Ireland’s Data Protection Commission (DPC) has decided to fine Meta for its transfer, storage and processing of data in the US. In July 2020 the EU Court of Justice ruled on the case between Ireland’s DPC, Facebook Ireland (now Meta IE) and Schrems. The ruling became known as the Schrems II decision and started an avalanche of repercussions for how the data of EU consumers is processed in the US.
Following the Schrems II decision the EU-US Privacy Shield Framework was invalidated. There were major concerns because US surveillance programs had no limitations on when and what data they could access. Data being stored in the US meant that access to it was no longer restricted to what was strictly necessary and proportional. As a result, the EU-US Privacy Shield Framework no longer met the requirements of Article 52 of the EU Charter on Fundamental Rights.
We saw some big changes as a result of this decision, such as a new, revised version of Google Analytics, so that the program could remain legal in Europe. This fine is the long-awaited decision from Ireland’s DPC in the case against Meta that started this process off.
Following the Schrems decision, Meta IE (formerly Facebook Ireland) adopted modernized Standard Contractual Clauses (SCCs) and implemented supplementary measures as recommended by the European Data Protection Board (EDPB). DPC Ireland circulated a draft decision following these changes by Meta and asked for other European Supervisory Authorities (ESAs) to review and comment on it. Several ESAs objected following the review due to there still being inadequacies in the corrective measures proposed. These were referred to the EDPB.
The EDPB issued a binding decision to resolve the ESAs’ dispute over whether DPC Ireland should fine Meta and order it to bring its processing into compliance with GDPR. The DPC was given one month to reach its final decision.
DPC Ireland determined that Meta is in violation of GDPR, because its data transfers are made in circumstances that fail to guarantee a level of protection equivalent to that under GDPR. The DPC found that the new SCCs and supplementary measures did not adequately compensate for the deficiencies under US law.
FISA’s PRISM program:
- Grants US authorities extensive access options to European personal data and largely unrestricted monitoring powers
- Allows non-court supervised access to a user’s data without their knowledge
- Does not guarantee data subject rights
- Violates the principle of proportionality
- Does not grant European data subjects legal protections against US authorities
The changes to the SCCs cannot stop this type of access. There is also no remedy for an EEA data subject who is not informed that they have been the subject of a search.
Meta proposed a series of measures to try to address these concerns. It suggested that transfers of personal data could rely on derogations such as contractual necessity, public interest and explicit consent. However, the derogations for contractual necessity and public interest cannot be relied on for systemic, bulk, repetitive and ongoing transfers to the US, and Meta has not obtained the explicit consent of EU/EEA users.
DPC Ireland has ordered that Meta IE must:
- Pay a fine of €1.2 billion ($1,293,720,000 USD)
- Suspend any future transfers of personal data to the US within five months
- Cease unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within six months
Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.
You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.