The European Union (EU) has issued a 1.2 billion euro fine on Meta Inc. for transferring the personal data of EU subjects to the United States (US). The present article series is divided into two parts. Part 1 of the series explains the European Data Protection Board’s (EDPB) decision in the light of the events that transpired and Part 2 of the series attempts to highlight the impact of this decision on Indian businesses operational in Europe.
Introduction
Meta Inc., the parent company of Facebook, is headquartered in California but boasts a strong presence in countries across the globe. Since Meta is an American conglomerate with its data servers in the US, there is a significant flow of personal data of its users to the US.
The operating data protection law of Europe ie the EU General Data Protection Regulation, 2016 (GDPR) lays down the rights of subjects whose data is collected, stored, transferred and processed, allowing data subjects a higher degree of control over their personal data, along with placing the responsibility of data protection on companies that process such data.
It is supervised by the EDPB to ensure its thorough compliance. It is due to Meta’s non-compliance with the GDPR and adherence to US’s surveillance laws that the EDPB has subjected the company to its biggest fine since its inception.
A Brief Background On EDPB’s Decision
In Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) 2020 (the Schrems II judgement), the Court of Justice of the European Union (CJEU) held the existing US-EU data transfer agreement (Privacy Shield) to be invalid as the Foreign Intelligence Surveillance Act, 1978 (FISA), a US Surveillance law, posed a threat to the right to privacy of the European Economic Area (EEA) citizens. The Court, however, did not invalidate the Standard Contractual Clauses (SCCs), which Meta continued to use. SCCs are standardized contracts that govern international data transfers. The EU provides model SCCs that comply with the GDPR which Meta has claimed to utilise in their EU-US data transfers.
Ireland’s Data Protection Commission (DPC), acting as the Lead Supervisory Authority (LSA) on behalf of the EU, has been investigating Meta’s transfer of user data from servers in the EU to the US since 2020 as a result of a complaint lodged by Mr. Maximillian Schrems, an Austrian privacy activist. Additionally, Meta was accused of neglecting to address the risk of infringement of users’ fundamental rights and freedoms in its SCCS.
According to the EDPB, the scope of enquiry comprised two issues:
- the lawfulness of international transfers of personal data of EU/EEA individuals who visit, access, use or otherwise interact with Facebook; and
- whether corrective powers should be exercised if the conclusion is reached that Meta is acting unlawfully and infringing Article 46(1) of the GDPR i.e. the law governing international data transfers.
The Commission concluded that Facebook is liable for a severe privacy breach. Consequently, Facebook has been given six months to put an end to “unlawful data processing, including storage, in the US” and five months for suspension of the transfer of data to the US servers. The four Concerned Supervisory Authorities from Austria, Germany, Spain and France (collectively referred to as the CAs) raised objections to this draft decision and encouraged the imposition of a hefty administrative fine of 1.2 billion euros for this “systematic, repetitive and continuous” data breach by Facebook.
Thank you for reading Part 1 of the series. In Part 2 we discuss Meta’s response to this decision, the data protection framework between India and the EU for Indian platforms operational in the EU, the impact of this decision on them and the way forward for India.
Corrida Legal is the preferred corporate law firm in Gurgaon (Delhi NCR) and Mumbai. Reach out to us on LinkedIn or contact us at contact@corridalegal.com in case you require any advice or legal assistance. Go to our Data Privacy and Protection page for similar articles.