WHAT HAPPENED?
The fine relates to the legality of data transfers to the United States by Meta for its Facebook service with Meta found to have infringed Article 46(1) GDPR. 

US law does not provide a level of protection to personal data that is equivalent to that provided by EU law and the use of Standard Contractual Clauses (“SCCs”) and supplementary measures implemented by Meta did not compensate for the inadequate protection under US law.  

Facebook has five months to suspend future transfer of personal data to the US and six months to cease the processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR. “Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation”. (link)  

On 13 April, the European Data Protection Board (EDPB) confirmed that it had issued a decision after being called in to settle a dispute following objections lodged by several European DPAs against the DPC’s draft findings “EDPB resolves dispute on transfers by Meta and creates task force on Chat GPT ” European Data Protection Board. (link)

DATA PRIVACY FRAMEWORK
Negotiations are continuing on the EU-US Data Privacy Framework (DPF) which aims to facilitate transatlantic data flows and replace the Privacy Shield invalidated by CJEU Schrems II judgment.

On 28 February, the European Data Protection Board (EDPB) issued its opinion on the DPF which welcomed improvements made to the framework but expressed concerns and clarification, in particular, relating to rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism “Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework”. (link)

On 11 May the European Parliament voted to adopt a resolution on the adequacy of the protection afforded by the DPF which concluded that the proposed DPF is an improvement but not enough to justify an adequacy decision on personal data transfers.  It called on the EU Commission to continue in its negotiations with the US to create a framework that would provide equivalence of the protection provided by the GDPR. It also expressed concern that the DPF could again be invalidated by the CJEU, leading to lack of certainty and business disruption (Texts adopted – “Adequacy of the protection afforded by the EU-U.S. Data Privacy Framework” – Thursday, 11 May 2023. (link)

Given the importance and value of data flows, today’s decision is highly significant and we will be monitoring future data protection enforcements and the progress of the DPF carefully as well as any future potential legal challenges to that framework.

Susie MacKenzie, Head of Legal & Regulatory Analytics.

If you’d like to know more about Corlytics and our solutions, please get in touch with us