The Data Protection Commission (DPC) has recently finished investigating Meta Platforms Ireland Limited (known as Meta Ireland), the company behind Facebook. They were looking into how Meta Ireland transfers personal data from Europe to the United States while providing its Facebook service. This was all started by Max Shrems and NOYB. Let’s break it down in a way that’s easy to understand.
What’s the issue?
The DPC made a final decision on May 12, 2023, after examining the situation. They found that Meta Ireland broke a law called Article 46(1) GDPR by continuing to send personal data from Europe to the US, even after a court ruling called the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. Meta Ireland tried to follow the rules by using something called “Standard Contractual Clauses” and other extra measures, but the DPC felt that these steps didn’t fully protect people’s rights.
How did it start?
The investigation began in August 2020 but was put on hold by the High Court of Ireland until May 20, 2021, due to some legal proceedings. After looking into everything thoroughly, the DPC prepared a draft decision on July 6, 2022. They found two important things:
- The data transfers Meta Ireland was doing were breaking the law (Article 46(1) GDPR).
- In this situation, they believed the data transfers should be stopped.
What did other regulators say?
As part of a cooperative process required by the GDPR, the DPC shared its draft decision with other European regulators known as Concerned Supervisory Authorities (CSAs). All the CSAs agreed with the DPC’s decision that Meta Ireland had not complied with the GDPR.
However, a small number of CSAs (4 out of 47) had some objections. They felt that Meta Ireland should be fined for what they did wrong and that they should be told to fix the personal data that had already been sent to the US without following the rules. The DPC disagreed because they thought that simply stopping future data transfers was enough punishment for Meta Ireland.
What happened next?
Since they couldn’t find a consensus, the DPC referred the objections to the European Data Protection Board (EDPB) to resolve the issue using a dispute resolution mechanism called Article 65.
The EDPB made its decision on April 13, 2023. The DPC, following its obligations, based its final decision on the EDPB’s decision. Here’s what the DPC decided:
- Meta Ireland must stop sending personal data to the US for at least five months from when they were notified of the DPC’s decision.
- Meta Ireland has been fined €1.2 billion as a punishment for breaking the rules. The DPC determined this amount based on the EDPB’s decision.
- Meta Ireland has to bring its data processing practices in line with the GDPR’s rules within six months from when they were notified of the DPC’s decision. This means they need to stop storing personal data of European users in the US if it goes against the GDPR.
In summary, Meta (formerly known as Facebook) has been in trouble for not properly handling personal data. The Data Protection Commission found that Meta Ireland violated the law by transferring data from Europe to the US in a way that didn’t adequately protect people’s rights. As a result, Meta Ireland has been fined a massive amount of money and needs to make significant changes to their data processing practices. Let’s hope this serves as a reminder to all companies to handle our personal data.
While this is good news, unfortunately, it appears that my complaint against the Catholic Church retaining and processing my data isn’t going as well. More on that soon.