DPC (Ireland) - IN-20-8-1

From GDPRhub
Revision as of 10:22, 24 May 2023 by Mg (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DPC - IN-20-8-1
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 45 GDPR
Article 46 GDPR
Article 49 GDPR
Article 60(4) GDPR
Article 65(1)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.05.2023
Published:
Fine: 1200000000 EUR
Parties: Meta Ireland
National Case Number/Name: IN-20-8-1
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: DPC (Ireland) (in EN)
Initial Contributor: mg

Bound by an EDPB decision, the Irish DPA ordered Meta Ireland to suspend transfers of personal data to the U.S. and to erase data already transferred. In addition, the DPC fined Meta €1,2 billion - the highest fine ever imposed under the GDPR.

English Summary

Facts

In the aftermath of the Schrems I and II judgements (C-362/14 and C-311/18), the Irish DPA started an ex office procedure into the issue of Meta Platforms Ireland Ltd. (Meta Ireland) transferring personal data to Meta Platforms Inc. (Meta U.S.) in violation of Chapter V of the GDPR.

Meta Ireland had been transferring personal data to the U.S. despite the lack of a valid adequacy decision under Article 45 GDPR (as both “safe harbor” and its successor “privacy shield” were invalidated by the CJEU in Schrems I and II).

While negotiation of a new adequacy decision for EU-U.S. data transfers are ongoing, Meta Ireland claimed to have undertaken data transfers on the basis of standard contractual clauses adopted by the Commission under Article 46(2)(c) GDPR even before the CJEU passed the Schrems II decision.

Holding

First, the Irish DPA ascertained whether US law guaranteed an essentially equivalent level of protection of data protection rights in light of Schrems II. This was excluded by the supervisory authority, especially due to the lack of effective judicial remedies against the violation of data subjects’ fundamental rights by U.S. intelligence agencies and due to the lack of limitations imposed on the latters’ investigation powers. The latest developments in U.S. law (which are supposed to ensure a higher level of protection for data transferred to the U.S.) were deemed insufficient by the Irish DPA, especially since some of the promised reforms have not yet been implemented.

Second, the Irish DPA found that Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR invoked by Meta Ireland could not compensate for the lack of an equivalent level of data protection. In particular, SCCs did not (and could not) address the activity of U.S. intelligence agencies or the lack of judicial remedies against such activity.

Third, the supervisory authority considered whether Meta Ireland implemented sufficient supplementary measures that would, in addition to SSCs, ensure an equivalent level of data protection. Neither of the organisational, technical or legal measures Meta Ireland Ltd claimed to have implemented could compensate for a problem that stems from US public law.

Finally, Meta Ireland could not rely on derogations under Article 49 GDPR, as derogations to fundamental rights enshrined in the European Charter of Fundamental Rights shall be interpreted strictly. In this case, the Irish DPA found (following the CJEU in Schrems I and II) that U.S. law interfered with the essence of Europeans’ fundamental rights and therefore did not pass the test set out in Article 52 of the Charter. Moreover, according to the Irish DPC, derogations under Article 49 GDPR can only be invoked for “occasional and non-repetitive” transfers, which was clearly not the case with the Meta group, whose business model is based on massive and continuous transatlantic exchanges of data. As Meta Ireland could not rely on any legal basis for data transfers, it violated Chapter V of the GDPR. Therefore, the Irish DPA decided to use its corrective powers. With a draft decision in the context of an Article 60 GDPR cooperation mechanism, the DPA ordered Meta Ireland to suspend the transfer of personal data to the US pursuant to Article 58(2)(j) GDPR.

Nevertheless, the Irish DPA initially considered the imposition of a fine unnecessary and disproportionate. On the one hand, the Irish DPA found that the suspension of the transfers was already sufficient to enforce the GDPR and a fine on top of it would have been excessive. On the other hand, the Irish DPA claimed that several complex legal issues concerning data transfers were solved for the first time before the CJEU in the Schrems II judgement. Thus, the Irish DPA took the view that Meta Ireland acted in good faith when transferring data in lack of a proper legal basis. The Irish DPA also did not issue an order for the bulk return or erasure of all data transferred to the U.S. either, considering such a measure excessive, too.

Other DPAs disagreed with the Irish DPA’s draft decision and raised reasoned objections under Article 60(4) GDPR, which the Irish DPA did not want to accept. Consequently, the EDPB had to solve the conflict among the European DPAs under Article 65(1)(a) GDPR.

First, the EDPB stated that the end of the storage of personal data in the US was also a necessary measure to bring the overall situation in compliance with Chapter V of the GDPR. Therefore, it requested the Irish DPA to adopt against Meta an order pursuant to Article 58(2)(d) GDPR. The EDPB also established a 6-months deadline in order for Meta to comply with this order.

The EDPB also forced the Irish DPA to fine Meta pursuant to Articles 58(2)(c) and 83 GDPR and to determine the amount of the fine in a way that such a measure was effectively dissuasive. Eventually, the Irish followed he orders by the EDPB and also adopted a €1,2 billion fine – the highest fine issued under the GDPR at this point. In its reasoning the Irish DPA copied large portions of the EDPB decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism