19 May 2023
On the 13th of April 2023, the European Data Protection Board (EDPB), announced the adoption of a dispute resolution decision, on the basis of Article 65 of the GDPR, concerning the legality of data transfers to the United States by Meta Platforms Ireland Limited (Meta) for its Facebook service.
The EDPB’s decision follows a draft decision of the Irish Data Protection Authority (DPA), as lead supervisory authority. Following the landmark "Schrems II" decision, the DPA initiated an "own volition" inquiry to consider whether Facebook's data transfers to the U.S. were legal. The DPA reached its draft decision to stop Meta from transferring personal data from the EU to the U.S. through its use of standard contractual clauses. The draft decision was sent to EU Data Protection Authorities. However, due to the several objections raised by various DPAs, the dispute resolution mechanism under Article 65 of the GDPR has been activated.
The EDPB’s binding decision addresses important legal questions arising from the draft decision of the Irish DPA regarding Meta and settles the dispute on whether an administrative fine and/or an additional order to bring processing into compliance must be included in the Irish DPA’s final decision. The EDPB binding decision plays a key role in ensuring the correct and consistent application of the GDPR by the national Data Protection Authorities.
The decision of the EDPB will be published after the Irish DPA notifies its national decision to Meta. The Irish DPA was given one month after the EDPB has notified its decision, to issue its final decision on the legality of data transfers by Meta from the EU to the US.
Following the EDPB’s finalization of its binding decision, Ireland’s Data Protection Commissioner Helen Dixon, said her office would issue its final ruling by May 12th. However, no decision has been published yet.
The potential impact of the imminent final decision of the Irish DPA can prove to be tremendous. Apart from a steep monetary fine, Meta could face data transfer suspension for EU-US data transfers based on the standard contractual clauses, which essentially causes an EU service blackout, affecting thousands of organizations with similar data flows, until a legal transfer mechanism to replace the EU-U.S. Privacy Shield Framework is adopted. This could lead EU businesses to demand data localization from U.S. business partners or to switch to domestic alternatives.
Due to our expertise and extensive experience with diverse clientele including both local as well as multinational companies, Privacy Minders provides full support to organisations whose processing activities involve international data transfers. We conduct through reviews, on a case-by-case basis, of each individual contract with vendors/contractors, perform Transfer Impact Assessments, assess the third country’s relevant legislation, identify the appropriate transfer tool, and assist in choosing supplementary measures. Rest assures that our team is keeping up with the latest privacy developments and can provide alternative solutions in case a decision of the Irish DPA affects the data flows of your organisation.