This penalty, the heftiest General Data Protection Regulation (GDPR) fine to date, results from an investigation into Facebook led by the Irish Data Protection Authority (IE DPA).
The substantial penalty follows the EDPB’s decision of 13 April 2023, which accuses Meta of systematic, repetitive, and continuous transfers of personal data via standard contractual clauses (SCCs) since 16 July 2020. The EDPB has also ordered Meta to bring its data transfers into compliance with the GDPR.
“The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous,” said Andrea Jelinek, EDPB Chair. “The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
Following the EDPB’s ruling, Meta IE has been instructed to cease the unlawful processing, including storage, in the US of personal data of European users transferred in violation of the GDPR.
Meta Vows to Appeal the Ruling
In response to the EDPB’s decision, Meta released a statement promising to appeal the ruling and seek a stay of the orders through the courts.
Nick Clegg, President of Global Affairs, and Jennifer Newstead, Chief Legal Officer, co-authored a statement in which they assert that the issue is not about one company’s privacy practices, but rather a fundamental conflict of law between the US government’s rules on access to data and European privacy rights.
The executives emphasised the necessity of data transfers across borders for thousands of businesses and organisations. They warned that hindering these transfers risks “carving up the internet into national and regional silos.”
Meta’s response comes after the Irish DPC set out its findings on Meta’s use of SCCs for the transfer of Facebook user data between the EU and the US. Although the DPC acknowledged Meta’s good faith and viewed the fine as unjustified, the EDPB overruled it.
“We are disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,” the Meta executives wrote. They labelled the decision as flawed, unjustified and a dangerous precedent for countless other companies transferring data between the EU and the US.
The Meta executives highlighted the agreement on the principles of a new Data Privacy Framework (DPF), reached by President Biden and Commission President von der Leyen in March 2022, as a clear path to resolving this conflict. They expressed hope that if the DPF comes into effect before the implementation deadlines expire, Meta’s services can continue without any disruption or impact on users.
In the meantime, Meta says there will be no immediate disruption to Facebook in Europe, because the decision’s implementation periods run until later this year.