Meta Platforms Ireland Limited ("Meta") has been fined EUR 1.2 billion by the Data Protection Commission ("DPC"). The amount of the data protection fine for Meta shows that EU companies must take data protection seriously. It is also important to shed light on the background to the decision. The entire decision comprises over 200 pages and is probably too long for a blog post. We have picked out a few aspects for you.
Violation of Art 46: Data protection fine for Meta
According to the DPC, Meta has violated Art 46 GDPR, i.e. has not provided suitable safeguards for transfers to third countries. Meta is accused of continuing to transfer data to the US after the ECJ's Schrems II decision. The new version of the standard contractual clauses was used and some technical measures were also implemented. On the whole, however, the modifications made by Meta are not sufficient and do not implement the requirements of the ECJ.
The role of exemptions
The DPC notes that Meta cannot rely on any exceptions under Art 49 GDPR. In particular, the DPC does not consider a data transfer to the USA to be "contractually necessary" within the meaning of Art 49(1)(d) GDPR. The DPC refers to the case law of the ECJ (decision, p 101) and states that Art 49 GDPR is a derogation, which implies a "strict interpretation". The DPC also refers to statements made by Advocate General Giovanni Pitruzzella (decision, p 110): Art 52 of the EU Charter of Fundamental Rights requires that a restriction of the fundamental rights of EU citizens must be provided for by law and must not affect the essence of those rights. Art 49 GDPR must also be interpreted in this light.
Meta argued in this regard that although the word "occasionally" in recital 111 expresses an exceptional character, this term is not repeated in the GDPR and therefore has no further meaning. The DPC rejects this interpretation (decision, p 113), as the recitals should indeed be used to interpret the provisions of EU regulations.
What role does explicit consent play?
Important in this context: whether Meta, despite the exceptional nature of Art 49 GDPR, can rely on the express consent of users has not been decided, because Meta does not currently obtain such consent (decision, p 121). However, the DPC suggests that this is certainly problematic, especially as Art 49(1)(a) GDPR refers to a specific data transfer. It is therefore highly questionable whether consent can be given for all data transfers from Meta to the USA (decision, p 123).
How was the fine determined?
One of the factors taken into account when determining the amount of the penalty was the fact that Meta had already been fined. It was also taken into account that the violation has been ongoing for a long time (since the Schrems II decision was handed down) and that the offense was intentional.
Significance for domestic companies
What does the decision mean for companies beyond the use of Meta services? Many domestic companies also refer to Art 49(1)(a) GDPR in connection with the use of cookies. Although, in light of the decision, this does not appear to violate the regulation from the outset, it should be viewed critically. The DPC strongly emphasized the exceptional nature of the provision. The fact that consent relates to specific data processing could speak in favor of the possible use of cookies and tracking tools.
Do you have further questions about data protection?
If you have any further questions on this topic or other data protection issues, please do not hesitate to contact us. You can find further information on our homepage, at office@geuer.at or by telephone on +43-1-4380072. We look forward to hearing from you.