Irish Supervisory Authority "Poking" At Meta's GDPR Practices

• Published date: 07 June 2023
• Subject Matter: Privacy, Data Protection, Privacy Protection
• Law Firm: K&L Gates
• Author: Mr Claude-Étienne Armingaud and Whitney E. McCollum

Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined the Irish subsidiary of Meta, Meta Platforms Ireland Limited (Meta Ireland), ?1.2 billion (US$1.3 billion), the highest GDPR fine levied since 2018.

Further to the DPC decision (Decision), and in addition to paying the record fine, Meta will need to:

• Suspend any future transfers of personal data to the United States within five months from the date of notification of the decision to Meta Ireland; and
• Ensure the compliance of its data processing operations by ceasing the unlawful processing, including storage, in the United States of personal data of its users in the European Economic Area (EEA), transferred without sufficient safeguards, within six months from the date of notification of the DPC's decision to Meta Ireland.

The core of the grievances relates to a decade-long (and ongoing) crusade initiated by privacy and data rights activist Maximilian Schrems and the data protection association he founded, None of Your Business (NOYB). The crusade started in 2013, with a first step resulting in a resounding cancelation of the Safe Harbor Framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 case of Schrems I (see our alert). That was followed by action against the Safe Harbor's successor, the Privacy Shield Framework, leading to the same result in 2020 in the case of Schrems II (see our alerts here, here, and here).

The European Commission is currently assessing a potential successor to the Safe Harbor and the Privacy Shield. As such, all eyes turned to the DPC, and in particular its analysis of Meta's internal framework for the transfer of personal data from its European users to its headquarters and services providers in the United States.

In the absence of a catch-all framework such as the Safe Harbor or the Privacy Shield, Meta instead relied on a specific contractual framework, the Standard Contractual Clauses (SCC) published by the European Commission. This framework, which pre-dates GDPR, has recently been revised further to Schrems II (see above and our alert-the deadline to transition from the revised framework was set to 27 December 2022).

These new SCC generally addressed the concerns raised under Schrems II pertaining to potential access by US intelligence agencies to personal...