The Data Protection Commission (‘the DPC’) has announced the conclusion of its inquiry into Meta Platforms Ireland Limited (‘Meta Ireland’), examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.
The DPC adopted its final decision in this inquiry on May 12, 2023. The decision records that Meta Ireland infringed Article 46(1) C when it continued to transfer personal data from the EU/EEA to the US following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (‘SCCs’) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
Richard Hollis, CEO of Risk Crew, commented on the announcement: “This is a potentially game-changing fine. It clearly signals that serious infringements bear serious consequences and also demonstrates how legislation is defining borders on the Internet by mandating that data is stored within the country where it is collected, rather than allowing it to move freely through data centres across the world.
“The fine also contradicts the popular view that data protection legislation is toothless and fines are too small to effect any real change in the way businesses protect our data – but a change in Meta’s behaviour will have a real and substantial impact on the way all businesses protect data.
“As a result, this could be a data protection milestone.”Click below to share this article