Meta sanctioned: IDPC enforces EU to US data transfer block

On May 12, 2023, the Irish Data Protection Commission (IDPC) made a significant decision against Meta Platforms Ireland Ltd, formerly known as Facebook. The case concerns the transmission of personal data, some of which are sensitive, of Facebook users located in the European Union (EU) to the parent company in the USA, where this data is stored and processed. This verdict, characterized by a particularly high fine, has sparked a wide debate, as it could affect the continuity of services offered by one of the most popular social networks in the EU. The Centers for European Policy Network (CEP), with a publication edited by Anja Hoffmann, also commented on this ruling and examined the general situation.

Details of the decision and its possible consequences

Among the highlights of the decision, the IDPC prohibited Meta from transferring the personal data of Facebook users in the EU to the United States in the future, as this violates the General Data Protection Regulation (GDPR). However, this suspension will not have immediate effect, it will only come into effect in October 2023. Furthermore, the IDPC has ordered Meta to bring its data processing operations into line with the provisions of the GDPR, with a deadline of six months from the decision , i.e. until November 12, 2023. In response, Meta must decide how to ensure that the processing of data already transferred complies with the GDPR. As a result, Meta received a €1.2 billion fine, the highest ever imposed under the GDPR.

The question of the appropriate legal basis and other implications

The IDPC highlighted that Meta does not have a legal basis for transferring European user data to the US as required by the GDPR. Following the 2020 Schrems II ruling, the "EU-USA Privacy Shield" is no longer considered a valid legal basis and Meta cannot base its data transfers on the EU Standard Contractual Clauses. The IDPC determined that Meta transferred the data to the United States without providing adequate guarantees of protection, thus violating the art. 46 of the GDPR. This decision, even though it formally applies only to Facebook, sets a precedent that could influence future decisions of other data protection authorities.

Possible future developments and the evolution of the regulation

While Meta has previously suggested that services like Facebook might have to shut down in Europe following a data transfer ban, the real implications of this recent decision remain to be seen. It is assumed that Meta could implement new processes to ensure compliance with the GDPR, or it could appeal the decision to court, delaying the enforcement of the ruling. At the same time, this decision could accelerate the adoption of new data protection regulations internationally, especially between the EU and the US, to establish a framework that ensures both respect for user privacy and the free flow of data across borders.