteed by the GDPR is not undermined. Some examples of mechanisms include transfers based on an adequacy decision,^[2] transfers with appropriate safeguards^[3] and derogations for specific situations,^[4] which enables transfers in the absence of safeguards or an adequacy decision only in circumstances such as where the data subject explicitly provides consent, where the transfer is in the public interest, or where the transfer is necessary for the performance or conclusion of a contract. Importantly, derogations are not available in circumstances such as where the transfer is repetitive and where there is a wide number of data subjects. Hence, the DPC held that it is not for Meta to rely on any of these derogations in respect of data transfers.^[5]

The DPC found that Meta’s processing violated Article 46(1) GDPR, which states:

“…a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

Two issues arose:

1. The lawfulness of the international transfers on the basis of SCCs, following Schrems II and
2. Whether, and which, corrective powers should be used on the basis of an infringement of Article 46(1).

The decision

The DPC found that “US law does not – in itself – provide an essentially equivalent level of protection to that provided by the GDPR”^[6] and therefore, SCCs are unable to compensate for this deficiency - particularly as Meta had not enacted any supplementary measures which could balance the lack of adequate protection.^[7]

Meta had, however, written to the DPC “to request confirmation that the DPC would afford it a right to be heard in respect of the changes to US law and practice”,^[8] following the signing of Executive Order 14086 (EO)^[9] by Joe Biden, in October 2022. Upon reviewing the substantive elements of the EO, the DPC noted that whilst a redress mechanism is outlined, this is only applicable for ‘qualifying complainants’ in ‘qualifying states’ – of which the EU was not included. Therefore, EU citizens would not be able to access the methods of redress prescribed by the EO and would not have equivalent means to protect their data rights. Moreover, in agreement, the EDPB stated that it “fails to see how the documents issued on 7 October 2022 could have a retroactive effect on the findings made by the IE SA on 6 July 2022.”^[10]

Consequently, the DPC deemed that:

• The data transfers in question were being carried out in breach of Article 46(1) GDPR; and
• In these circumstances, the data transfers should be suspended, invoking a corrective power under Article 58(2)(j) GDPR.

Cooperation with other supervisory authorities

As LSA, and in line with the Article 60 cooperation procedure, the DPC circulated the draft decision to the other Concerned Supervisory Authorities (CSAs). The CSAs agreed with the DPC in terms of the nature of the violation and the proposed suspension order, with the EDPB decision noting that several CSAs “explicitly praise[d] the analysis carried out”^[11] by the DPC.

The CSAs agreed that a suspension order may ensure future compliance, but in order to appropriately address the infringement committed in the past, a small minority of CSAs (4 of 47) objected and suggested that an administrative fine should also be imposed. As “Meta is the provider of the biggest global social media network with an enormous number of users within the European Union and thus affected persons,”^[12] failing to properly address the infringement, it was argued, may “weaken the position of the supervisory authorities and endanger compliance with the GDPR on a general level.”^[13]

Fundamentally, the DPC disagreed with its counterparts; a suspension order would cease the unlawful conduct and right the particular wrongs identified – a fine, would not, in the view of the DPC, “make the findings of unlawfulness any more effective.”^[14] Therefore, pursuant to Article 60(3) GDPR, as the CSAs had submitted relevant and reasoned objections, the DPC were obliged to refer the matter to the EDPB. Pursuant to Article 65, the EDPB conducted a dispute resolution procedure and issued a Binding decision on 13 April 2023.

Outcome

The DPC noted that, consistent with its obligations to adopt its final decision “on the basis of” the EDPB’s decision, pursuant to Article 65(6), the DPC’s final decision of 12 May 2023 records the following penalties imposed on Meta:

1. A suspension order, requiring Meta Ireland to suspend any future personal data transfer to the US within five months of the decision;
2. An administrative fine in the amount of €1.2 billion (based on the EDPB’s assessments and determinations); and
3. A corrective order, requiring Meta to bring its processing into compliance with the GDPR, within 6 months following the decision, by ceasing the unlawful processing - including US storage of the personal data of EU/EEA users transferred in violation of the GDPR.

The fine accounted for the “significant nature, gravity and duration” of the infringement, committed with “at least the highest degree of negligence”, where Meta had a “high degree of responsibility.”^[15] Those factors, coupled with Meta’s significant turnover, suggested that an administrative fine extending beyond the mid-range ought to be imposed.

Meta has said that it plans to appeal the “unjustified and unnecessary” fine.

On Friday 9 June 2023, it was reported that Meta sought leave from the Irish Courts to bring judicial review proceedings challenging what it says is the DPC’s “unlawful decision”. The judge said he was satisfied Meta established arguable grounds for the relief sought. He was satisfied to grant leave to bring judicial review proceedings on notice to the DPC^[16].

Considering the decision, all entities currently relying upon standard contractual clauses to complete data transfers from the European Union to the U.S. should take heed. Companies considering transferring personal data outside the European Union must ensure an equivalent level of protection in the destination country. It is considered that the U.S. is risky because of potential access by certain law enforcement agencies to personal information in scope of the GDPR.

Due to the continued and wide-reaching effects of the U.S’s strategy on surveillance we have now entered a period of limbo, as there is no obvious methodology currently in place for cross-border transfers of EU data to the U.S.

Accordingly, there is a pressing need for a more concrete solution to firmly address the issues of data transfers from the European Union to the US. To resolve this uncertainty, EU-US policy makers are currently in the process of progressing a Trans-Atlantic Data Privacy Framework, (“Framework”). If the Framework is approved by the European Commission, some concerns may be alleviated on the transfer of personal data from the EU to the US. It is hoped that the Framework can be approved later in 2023.

Consistency Mechanism: tensions rising

This fine is the largest value imposed in the five-year history of the GDPR, surpassing the 2021 €746 million fine against Amazon, issued by the data protection authority in Luxembourg. Whilst on the face of it, that may seem to be the headline, a growing animosity is exemplified by this decision – namely, the increasing criticism of the GDPR’s consistency and cooperation mechanisms, tensions surrounding the One Stop Shop (OSS) and a growing issue between CSAs and the EDPB.

Some opponents suggest that the DPC has a light-handed approach and is a “bottleneck of GDPR enforcement” against big tech corporations^[17], and according to a Report by the Irish Civil Liberties council, 75% of the DPC’s decisions and investigations have been overruled by majority vote of the EDPB, who demand tougher enforcement. Preceding this matter, in the January 2023 final decisions also against Meta, the DPC intended to impose €36 and €23 million fines respectively, which were increased substantially to €210 and €180 million, as a result of the input of other supervisory authorities and a binding decision issued by the EDPB. (For a discussion on these fines, please see our previous article here).

Therefore, the DPC have previously suggested that the actions of the EDPB are misaligned with the GDPR’s cooperation and consistency arrangements. DPC Commissioner, Helen Dixon, has also noted that:

“The One-Stop-Shop, in its current form, has created something of a legal maze, building an ever more complex landscape for litigators.”

Currently, the DPC has three cases pending in the CJEU (General Court) against the EDPB:

Case T-111/23, filed on 24 February 2023, in which the DPC requests that the Court annuls paragraphs 222 and 326(8) of Binding decision 5/2022 on WhatsApp Ireland Limited.

Case T-84/23, filed on 24 March 2023, in which the DPC requests that the Court annuls paragraphs 203 and 454 of Binding decision 4/2022 on Meta and its Instagram service.

Case T-70/23, filed on 24 March 2023, in which the DPC requests that the Court annuls the second line of paragraph 198 and the second line of paragraph 487 of Binding decision 3/2022 on Meta and its Facebook service.

In all instances, the DPC alleges that that the EDPB exceeded its competence under Article 65(1)(a) by ordering the DPC to carry out a new investigation, and to also issue a new draft decision based upon those findings.

On the recent passing of the GDPR’s five-year anniversary, it remains to be seen whether these tensions will increase. It does seem however, that mounting tensions between the DPC, CSAs and the EDPB are starting to reach a head. The EU Commission recently closed a feedback period on 24 March 2023, seeking information on a new initiative to streamline the cooperation mechanisms between supervisory authorities in cross-border cases. With Commission adoption planned for the second quarter of 2023, it looks likely that this year may be transformative for GDPR enforcement and cross-border cases throughout Europe and beyond.

---

_{[1] Pursuant to Article 46(2)(d).}

_{[2] Pursuant to Article 45 GDPR. Note: no adequacy decision currently exists between the EU/EEA and the US.}

_{[3] Pursuant to Article 46 GDPR (e.g. A legally binding and enforceable instrument between public authorities or bodies (Article 46(2)(a)); binding corporate rules in accordance with Article 47 (Article 46(2)(b)); and inter alia, standard data protection clauses adopted by the European Commission in accordance with the examination procedure referred to in Article 93(2) (Article 46(2)(c)).}

_{[4] Pursuant to Article 49.}

_{[5] DPC Decision, p.5 [at 1.14(2)]}

_{[6] DPC Decision, p.67 [at 7.48]}

_{[7] DPC Decision, p.126 [at 9.9]}

_{[8] DPC Decision, p.21 [at 2.58]}

_{[9] Executive Order 14086 entitled “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities”}

_{[10] EDPB Decision, p.11 [at 32]}

_{[11] EDPB Decision, p.9 [at 22]}

_{[12] EDPB Decision, p.13 [at 43]}

_{[13] ibid}

_{[14] ibid}

_{[15] DPC Decision p.203 [at 9.98(b)]}

_{[16] Facebook owner granted stay on order that it suspend Europe-US data transfers – The Irish Times}

_{[17] For instance, Meta, Apple and Google all have European headquarters based in Ireland.}