eWatchers.org

Original text taken from the edpb.europa.eu website.

Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR)

Adopted on 13 April 2023

The European Data Protection Board

Having regard to Article 63 and Article 65(1)(a) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter ‘GDPR’)[1],

Having regard to the European Economic Area (hereinafter ‘EEA’) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018[2],

Having regard to Article 11 and Article 22 of its Rules of Procedure (hereinafter ‘EDPB RoP’)[3],

Whereas:

(1) It follows from Article 60 GDPR that the lead supervisory authority (hereinafter ‘LSA’) shall cooperate with the other supervisory authorities concerned (hereinafter ‘CSAs’) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.

(2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the objection or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.

(3) The main role of the European Data Protection Board (hereinafter the ‘EDPB’) is to ensure the consistent application of the GDPR throughout the EEA. Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) EDPB RoP, within one month after the Chair of the EDPB and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject-matter upon decision of the Chair of the EDPB on own initiative or at the request of at least one third of the members of the EDPB.

(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.

(6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure.

HAS ADOPTED THE FOLLOWING BINDING DECISION

1 SUMMARY OF THE DISPUTE

1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter ‘Draft Decision’) issued by the Irish supervisory authority (‘Data Protection Commission’, hereinafter the ‘IE SA’, also referred to in this context as the ‘LSA’) and the subsequent objections expressed by a number of CSAs (‘Österreichische Datenschutzbehörde’ hereinafter the ‘AT SA’; ‘Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit’ also on behalf of all German SAs[4], hereinafter the ‘DE SAs’; ‘Agencia Española de Protección de Datos’, hereinafter the ‘ES SA’; ‘Commission Nationale de l’Informatique et des Libertés’, hereinafter the ‘FR SA’).

2. The Draft Decision at issue relates to an ‘own volition inquiry’ (IN-20-8-1) (the ‘Inquiry’) which was commenced by the IE SA on 28 August 2020 into the Facebook social media processing activities (hereinafter ‘Facebook service’[5]) of Facebook Ireland Limited, and more specifically into transfers of personal data outside of the EU/EEA carried out on the basis of standard contractual clauses (‘SCCs’) (pursuant to Article 46(2)(d) GDPR).

3. Facebook Ireland Limited is a company established in Dublin, Ireland. The company has subsequently changed its name to ‘Meta Platforms Ireland Limited’ (hereinafter ‘Meta IE’). Any reference to Meta IE in this Binding Decision means a reference to either Facebook Ireland Limited or Meta Platforms Ireland Limited, as appropriate[6].

4. The scope of the Inquiry was described by the IE SA as comprising two issues: (1) the lawfulness of international transfers of personal data of EU/EEA individuals[7] who visit, access, use or otherwise interact with the Facebook service, carried out by Meta IE, to Facebook Inc. pursuant to SCCs[8] following the judgment of the Court of Justice of the European Union delivered on 16 July 2020 in Case C-311/18 (the ‘Schrems II judgment’)[9] (these transfers of personal data will hereinafter be referred to as ‘FB International Transfers’); (2) whether (and/or which) corrective powers should be exercised by the IE SA pursuant to Article 58(2) GDPR in the event that the conclusion is reached that Meta IE is acting unlawfully and infringing Article 46(1) GDPR[10].

5. The IE SA explained it is also engaged in a separate and standalone ‘complaint-based inquiry’ (IN-21-6-3) in which Meta IE is also a respondent and in which issues substantially the same as those addressed in the Draft Decision will be determined[11]. This inquiry is based on a complaint that was lodged by Mr. Maximilian Schrems (hereinafter, ‘Schrems’)[12] and is progressed separately by the IE SA.

6. In these circumstances, the IE SA invited Schrems, as interested party, to share his views at specific junctures in the Inquiry, as further outlined below[13].

7. Additionally, the IE SA invited the Government of the United States of America (hereinafter, ‘US Government’) to share its views on particular matters at specific junctures in the Inquiry, as further outlined below[14].

8. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is the LSA, within the meaning of the GDPR, for Meta IE, as controller, for the purpose of the international transfers of personal data carried out on the basis of the SCCs in the context of the Facebook service[15].

9. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism.

28.08.2020

The IE SA issued a preliminary draft decision (hereinafter ‘the Preliminary Draft Decision’) to Meta IE on 28 August 2020. The Preliminary Draft Decision served as notice to Meta IE of commencement of an own volition inquiry, setting out its scope and legal basis. The IE SA invited Meta IE to provide its views on the Preliminary Draft Decision.

10.09.2020

Meta IE applied for judicial review, challenging the Preliminary Draft Decision[16]. The application was dismissed on 14 May 2021[17].

May 2021 - September 2021

On 21 May 2021[18], the IE SA renewed its invitation to Meta IE to make submissions on the Preliminary Draft Decision, which Meta IE submitted on 2 July 2021 (‘the Meta IE PDD Submissions’).
At the same time, the IE SA invited Schrems to make submissions on the Preliminary Draft Decision. On 20 July 2021, the IE SA invited Schrems to make submissions on the (redacted) submissions of Meta IE on the Preliminary Draft Decision. In response, Schrems provided submissions to the IE SA on 15 August 2021 (‘the Schrems PDD Submissions’).

On 18 August 2021, the IE SA raised additional questions to Meta IE in relation to their submissions; Meta IE responded on 1 September 2021 (‘the Meta IE Supplemental PDD Submissions’).

On 23 August 2021, the IE SA provided to Meta IE a copy of the Schrems PDD Submissions; Meta IE responded on 24 September 2021 (‘the Meta IE Response to Schrems PDD Submissions’).

On 20 August 2021, the IE SA invited the US Government as interested party to make submissions on a series of questions posed to it by IE SA, a response to which was provided on 20 September 2021 (‘the US Government PDD Submissions’).

21 - 22.02.2022

Having considered the material obtained over the course of the inquiry, including the submissions and response identified above, the IE SA issued a revised preliminary draft decision (‘the Revised Preliminary Draft’). The IE SA invited Meta IE to exercise its right to be heard in respect of the Revised Preliminary Draft. At this time, IE SA also provided Schrems and the US Government an opportunity to make submissions in response to the Revised Preliminary Draft.

March - April 2022

Schrems furnished submissions to IE SA on 21 March 2022 (‘the Schrems Revised PDD Submissions’). The US Government furnished submissions to the IE SA on 4 April 2022 (‘the US Government Revised PDD Submissions’).

Meta IE furnished submissions on 29 April 2022 concerning the Revised Preliminary Draft, the Schrems Revised PDD Submissions and the US Government Revised PDD Submissions (‘the Meta IE Revised PDD Submissions’).

6.07.2022

The IE SA shared its Draft Decision with the CSAs in accordance with Article 60(3) GDPR.

July - August 2022

Several CSAs (AT SA, DE SAs, ES SA and FR SA) raised objections in accordance with Article 60(4) GDPR[19]. Additionally, several CSAs raised comments[20].

10.08.2022

The IE SA furnished a copy of the objections and comments to Meta IE, for transparency purposes.

20.09.2022

The IE SA issued a memorandum setting out its replies to such objections and shared it with the CSAs (hereinafter, ‘Composite Response’). The IE SA requested the relevant CSAs to confirm by 27 September 2022 whether, having considered the IE SA’s position in relation to the objections as set out in the Composite Response, the CSAs intended to maintain their objections. On 27 September 2022, DE SAs explicitly confirmed to the IE SA that they maintain their objections[21].

28.09.2022

The IE SA clarified to Meta IE its intention to refer the dispute to the EDPB and invited Meta IE to exercise its right to be heard in respect of the objections (and comments) that IE SA proposed to refer to the EDPB along with Composite Response and the communications received from the CSAs in reply to the Composite Response.

2.11.2022

Meta IE furnished the requested submissions (the ‘Meta IE Art. 65 Submissions’).

10. Following the facts set out above, on 19 January 2023 the IE SA submitted the dispute to the EDPB in accordance with Article 60(4) GDPR, thus initiating the dispute resolution procedure under Article 65(1)(a) GDPR using the Internal Market Information system (hereinafter ‘IMI’) on 19 January 2023, at which time they also confirmed the completeness of the file.

11. Following the submission by the IE SA of this matter to the EDPB in accordance with Article 60(4) GDPR, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair of the EDPB in line with Article 11(2) EDPB RoP.

12. The EDPB Secretariat contacted the IE SA on 30 January 2023, asking it to provide additional documents and clarifications within a one-week timeframe. The IE SA provided the documents and information on 10 February 2023[22].

13. A matter of particular importance that was scrutinised by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the Charter of Fundamental Rights of the European Union (hereinafter, ‘CFR’). Further details on this are provided in Section 2 of this Binding Decision.

14. On 13 February 2023, the decision on the completeness of the file was taken, and it was circulated by the EDPB Secretariat to all the members of the EDPB.

15. The Chair of the EDPB decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) EDPB RoP, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.

2 THE RIGHT TO GOOD ADMINISTRATION

16. The EDPB is subject to Article 41 of the CFR, in particular Article 41 (right to good administration). This is also reflected in Article 11(1) EDPB RoP. Further details were provided in the EDPB Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, ‘EDPB Guidelines on Article 65(1)(a) GDPR’)[23].

17. The EDPB decision ‘shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them’ (Article 65(2) GDPR). It is not aiming to address directly any other third party, as clarified by the recent order of the General Court in case T-709/21[24].

18. Nevertheless, the EDPB assessed if Meta IE was offered the opportunity to exercise its right to be heard in relation to all the documents it received containing the matters of facts and law to be used by the EDPB to take its decision in this procedure.

19. The EDPB notes that Meta IE has received the opportunity to exercise its right to be heard regarding all the documents containing the matters of facts and of law considered and addressed by the EDPB in the context of this decision and provided its written observations[25], which have been shared with the EDPB by the IE SA.

3 CONDITIONS FOR ADOPTING A BINDING DECISION

20. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4) GDPR and Article 65(1)(a) GDPR[26].

3.1 Objection(s) expressed by several CSA(s) in relation to a Draft Decision

21. The EDPB notes that several CSAs raised objections to the Draft Decision via IMI. The objections were raised pursuant to Article 60(4) GDPR[26].

22. At this juncture, it is important to note the parts of the Draft Decision which fall outside the scope of the dispute and therefore of the competence of the EDPB. None of the findings of the IE SA on the infringements committed by Meta IE are challenged or disputed by the objections raised by the CSAs. Several CSAs explicitly praise the analysis carried out by the IE SA[27].

23. In its Draft Decision, the IE SA finds that ‘US law does not provide a level of protection that is essentially equivalent to that provided by EU law’, SCCs cannot compensate for the inadequate protection provided by US law, and ‘Meta does not have in place any supplemental measures which would compensate for the inadequate protection provided by US law’[28]. Accordingly, the IE SA finds that in making the FB International Transfers Meta is infringing Article 46(1) GDPR[29]. The IE SA also analyses the application of the derogations enshrined in Article 49 GDPR and concludes that ‘it is not open to Meta Ireland to rely on the derogations at Article 49(1) GDPR (or any of them) to justify the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US’[30].

24. The IE SA takes the view that ‘it is necessary to exercise corrective powers in order to address the infringements identified’ and that ‘in all the circumstances, it is appropriate, necessary and proportionate to order the suspension of the Data Transfers pursuant to Article 58(2)(j) GDPR’[31].

25. The IE SA refers to the Court of Justice of the European Union’s (hereinafter, ‘CJEU’) findings in the Schrems II judgment and recalls that although it is for the IE SA to ‘determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence’[32]. The IE SA then concludes that, as a supervisory authority, it is ‘required to take appropriate action in order to remedy the identified breach of Article 46 GDPR’ and that ‘it is appropriate, necessary and proportionate to invoke the power under Article 58(2)(j) GDPR to order the suspension of the Data Transfers’[33].

26. All the objections raised in this case only concern the application of corrective measures, and more specifically suggest the addition of further corrective measures while agreeing with the suspension order proposed by the IE SA[34].

3.2 The IE SA does not follow the objections to the Draft Decision or is of the opinion that the objections are not relevant or reasoned

27. The IE SA considered that the objections raised by the AT SA, FR SA and DE SAs are ‘relevant and reasoned’ for the purpose of Article 4(24) GDPR. In the case of the objection raised by the ES SA, however, the IE SA considers that this objection is not ‘relevant and reasoned’ for the reasons set out in the IE SA’s ‘Internal Assessment of the Status of Objections’[35] and below.

28. On 20 September 2022, the IE SA provided the CSAs with an analysis of their objections in its Composite Response. The analysis is provided ‘without prejudice to IE SA’s position on whether any of the objections raised constitute “relevant and reasoned” objections for the purpose of Article 4(24) GDPR’. According to the IE SA, the Composite Response represents the ‘IE SA’s compliance with its obligation (as Lead Supervisory Authority) to take due account of the views that have been expressed by the CSAs and, thereby, facilitating (insofar as possible) the conclusion of the within cooperation and consistency process by consensus, as envisaged by Article 60 GDPR’[36].

29. After setting out its position on the reasons for maintaining the Draft Decision unchanged, the IE SA concluded that it would not follow the objections[37].

3.3 Admissibility of the case

30. The case at issue fulfils, prima facie, all the elements listed by Article 65(1)(a) GDPR, since CSAs raised objections to the Draft Decision within the deadline provided by Article 60(4) GDPR, and the IE SA has not followed objections or rejected them for being, in its view, not relevant or reasoned.

31. The EDPB takes note of Meta IE’s position that the IE SA should not have referred the dispute to the EDPB pursuant to Article 65 GDPR in light of the ‘Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities’ (hereinafter ‘Executive Order’) issued on 7 October 2022 by the President of the United States as well as the ‘Regulations regarding the Data Protection Review Court introduced by the EO’ (hereinafter ‘US AG Regulations’) issued by the United States Attorney General[38]. Concretely, Meta IE petitioned the IE SA for ‘a right to be heard in respect of the changes to US law and practice made by the EO and (ii) consider whether it was necessary to revise the Draft Decision in light of this material development before this matter is submitted to an Article 65 Process’[39]. Meta IE argues that ‘any conclusions arrived at in the Article 65 Process would be based on erroneous and outdated findings of fact’[40].

32. The IE SA examines very thoroughly whether the Executive Order and the US AG Regulations give rise to a material change of circumstance such as to require them to revisit the Draft Decision, concluding that ‘the analysis on which the findings contained in the Draft Decision rest have not been overtaken by events, or rendered inaccurate, incomplete or out of date, whether by reference to the Executive Order, or otherwise’[41]. Likewise, the EDPB fails to see how the documents issued on 7 October 2022 could have a retroactive effect on the findings made by the IE SA on 6 July 2022. The EDPB fully agrees with the IE SA that ‘the Draft Decision can (and, indeed, must) proceed to consideration by the EDPB in the context of the Article 65 Procedure’[42].

33. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is therefore competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objection(s), in particular whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR[43].

34. The EDPB recalls that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant Draft Decision and the objections raised by the CSA(s).

3.4 Structure of the binding decision

35. For each of the objections raised, the EDPB decides on their admissibility, by assessing first whether they can be considered as a ‘relevant and reasoned objection’ within the meaning of Article 4(24) GDPR as clarified in the EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March 2021 (hereinafter, ‘EDPB Guidelines on RRO’)[44].

36. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case. The EDPB will analyse the merits of the substantial issues raised by all objections it deems relevant and reasoned[45].

4 ON THE IMPOSITION OF AN ADMINISTRATIVE FINE

4.1 Analysis by the LSA in the Draft Decision

37. The EDPB recalls that the current dispute revolves around the corrective measures chosen by the IE SA[46]. The IE SA states that it has ‘had regard to the DPC’s power to impose an administrative fine, whether in addition to, or instead of, any of the other measures set out in GDPR Article 58(2)’ and that it has ‘carefully considered the criteria set out in GDPR Article 83(2)(a)–(k)’[47].

38. The IE SA takes the view that the imposition of an administrative fine ‘in addition to an order directing the suspension of the Data Transfers would not be “effective, proportionate and dissuasive”’ and ‘would not render the DPC’s response to the findings of unlawfulness any more effective’[48]. The IE SA does not consider that ‘in the particular circumstances of this case, or in relation to transfers generally, the imposition of an administrative fine on top of the suspension would have any meaningful dissuasive effect, particularly when set against the consequences said to attach to an order directing the suspension of transfers’[49].

39. The IE SA further expressed concern that the imposition of an administrative fine would be disproportionate, both having regard to the consequences attaching to an order directing suspension of transfers but also because it was ultimately through the Schrems II judgment that a series of complex legal issues relating to the Data Transfers have been resolved, and where, in the interim, ‘the Data Transfers were being effected, in good faith, under and by reference to transfer mechanisms provided for at law’[50].

4.2 Summary of the objections raised by the CSAs

40. The AT SA, DE SAs, ES SA, and FR SA raise objections pursuant to Article 4(24) GDPR and Article 60(4) GDPR stating that in the case at stake it would be appropriate for an administrative fine to be imposed for the infringement of Article 46(1) GDPR in addition to the suspension of data transfers[51].

41. The AT SA, DE SAs, ES SA, and FR SA put forward several factual and legal arguments for the proposed change concerning the envisaged corrective measures.

42. While all these CSAs agree with the imposition of the suspension order envisaged by the LSA to ensure future compliance[52], they argue that an administrative fine should also be imposed in order to appropriately address the infringement committed in the past[53]. According to the AT SA and DE SAs, the suspension alone is not sufficient[54]. The FR SA and ES SA argue in this respect that the imposition of an administrative fine would have punitive effects that the suspension would not have[55].

43. The AT SA, DE SAs, ES SA, and FR SA disagree with the IE SA’s conclusion set forth in the Draft Decision[56] that an administrative fine would not be appropriate and would not have any meaningful dissuasive effect[57]. Since ‘Meta is the provider of the biggest global social media network with an enormous number of users within the European Union and thus affected persons’[58], the AT SA argues that ‘[n]ot properly addressing the identified infringement of Chapter V of the GDPR would generally weaken the position of the supervisory authorities and endanger compliance with the GDPR on a general level’[59] also considering that ‘transferring data to the United States is still a widely used practice among numerous controllers’[60]. The AT SA, DE SAs, and ES SA highlight that the imposition of an administrative fine in the case at hand should be effective, proportionate and dissuasive[61]. The AT SA, ES SA, DE SAs and FR SA also recall in their objections that Recital 148 GDPR and Article 58(2)(i) GDPR allow the imposition of administrative fines ‘in addition to, or instead of’ other measures[62]. Along the same lines, the ES SA highlights that the imposition of an administrative fine is ‘compatible with the imposition of the corrective measures proposed’ by the IE SA[63]. According to the DE SAs, Recital 148 GDPR indicates that an order must be complemented by a fine[64].

44. With respect to effectiveness, the AT SA underlines that ‘an administrative fine may be imposed in addition to other corrective measures’[65] and that it would be an effective measure to counteract the infringement established and strengthen the enforcement of the GDPR, also in light of Meta IE’s financial position[66]. According to the DE SAs, ‘Only the imposition of an administrative fine regarding the infringement of Article 46 (1) GDPR at least for the time since the Schrems-II ruling can ensure the effective enforcement of the GDPR in this case’[67]. The ES SA highlighted with respect to effectiveness that ‘the non-imposition of a fine would lead the infringing entities to consider that the infringement of the GDPR does not have financial punitive consequences’[68]. The FR SA argues that the administrative fine and the suspension are ‘complementary corrective measures’[69].

45. Concerning proportionality, the AT SA concludes that ‘the imposition of an administrative fine would not in any case be disproportionate’[70] considering the factors in Article 83(2)(a), (b), (e), and (g) GDPR. In the DE SAs’ view, ‘there is nothing in the draft decision to support the conclusion that the imposition of an administrative fine would be disproportionate’ and on the contrary ‘the very long duration of proceedings show that the controller must have been aware of the problem for a long time’[71]. The ES SA argues that ‘it should be borne in mind that it is an entity that generates huge profits, so imposing a fine taking into account the gravity of the infringement and the nature of the processing would not be disproportionate and would not cause it harm which it would not have to face as a result of acts contrary to the GDPR’[72].

46. As to the dissuasiveness aspect, the AT SA, DE SAs, ES SA and FR SA provide reasoning as to why imposing an administrative fine would achieve both the general and specific deterrence objectives[73]. With respect to general deterrence, the AT SA highlights the need for the corrective measures to achieve this goal ‘in order to raise awareness among controllers who transfer personal data to the United States’[74] and avoid that controllers ‘come to the conclusion that the cost of continuing an unlawful practice will outweigh the expected consequences of an infringement and will be less inclined to comply with the GDPR’[75]. The DE SAs argue that this case ‘is a precedent that will affect many if not all cases of third country data transfers’, ‘closely watched by all undertakings participating in the Single Economic Market’[76], and that therefore ‘general deterrence is of higher importance in this specific case’[77]. According to the DE SAs, not imposing a fine ‘for the serious infringement of Article 46(1) GDPR could not ensure a general preventive effect of the compliance order’ and will rather have the opposite effect[78], since other controllers ‘may orientate their compliance with data protection law considering that infringements of Article 46 (1) GDPR are not sanctioned’[79] and ‘may demand to be treated by other supervisory authorities as the DPC treated Meta’, after concluding that ‘even total disrespect to the principles relating to the processing of personal data would not lead to administrative fines at all’[80]. The ES SA express their concern that the Draft Decision ‘would set a precedent that would make it difficult to impose fines by reducing the enforcement power of the authorities and their ability to ensure effective compliance with the GDPR’[81]. The FR SA underlines the risk that if no administrative fine is imposed, other controllers carrying out similar processing and transferring personal data under similar conditions would have no incentive to bring their transfers into conformity with the GDPR or to suspend them[82].

47. With respect to specific deterrence, according to the AT SA ‘an administrative fine is necessary to have a dissuasive effect in the specific case, as Meta Ireland does not seem to have shown any efforts to refrain from transferring personal data to Meta Platforms, Inc.’ and has instead expressed that these transfers are necessary for it to continue to provide its services in the EU/EEA area[83]. Along the same lines, the DE SAs note that the facts of the case do not indicate that Meta IE is sufficiently deterred by the order to no longer transfer personal data in the future[84] and that contrary to the IE SA’s opinion Meta IE is not sufficiently deterred to refrain from non-compliance if a fine is not imposed[85]. According to the DE SAs, even if the envisaged order could be taken into account in assessing general deterrence, ‘the individual case at hand does not allow to conclude that Meta is sufficiently deterred’[86]: rather, ‘Meta did not declare that it recognizes its non-compliance in the past’, ‘did not show any form of active repentance that would allow the argument that an order alone would suffice to change the overall attitude of Meta towards general data protection compliance’, and ‘did not declare to accept the order to cease data transfers and to comply with the DPC’s order’[87]. The DE SAs thus conclude that the IE SA incorrectly assessed the question of specific deterrence and ‘wrongfully put excessive mitigating weight on this factor’[88]. The ES SA highlighted that ‘the measure suspending transfers has effects with a forward-looking nature but has no punitive effect on the infringement committed and that which is still committed, so that the measure does not have a deterrent effect’[89]. According to the FR SA, the controller has no incentive to refrain from repeating such behaviour (and thus unlawfully transferring personal data) or from continuing it in the context of other processing operations it carries out. The draft decision in question only concerns the Facebook service and not the other services proposed by the company Meta Platforms Ireland Limited (such as, for instance, the Instagram and WhatsApp services)[90].

48. The AT SA and DE SAs also disagree with the way in which the IE SA assesses or weighs the factors in Article 83(2) GDPR[91]. The AT SA flags that the IE SA states in its Draft Decision that it carefully considers the criteria under Article 83(2) GDPR but does not provide any detailed reasoning[92]. The DE SAs argue that the IE SA ‘did not [assess] the factors in Article 83 (2) GDPR or at least did not weigh these factors correctly’[93] and highlight that ‘it is necessary to provide a minimum amount of reasoning regarding the application of these factors to ensure smooth decisions for CSA in Article 60 GDPR and Article 65 GDPR procedures’, i.e. to at least ‘establish which of the factors of Article 83(2) GDPR are of relevance in the individual case’ and ‘indicate individually whether the relevant factors were applied in a mitigating or aggravating manner’[94].

49. The AT SA and DE SAs also elaborate on how certain factors listed by Article 83(2) GDPR apply to the case at hand and should be taken into account as aggravating factors[95]. The ES SA and FR SA also provide, in their objections, relevant elements in this regard[96]. More specifically:

- the application of Article 83(2)(a) GDPR and elements relevant to this factor are analysed by the AT SA[97], DE SAs[98], ES SA[99] and FR SA[100];

- the application of Article 83(2)(b) GDPR and elements relevant to this factor are analysed by the AT SA[101], DE SAs[102], ES SA[103] and FR SA[104];

- the application of Article 83(2)(d) GDPR is analysed by the DE SAs[105];

- the application of Article 83(2)(e) GDPR is analysed by the AT SA[106];

- the application of Article 83(2)(g) GDPR and some elements relevant to this factor are analysed by the AT SA[107], DE SAs[108], ES SA[109] and FR SA[110];

- the application of Article 83(2)(h) GDPR is analysed by the DE SAs[111];

- the application of Article 83(2)(k) GDPR is analysed by the DE SAs[112].

50. In light of the criteria they analyse, the DE SAs conclude that the ‘infringement should be classified in the high level of seriousness’[113].

51. The AT SA, DE SAs and FR SA also elaborate on some of the criteria to be employed in the calculation of the amount of the fine to be imposed[114].

52. The AT SA, DE SAs, ES SA, and FR SA also explain that failure to impose an administrative fine for the infringement at stake in addition to the envisaged suspension would pose risks to the fundamental rights and freedoms of data subjects[115].

53. Specifically, the AT SA argues that should an administrative fine not be imposed, ‘the rights of the data subjects would not be effectively safeguarded, thus creating an incentive for the controller and other entities to continue or engage in such violations’, sending a ‘wrong signal to other controllers’[116]: this ‘would endanger the data subjects – with respect to their rights under the CFR, especially Articles 7, 8 and 47 – whose personal data are and will be processed by the controller or other controllers in the future’[117]. The AT SA also flags that ‘Ultimately, less compliance with the GDPR inevitably leads to less protection of data subjects in relation to the processing of personal data’[118] and that not properly addressing the infringement ‘would generally endanger compliance with the GDPR on a general level’[119].

54. The DE SAs argue that the Draft Decision, and specifically its ‘essential shortcoming’ consisting in the absence of an administrative fine, ‘would lead to significant risks for the fundamental rights and freedoms of the data subjects’[120]. This is because the enforcement of the GDPR aims to protect the fundamental rights and freedoms of the data subjects[121], and an effective enforcement is a precondition for such protection, but this cannot be ensured in this case without the imposition of an administrative fine[122], as ‘Non-compliance with GDPR would not cause any costs and therefore, from an economical point of a view could be a reasonable option for controllers’[123].

55. The ES SA argues in this regard that ‘If the procedure is concluded without the imposition of a fine for the infringement committed and still committed, there are significant risks to the fundamental rights and freedoms of all users of the services of the controller, since, if the infringement does not have sufficiently dissuasive financial consequences for the infringer, the data subjects could lose the guarantees they derive from the GDPR as compared to other legislation as evidenced by the CJEU ruling of 16 July 2020 in Case C-311/18, annulling a system which considered that it did not offer sufficient safeguards’[124]. The ES SA also highlights that the suspension would not have a deterrent effect[125].

56. The FR SA argues that the Draft Decision ‘would present a significant risk for the rights and freedoms of the data subjects’[126] because ‘in the absence of a fine against the controller, the draft decision would not have any dissuasive character, neither against the controller in question, nor against other controllers’[127]. According to the FR SA, the suspension of an unlawful transfer is already an obligation resulting expressly from the GDPR and the Schrems II judgment and if only a suspension is imposed, ‘the only risk for a controller who fails to comply with its obligation to suspend an unlawful transfer would be that a supervisory authority would order it to do so’[128]. ‘This total lack of dissuasive effect of the draft decision constitutes a risk for the fundamental rights and freedoms of data subjects’ because ‘the controller has no incentive to refrain from repeating such behaviour (and thus unlawfully transferring personal data) or from continuing it in the context of other processing operations it carries out’[129]. The FR SA also argues that ‘Other controllers carrying out similar processing operations and in particular transferring personal data under similar conditions have thus no incentive to bring their transfers into conformity with the GDPR or to suspend them’[130] and concludes that ‘data transfers such as the one at issue would be encouraged by a draft decision that would not contain any punitive measure and this constitutes a strong risk for the right to privacy of the data subjects’[131].

57. According to the AT SA and ES SA, a failure to impose an administrative fine in this case would also possibly jeopardise the consistent application of the GDPR or create discriminatory treatment as in similar cases an administrative fine would likely be imposed, and this case would set a precedent[132].

4.3 Position of the LSA on the objections

58. The IE SA considers that the objections raised by the AT SA, FR SA and DE SAs are ‘relevant and reasoned’ for the purpose of Article 4(24) GDPR. In the case of the objection raised by the ES SA, however, the IE SA considers that this objection is not ‘relevant and reasoned’ on the basis that it ‘does not clearly demonstrate the significance of the risks posed by the draft decision in relation to the fundamental rights and freedoms of data subjects’[133]. In relation to the subject-matter of the objections, the IE SA considers that it would not be possible to reach consensus on the matters arising from the objections and determines that the most appropriate course of action is to refer the objections to the EDPB for determination in accordance with Articles 60(4) and 65(1)(a) GDPR[134].

59. The IE SA notes that the objections and comments in relation to the imposition of an administrative fine ‘broadly focus on concerns of deterrence and effectiveness’[135]. The IE SA reiterates its view that an administrative fine in addition to the suspension order ‘would not be appropriate, necessary or proportionate to the circumstances of the within inquiry’[136] and would not be effective, proportionate and dissuasive as required by Article 83(1) GDPR[137].

60. In response to the ES SA’s concern regarding the discriminatory treatment vis-à-vis other controllers, the IE SA highlights that the decisions issued following the 101 complaints lodged by the non-profit None of Your Business - European Center for Digital Rights (hereinafter, ‘NOYB’) concerning the use of Google Analytics have found an infringement of the GDPR without, however, imposing an administrative fine[138]. According to the IE SA, ‘in light of the outcomes recorded in the Google Analytics-focused complaint-based inquiries, it would be inconsistent to seek to impose a punitive sanction on Meta Ireland when similar punitive sanctions have not yet been imposed on either: (i) the entities which were found to have unlawfully used Google Analytics; or (ii) Google LLC itself’[139].

61. In relation to the CSAs’ suggestion that Meta IE ought to have stopped transferring personal data following the delivery of the CJEU’s judgment of 16 July 2020[140], the IE SA notes that, following the Schrems II judgment, Meta IE implemented measures, supplementing the 2021 SCCs, which it considered to provide appropriate safeguards to the data subjects[141]. The IE SA also recalls that Meta IE has made alternative submissions seeking to rely on the derogations under Article 49 GDPR[142].

62. The IE SA notes that, while it ultimately determined that neither the supplemental measures nor the Article 49 derogations could be relied upon by Meta IE to ground the transfer of personal data to the US, ‘it does not follow that Meta Ireland ought to have known, following the delivery of the CJEU Judgment, that it was not entitled to transfer personal data to the US in reliance on either the supplemental measures or the Article 49 derogations’[143]. This is particularly the case in relation to Meta IE’s alternative reliance on the Article 49 derogations, given the clear suggestion – set out in paragraph 202 of the Schrems II judgment – that it might be possible for data transfers to the US to take place on the basis of the derogations provided for in Article 49 GDPR. The IE SA explains that it was in these circumstances that the Draft Decision recorded (in paragraph 9.48 thereof) that ‘in the interim, the Data Transfers were being effected, in good faith, under and by reference to transfer mechanisms provided for at law’. In addition, according to the IE SA, no CSA has challenged the conclusion that Meta IE had acted in good faith when relying on transfer mechanisms to continue transferring data[144].

63. In light of the above, the IE SA concludes that an administrative fine, the objective of which is ‘to sanction wrongdoing that has already occurred’, would be ‘a disproportionate response in the circumstances of this particular case’ and decides not to follow the objections[145].

4.4 Analysis of the EDPB

4.4.1 Assessment of whether the objections were relevant and reasoned

64. The objections raised by the AT SA, ES SA, DE SAs and FR SA concern ‘whether the action envisaged in the Draft Decision complies with the GDPR’[146].

65. The EDPB takes note of Meta IE’s view that not a single objection put forward by the CSAs meets the threshold of Article 4(24) GDPR[147]. Meta IE argues that CSAs must ‘limit their Objections to the specific corrective measures proposed by the DPC as LSA and whether these comply with the GDPR’ and may not ‘substitute their own view of the appropriate corrective measures’[148] concluding that none of the objections are relevant[149].

66. The EDPB is of the view that CSAs are not restricted to criticising the corrective measures set out by an LSA in its draft decision, but may ask for specific additional corrective measures to be taken by the LSA - provided the objection is sufficiently reasoned to demonstrate that the lack thereof means the envisaged action of the LSA does not comply with the GDPR taking into consideration the risks at stake[150]. This is a possibility both to address infringements already identified in the Draft Decision or, as the case may be, identified by the CSA in an objection raised[151].

67. The AT SA, ES SA, DE SAs and FR SA disagree with a specific part of the IE SA’s Draft Decision, where the IE SA decided not to impose an administrative fine, by arguing that an administrative fine should have been imposed in the Draft Decision in addition to the order to suspend transfers[152]. If followed, these objections would lead to a different conclusion as to the choice of corrective measures. In consequence, the EDPB finds the objections to be relevant.

68. On the factual elements and legal arguments put forward by the AT SA and DE SAs, Meta IE does not allege any shortcoming[153]. On the reasoning set out by the ES SA and FR SA, Meta IE alleges they do not provide sound and substantiated reasoning and thus do not meet the threshold of Article 4(24) GDPR[154]. Specifically, Meta IE refers to the factors listed in Article 83(2) GDPR and argues that the ES SA ‘fails to provide any analysis of these factors and does not suggest that the DPC’s analysis of them was flawed’[155] and instead makes ‘broad and misguided claims’, for example that ‘this infringement is particularly serious since it concerns transfers which are not occasional or sporadic’ and that Meta Ireland ‘is an entity that generates huge profits’[156]. Similarly, Meta IE asserts that the FR SA ‘does not provide any reasoned assessment of the Article 83(2) factors, simply asserting that it “thinks that, in this case, an administrative fine must be imposed given the gravity of the infringement, the number of data subjects affected, the nature and duration of the infringement and the intentional character”’[157].

69. The EDPB recalls that ‘the degree of detail of the objection and the depth of the analysis included therein may be affected by the degree of detail in the content of the draft decision and by the degree of involvement of the CSA in the process leading to the draft decision’[158]. In the current case, the Draft Decision does not include an analysis of the factors of Article 83(2) GDPR, yet in part the dispute revolves around these factors[159]. The EDPB also takes the view that CSAs are not required to engage in a full assessment of all the aspects of Article 83 GDPR in order for an objection on the appropriate administrative fine to be considered reasoned. In this regard, it is entirely possible to argue an administrative fine is not ‘effective, proportionate and dissuasive’ in the meaning of Article 83(1) GDPR without referring to a specific criterion listed in Article 83(2) GDPR[160]. It is sufficient to lay out which aspect of the Draft Decision is, in their view, deficient/erroneous and why[161].

70. In the case at hand, in any event, both the ES SA and the FR SA clearly explain in their objection why they deem a change to the Draft Decision necessary. The ES SA indeed puts forward specific arguments, in particular its view that the transfers are not occasional or sporadic, adding they are ‘systematic, mass, repetitive and continuous in nature, which include special categories of personal data’, which the EDPB understands as a concise but clear reference to the facts identified by the IE SA in the Draft Decision and not disputed by the ES SA[162], as well as to certain factors listed by Article 83(2) GDPR. In addition the ES SA argues that the circumstance that Meta IE is ‘an entity that generates huge profits’ is pertinent when assessing the proportionality of a fine[163]. Furthermore, the FR SA provides more details than the summary statement cited by Meta IE[164], as explained in detail above in paragraph 56.

71. Concerning whether these objections are adequately ‘reasoned’, the EDPB recalls that this requirement is connected to whether they include clarifications and arguments as to why an amendment to the draft decision is proposed[165]. The EDPB finds that all of these objections include sufficient arguments and clarifications as to the factual elements and legal arguments supporting these requests for change (i.e. the request for the imposition of an administrative fine). As explained in Section 4.2 of this Binding Decision, the objections raised by the AT SA, DE SAs, ES SA and FR SA explain thoroughly why the specific aspect of the Draft Decision consisting in the choice not to impose an administrative fine is deficient / erroneous[166]. This is in line with the threshold of Article 4(24) GDPR.

72. In order for objections to meet the threshold set by Article 4(24) GDPR, they also need to clearly demonstrate the significance of the risks posed by the draft decision. In this regard, Meta IE argues that the AT SA, ES SA, DE SAs and FR SA do not sufficiently demonstrate that the Draft Decision poses a significant risk to fundamental rights and freedoms of data subjects.

73. Meta IE asserts the AT SA does not sufficiently demonstrate the risk posed by the Draft Decision, ‘particularly in circumstances where the Austrian SA accepts that the Transfer Suspension Order would be “suitable” for the purposes of bringing Meta Ireland into compliance with the GDPR’[167]. The EDPB fails to see how an acknowledgement by the AT SA that it agrees in part with the Draft Decision (the chosen corrective measure is suitable), could be understood as undermining the objection expressed by the AT SA (expressing, in a nutshell, the view that the chosen corrective measure is not sufficient)[168]. Similarly, Meta IE claims the ES SA ‘appears to be of the view that the Transfer Suspension Order would bring Meta Ireland into compliance with the GDPR’[169], however the EDPB cannot identify any such position in the objection[170].

74. Meta IE dismisses as unsubstantiated the arguments raised by the AT SA, ES SA, DE SAs and FR SA on the risk that the Draft Decision will not have a sufficient specific deterrent effect towards Meta IE and concludes that the lack of administrative fine would not pose significant risks to data subjects’ fundamental rights and freedoms[171]. Meta IE adds that the DE SAs and FR SA overlook ‘the significant adverse impacts of the proposed Transfer Suspension Order, and it is incorrect and unrealistic to suggest that this will not dissuade Meta Ireland (and others) from non-compliance’[172]. The EDPB notes that the DE SAs and FR SA included in their objection clear arguments explaining why, in their view, the imposition of a fine would have a dissuasive effect that the proposed suspension order alone would not have. Moreover, considering the context of the Inquiry - and the lengthy proceedings leading up to it[173] - the EDPB finds the concerns expressed on specific deterrence both ‘substantial and plausible’ in the sense of the EDPB Guidelines on RRO[174].

75. Meta IE dismisses as mere speculation the concerns articulated by the AT SA, DE SAs, ES SA and FR SA about the precedent the Draft Decision sets in terms of use of corrective powers as general deterrent[175]. The EDPB recalls that any risk assessment addresses future outcomes, which are to some degree uncertain. The EDPB finds the objections reflect specifically on the likely effects of the Draft Decision on other controllers, weighing the expected costs and gains of compliance, and thus go beyond mere speculation[176].

76. In summary, the EDPB finds that the AT SA, DE SAs, ES SA and FR SA clearly articulate why an adverse effect on the rights and freedoms of data subjects would be produced if the Draft Decision is left unchanged. These concerns entail a reflection on a failure to guarantee a high level of protection under EU law for the rights and interests of the individuals[177]. Therefore, the EDPB finds that AT SA, DE SAs, ES SA and FR SA clearly demonstrate the significance of the risks to the data subjects posed by the Draft Decision.

77. Considering the above, the EDPB finds that the aforementioned objections of the AT SA, DE SAs, ES SA and FR SA are relevant and reasoned pursuant to Article 4(24) GDPR.

4.4.2 Assessment on the merits

78. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether the envisaged action in the Draft Decision with regard to the controller complies with the GDPR. The EDPB considers that the objections found to be relevant and reasoned in this section, raised by the AT SA, DE SAs, ES SA, and FR SA, requested the IE SA to exercise its power to impose an administrative fine and propose the imposition of corrective measures in addition to the ones proposed in the LSA’s Draft Decision. When assessing the merits of the objection raised, the EDPB also takes into account Meta IE’s position on the objection and its submissions.

79. The EDPB is therefore required to assess whether the IE SA’s proposal in the Draft Decision not to impose an administrative fine pursuant to Article 58(2)(i) GDPR for the infringement by Meta IE of Article 46(1) GDPR is in accordance with the GDPR. Meta IE’s position ‘is that the DPC exercised its discretion properly in the Draft Decision in deciding not to impose an administrative fine on Meta Ireland’[178].

80. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines, as highlighted by Recital 150 GDPR[179]. This is the case, among others, in situations where the relevant and reasoned objections challenge the decision by the LSA not to propose the imposition of an administrative fine (and propose the imposition of additional corrective measures[180]) and in situations where a relevant and reasoned objection challenges the elements relied upon by the LSA to calculate the amount of the fine[181].

81. Meta IE considers that the LSA has sole discretion to determine the appropriate corrective measure and that Article 65(1) GDPR does not confer competence to the EDPB to instruct the LSA to impose an administrative fine[182]. According to Meta IE, it would be contrary to Articles 4(24) and 58(2)(i) GDPR ‘for the CSAs and/or the EDPB to seek to substitute their own views of the corrective measures for those of the [IE SA]’[183]. In this respect, the EDPB highlights that the views of Meta IE amount to a misunderstanding of the GDPR one-stop-shop mechanism and of the shared competences of the CSAs. The GDPR requires supervisory authorities to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the Regulation[184]. Pursuant to Articles 56(1) and 60(1) GDPR, in cross-border cases, the LSA shall cooperate with the other CSAs in an endeavour to reach consensus. Considering that in such cases the final decision of the LSA has cross-border effects (potentially across the entire EEA), consensus should also be reached with regard to the appropriate corrective measures. While the LSA is the authority that can ultimately exercise the corrective powers listed in Article 58(2) GDPR, this cannot diminish the role of the CSAs within the cooperation procedure or the role of the EDPB in the consistency procedure[185].

82. The CSAs may raise an objection on the existing or missing corrective measures in the Draft Decision when, in their view, the envisaged action does not comply with the GDPR, in which case they should indicate which action they believe would be appropriate for the LSA to include taking into consideration the risks at stake[186]. The dispute resolution competence of the EDPB covers ‘all the matters which are the subject of the relevant and reasoned objections’[187]. Therefore, in case of disagreement, the consistency mechanism may also be used to promote a consistent application by the supervisory authorities of their corrective powers, taking into account the range of powers listed in Article 58(2) GDPR[188], when a relevant and reasoned objection questions the action(s) envisaged by the Draft Decision vis-à-vis the controller/processor, or the absence thereof.

83. In accordance with Article 58(2) GDPR, the imposition of administrative fines pursuant to Article 83 GDPR is only one of the corrective powers vested with the SAs. The wording ‘in addition to, or instead of’ in Article 58(2)(i) makes it clear that different corrective measures can be combined, as long as the requirements of Article 83 GDPR are met. Nevertheless, it should be borne in mind that, as highlighted by the WP29, ‘Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58 [GDPR]’[189].

84. The EDPB takes note of Meta IE’s views that ‘the GDPR does not mandate the imposition of fines in any particular circumstances’[190]. The EDPB concurs that the decision to impose an administrative fine needs to be taken on a case-by-case basis, in light of the circumstances of each individual case, as mentioned in Recital 129 GDPR and Article 58(2)(i) GDPR[191]. It is clear from the wording of Article 83(2) GDPR that the factors listed thereunder are meant not only to enable the SAs to calculate the amount of the administrative fine in each individual case, but also to decide ‘whether to impose an administrative fine’ in the first place. Thus, the EDPB fully agrees with the DE SAs’ view that the criteria set out in Article 83(2) GDPR ‘influence the discretion to issue an administrative fine’[192]. Where a supervisory authority decides to impose an administrative fine on the basis of Article 83(2) GDPR, it should also make sure that the requirements of Article 83(1) GDPR are fulfilled.

85. In light of the above, the EDPB will first examine the application of the relevant criteria under Article 83(2) GDPR. The main elements to be taken into account when assessing the application of Article 83(2) GDPR were already established in the EDPB Guidelines on Administrative Fines, and the complementary EDPB Guidelines on the calculation of fines under the GDPR[193].

86. In this regard, the EDPB notes that in the Draft Decision the IE SA mentions that it has ‘carefully considered the criteria set out in GDPR Article 83(2)(a)-(k)’[194] without providing further details. In the context of exchanges between the EDPB Secretariat and the IE SA in the context of the analysis of the completeness of the file, aimed at ensuring that all relevant elements and documents (e.g. concerning the IE SA’s position on this matter) were available to the EDPB to support its decision-making[195], the IE SA confirmed that no further documentation on its consideration of the criteria had to be added as all documents relating to this issue were already included in the file transmitted to the Secretariat.

87. On the basis of the available and relevant documents and taking into account the relevant and reasoned objections raised, the EDPB proceeds with an assessment of the criteria under Article 83(2) GDPR as applicable to the case at hand. As further described below, the overall analysis of the relevant factors listed in Article 83(2) GDPR demonstrates the need to impose an administrative fine for the identified infringement of Article 46(1) GDPR.

88. Article 83(2) GDPR ‘provides a list of criteria the supervisory authorities are expected to use in the assessment both of whether a fine should be imposed and of the amount of the fine’[196]: as explained in the EDPB Guidelines on Administrative Fines, this does not consist in ‘a repeated assessment of the same criteria, but an assessment that takes into account all the circumstances of each individual case’, and the ‘conclusions reached in the first stage of the assessment may be used in the second part concerning the amount of the fine, thereby avoiding the need to assess using the same criteria twice’[197].

On the nature, gravity and duration of the infringement (Article 83(2)(a) GDPR)

89. Pursuant to Article 83(2)(a) GDPR, when assessing the nature, gravity and duration of the infringement, the SA shall give due regard to the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered.

90. With regard to the nature and gravity of the infringement, Meta IE argues that account has to be taken of the ‘highly unusual circumstances of the alleged infringement of Article 46(1) GDPR’ and in particular that ‘Meta Ireland has always made the Meta Ireland Data Transfers in good faith’[198]. The EDPB considers that this argument relates to Article 83(2)(b) GDPR rather than to Article 83(2)(a) GDPR and will examine it below.

91. In its Draft Decision, when assessing the imposition of corrective measures for the established infringement of Article 46(1) GDPR, the IE SA underlines that ‘the deficiencies in US law identified by the CJEU have not been addressed by the SCCs or supplemental measures, that a derogation under GDPR Article 49(1) is not available to Meta Ireland, and that the Data Transfers have been found to give rise to a breach of the essence of one or more fundamental rights’[199]. In this regard, the EDPB highlights that an infringement giving rise to a breach of the essence of a fundamental right shall be considered as a grave one. In addition, the EDPB agrees with the arguments put forward by the AT SA, DE SAs, ES SA and FR SA, which consider that the infringement is particularly serious[200]. More specifically, according to the ES SA, the FB International Transfers ‘are not occasional or sporadic’ but ‘systematic, mass, repetitive and continuous in nature’[201]. Likewise, the AT SA considers that Meta IE has been substantially and continuously violating data subject rights for several years[202]. In the FR SA’s view, the breach is particularly serious in terms of the data subjects’ privacy[203]. The DE SAs refer to the large number of data subjects concerned, the long period of the infringement and the scope of the processing[204].

92. Regarding the nature, scope and purpose of the processing concerned, the EDPB takes note of Meta IE’s description of the processing as being ‘simply the transfer of Meta Ireland User Data by Meta Ireland to its processor, MPI, in the US for the purpose of supporting Meta Ireland in its provision of the Facebook Service to Meta Ireland Users’[205]. Specifically concerning the scope, Meta IE considers that the scale of the processing is not a relevant factor to assess whether to impose an administrative fine[206]. Notwithstanding, the EDPB finds that Article 83(2)(a) GDPR entails that the scope or scale of the processing is a relevant factor when deciding whether to impose an administrative fine. More particularly, the EDPB recalls that the processing at stake has a particularly large scope and agrees with the DE SAs’ view that the ‘context of data processing extents to huge amounts of social interactions generated by these data subjects each and every day for the past and ongoing’[207]. This is confirmed by the IE SA itself, which describes the transfers as ‘systematic, bulk, repetitive and ongoing’ throughout Section 8 of the Draft Decision[208].

93. As to the number of data subjects affected, the EDPB considers the DE SAs’ observation that Meta IE has ‘309 million daily active users in Europe’[209] and that therefore ‘a large share of the entire population of the European Union is directly affected by the non-compliance’ of Meta IE[210] is particularly relevant. The same is supported by the FR and AT SAs, which also correctly observe that a ‘particularly massive volume of data’ is at stake ‘since the Facebook service has millions of users in the European Union’[211] and that ‘Meta is the provider of the biggest global social media network with an enormous number of users within the European Union and thus affected persons’[212].

94. Meta IE does not dispute the fact that ‘a large number of data subjects have been involved’ as the Facebook Service is used by a very high number of users[213]. In its submissions on the Preliminary Draft Decision, Meta IE itself explains that ‘Since its introduction in 2004, the Facebook Service has become an extremely popular and well-known online global communication and content sharing service, used by approximately 2.85 billion users globally every month to share and access information and connect with others around the world. This includes more than 255 million individual users in the EU / EEA’[214]. However, according to Meta IE, ‘the fact that personal data of a large number of data subjects have been involved in the Meta Ireland Data Transfers does not equate to a large number of data subjects being “affected” for the purpose of Article 83(1)(a) GDPR’[215]. It further argues that ‘There was always only an extremely limited practical risk of alleged interference with Meta Ireland Users’ data protection and redress rights as a result of the Meta Ireland Data Transfer, and any such risk only involved an extremely limited number of Meta Ireland Users’[216].

95. The EDPB cannot agree with Meta IE’s arguments. As explained in the EDPB Guidelines on calculation of fines, the number of data subjects affected should mean ‘concretely but also potentially affected’[217]. In other words, ‘affected’ data subjects are not only data subjects whose accounts have been subject to access requests, but also data subjects whose accounts could have been subject to access requests[218]. The EDPB recalls that, at the time of this dispute resolution procedure, the infringement is still ongoing, which means that the personal data of Facebook users is transferred to and processed in the US without appropriate safeguards, as required by Article 46(1) GDPR.

96. Therefore, the EDPB concludes that a very high number of data subjects is affected and this already high number can keep increasing until the infringement is effectively brought to an end.

97. Regarding the duration of the infringement, the DE SAs and AT SA stress that it has been ongoing for several years, which they see as an aggravating factor[219]. According to the AT SA, the duration of the infringement resulted in data subjects’ rights being ‘substantially and continuously violated’[220]. The DE SAs point out that ‘the duration of the infringement for the data subjects extents to even before GDPR with the previous regimen with the same legal obligations for controllers’[221]. The DE SAs further highlight that ‘the data processing of the undertaking is under scrutiny of supervisory authorities since about ten years’[222]. Meta IE responds to this by stressing that the inquiry only concerns the period since the GDPR became applicable[223].

98. The EDPB takes note of the IE SA’s explanation that the purpose of the Draft Decision is ‘to consider whether Meta Ireland is acting […] compatibly with GDPR Article 46(1), in making transfers […] of personal data relating […] to Meta US pursuant to standard contractual clauses […], following the judgment of the Court of Justice of the European Union (“the CJEU”), delivered on 16 July 2020, in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems’[224]. The EDPB also notes that no CSA raised objections concerning the temporal scope of the Draft Decision. Therefore, the starting point of the infringement at stake should be determined on the basis of the description made in the Draft Decision only, i.e. from 16 July 2020 (date of the adoption of the Schrems II judgment). The EDPB considers that this duration of infringement is significant and has to be taken into account when deciding whether an administrative fine should be imposed.

99. As a conclusion, the EDPB considers that, taking into account the nature and scope of the processing, as well as the very high number of data subjects affected, Meta IE committed an infringement of significant nature, gravity and duration. Therefore, this criterion has to be taken into account when deciding whether an administrative fine should be imposed.

On the intentional or negligent character of the infringement (Article 83(2)(b) GDPR)

100. Article 83(2) GDPR mentions, among the factors to be taken into account when deciding the imposition and amount of an administrative fine, ‘the intentional or negligent character of the infringement’. Recital 148 GDPR also requires that due regard be given to the ‘intentional character of the infringement’.

101. Meta IE agrees with the IE SA’s conclusion that the FB International Transfers were made by Meta IE in good faith because it has implemented supplemental measures in addition to the 2021 SCCs, and has believed that, in the alternative, it was entitled to rely on Article 49 GDPR[225]. Meta IE argues that the IE SA’s finding that Meta IE made the FB International Transfers in good faith is a factual finding on the basis of which the EDPB must make its decision[226] and which is not the subject of any objection by the CSAs[227].

102. The EDPB cannot agree with Meta IE’s arguments. The IE SA found that Meta IE has relied on SCCs and, alternatively on the derogations under Article 49 GDPR and concluded that Meta IE acted ‘in good faith’. The EDPB notes that this conclusion is, contrary to what Meta IE argues, the subject of the objections and hence of the dispute. As previously explained in Section 4.2 of this Binding Decision, all the objections raised by CSAs on the matter of the imposition of an administrative fine express views on the intentionality of the infringement and disagree with the assessment that Meta IE acted in good faith when carrying out the FB International Transfers. More specifically, the FR SA argued the infringement had an ‘intentional character’ as it was ‘committed deliberately by the company’[228]. The ES SA also mentions that Meta IE ‘has been in breach of the GDPR despite its knowledge [since the Schrems II judgment]’ that the FB International Transfers would trigger a breach of the GDPR[229]. The DE SAs also argue that Meta IE acted intentionally or at least - as argued by the AT SA - with dolus eventualis[230]. These statements included in the objections amount to disagreements with the finding that Meta IE acted in good faith in carrying out the FB International Transfers.

103. As already clarified in the EDPB Guidelines on Administrative Fines, ‘in general, intent includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas “unintentional” means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law’[231]. In other words, the EDPB Guidelines on calculation of fines confirm that there are two cumulative elements on the basis of which an infringement can be considered intentional: the knowledge of the breach and the wilfulness in relation to such act[232]. On the other hand, an infringement is ‘unintentional’ when there was a breach of the duty of care, without having intentionally caused the infringement[233]. The EDPB also recalls that the intentional or negligent character of the infringement ‘should be assessed taking into account the objective elements of conduct gathered from the facts of the case’ and that ‘depending on the circumstances of the case, the supervisory authority may also attach weight to the degree of negligence’[234].

104. The EDPB notes and agrees with the DE SAs’ observation that Meta IE has been ‘under scrutiny of supervisory authorities since about ten years’[235]: the two landmark judgments issued by the CJEU in 2015 and in 2020 were also issued in cases concerning this same company. Indeed, as recalled by the IE SA in the Draft Decision, the original complaint against Meta IE which contended that the transfer of personal data by Meta IE to Meta Platforms, Inc., in reliance on the ‘Safe Harbor’ adequacy decision, was unlawful[236] and which led to judicial proceedings in Ireland and then to the preliminary ruling of the CJEU in 2015 in the case C-362/14, Schrems v Data Protection Commissioner (‘Schrems I judgment’)[237], was filed by Schrems with the IE SA on 25 June 2013[238]. The Schrems II Judgment, as previously mentioned, was handed down by the CJEU on 16 July 2020. Following the IE SA Preliminary Draft Decision of 28 August 2020 and the opening of inquiry IN 20-8-1, Meta IE commenced judicial proceedings against the IE SA[239].

105. In addition, the EDPB takes note of Section 7 of the Draft Decision, where the IE SA first sets out the framework of its assessment and then examines in detail the lawfulness of the transfers, by following the terms of Article 46(1) GDPR as reflected by the Schrems II Judgment. The EDPB also takes note of the IE SA’s assessment in Section 8 of the Draft Decision and the conclusion that it is ‘not open to Meta Ireland to rely on the derogations at Article 49(1) (or any of them) to justify the systematic, bulk, repetitive and ongoing transfers of its users’ data from the EU to the US’.

106. The EDPB recalls the IE SA’s conclusion that the 2021 SCCs Meta IE relied upon to carry out the FB International Transfers[240] could not remedy the inadequate protection afforded by US law[241]. The EDPB also notes that the IE SA examined in detail the question of whether Meta IE has put in place supplementary measures that could address the insufficiencies of the protection provided by US Law and its conclusion that this is not the case[242].

107. As explained by the EDPB in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (hereinafter ‘EDPB Recommendations on Supplementary Measures’)[243], when assessing third countries and identifying appropriate supplementary measures, controllers should assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools that they are relying on[244]. In this regard, the EDPB notes that, according to Meta IE’s assessment, ‘the level of protection required by EU law is provided for by relevant US law and practice’ and that Meta IE implemented supplementary measures in addition to the 2021 SCCs in order to ‘further ensure that an adequate level of protection continues to apply to User Data transferred from FIL to FB, Inc’[245]. In other words, Meta IE has implemented supplementary measures on the basis of an assessment which concluded that there was no need for such measures, since, in Meta IE’s view, the relevant US law and practice were already providing a level of protection equivalent to the one provided under EU law[246].

108. Moreover, the EDPB highlights the IE SA’s concern that Meta IE’s submissions ‘seem to simply ignore the ruling of the CJEU’[247] and ‘that Meta Ireland is seeking to promote a lower standard for the objective of SCCs and supplemental measures than is permitted by the Judgment and the GDPR’[248]. More specifically, the IE SA notes that Meta IE ‘seems to identify its own test for determining suitability of supplemental measures by lowering the standard to include measures that can “address” or “mitigate” any “relevant remaining” inadequacies in the protections offered by US law and practice and the SCCs’[249], and concludes in the Draft Decision that ‘Meta Ireland does not have in place any supplemental measures which would compensate for the inadequate protection provided by US law’[250].

109. Considering the detailed assessment of the US legal system by the CJEU in the Schrems II judgment, the series of steps to follow, sources of information and examples of supplementary measures provided in the EDPB Recommendations on Supplementary Measures, as well as the IE SA’s findings in the Preliminary Draft Decision[251] and Revised Preliminary Draft Decision[252] which were shared with Meta IE prior to the Draft Decision, the EDPB takes the view that Meta IE could not have been unaware of the fact that the FB International Transfers could be considered in violation of Article 46(1) GDPR.

110. In light of the above, the EDPB concludes that there are sufficient indications that Meta IE committed the infringement of Article 46(1) GDPR knowingly.

111. Additionally, with respect to the finding of the IE SA that reliance on Article 49 GDPR was not open to Meta IE for the purpose of carrying out the FB International Transfers, the EDPB is of the view that at the very least Meta IE could not have been unaware of the guidance of the EDPB and of the findings of the CJEU that the derogations cannot be relied upon for systematic and massive transfers and have to be strictly construed[253].

112. As regards the ‘wilfulness’ component of intent, the EDPB recalls that the CJEU has established a high threshold in order to consider an act intentional[254]. The EDPB has previously recalled that even in criminal proceedings, the CJEU has acknowledged the existence of ‘serious negligence’, rather than ‘intentionality’ when ‘the person responsible commits a patent breach of the duty of care which he should have and could have complied with in view of his attributes, knowledge, abilities and individual situation’[255]. Although a company for which the processing of personal data is at the core of its business activities is expected to have sufficient measures in place for the safeguard of personal data and for the thorough understanding of its duties in this regard, this does not per se demonstrate the wilfulness of an infringement[256]. In this regard, the EDPB notes that Meta IE has taken steps in order to achieve compliance with Chapter V of the GDPR following the Schrems II judgment[257], but these steps were not sufficient to achieve compliance as established by the Draft Decision. Consequently, the EDPB takes the view that, on the basis of the objective elements in the case file, ‘wilfulness’ on the side of Meta IE is not fully demonstrated.

113. Nevertheless, the EDPB stresses that Meta IE’s position that the relevant US law and practice were already providing a level of protection equivalent to the one provided under EU law in spite of the Schrems II judgment[258], the lower standard applied by Meta IE when implementing the SCCs and supplementary measures, as well as the subsequent failure to implement supplementary measures that were aimed to compensate (and could compensate) for the inadequate protection provided by US law (rather than address or mitigate ‘any relevant remaining inadequacies in the protection afforded by US law and practice’[259], as argued by Meta IE[260]), indicate a very high degree of negligence on the side of Meta IE. As the IE SA correctly recalls, ‘the terms “mitigate” and “address” cannot be found in either the Judgment or the GDPR’[261]. In addition, the EDPB notes that Meta IE contests the IE SA’s interpretation of the Schrems II judgment and of the test for determining suitability of supplementary measures not only in its submissions on the Preliminary Draft Decision, but also in its submissions on the Revised Preliminary Draft Decision[262]. Therefore, it appears that, by not applying the correct test for determining the suitability of supplementary measures in spite of the clear requirement that the appropriate safeguards to be taken by the controller must ‘compensate for’ the lack of data protection in the third country[263], Meta IE breached its duty of care and acted at least with the highest degree of negligence.

114. This is the case also in light of the arguments brought by the AT SA and DE SAs[264] that Meta IE has acted at least with conditional intent (dolus eventualis) ‘since it must have seriously considered a violation of Chapter V GDPR when carrying out data transfers’[265]. The EDPB has previously explained that ‘Depending on the circumstances of the case, the supervisory authority may also attach weight to the degree of negligence’[266].

115. In light of the above, the EDPB takes the view that Meta IE committed the infringement at least with the highest degree of negligence and this has to be taken into account when deciding whether an administrative fine should be imposed.

On the degree of responsibility of the controller taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32 (Article 83(2)(d) GDPR)

116. The EDPB recalls that, pursuant to Article 83(2)(d) GDPR, the degree of responsibility of the controller or processor will have to be assessed, taking into account measures implemented by them to meet the requirements of data protection by design and by default (Article 25 GDPR) and of security of processing (Article 32 GDPR). More specifically, the EDPB has explained that ‘the question that the supervisory authority must then answer is to what extent the controller “did what it could be expected to do” given the nature, the purposes or the size of the processing, seen in light of the obligations imposed on them by the Regulation’[267]. In addition, the residual risk for the freedoms and rights of the data subjects, the impairment caused to the data subjects and the damage persisting after the adoption of the measures by the controller as well as the degree of robustness of the measures adopted pursuant to Articles 25 and 32 GDPR must be assessed[268].

117. The EDPB has also explained that, given the increased level of accountability under the GDPR, it is likely that this factor will be considered either an aggravating or a neutral one[269]. Only in exceptional circumstances, where the controller or processor has gone above and beyond the obligations imposed upon them, will this be considered a mitigating factor[270].

118. Meta IE argues that ‘the issue regarding EU-US data transfers is fundamentally one of a “conflict of laws” between the EU and the US[271]’ and that it has conducted all appropriate assessments, maintained all documentation and taken all steps available to it as soon as possible, such as entering into the 2021 SCCs[272].

119. The EDPB considers that these arguments have no bearing on the degree of responsibility of Meta IE in the present case.

120. It is clear from Article 25(1) GDPR that the controller is under an obligation, both at the time of the determination of the means for processing and at the time of the processing itself, to implement appropriate technical and organisational measures designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. In addition, Article 32(1) GDPR lays down an obligation for the controller, by taking into account a number of factors, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of natural persons. Article 32(2) GDPR further specifies that, in assessing the level of security, account shall be taken in particular of the risks that are presented by processing, in particular from […] unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

121. In this regard, the EDPB recalls that the IE SA carries out a detailed assessment of whether Meta IE implemented supplementary measures that could address the inadequate protection provided by US law[273]. More specifically, the IE SA analyses the organisational, technical and legal measures implemented by Meta IE and concludes that these measures cannot, ‘whether viewed in isolation, or in tandem with the 2021 SCCs and the full suite of measures outlined in the ROS’, compensate for the deficiencies identified in US law and cannot provide essentially equivalent protection to that available under EU law[274].

122. This results in a high residual risk for the rights and freedoms of the data subjects concerned, because, as highlighted by the IE SA, data subjects are still not protected against 702 FISA DOWNSTREAM (PRISM) requests and Meta US would still be required to disclose its users’ personal data, if requested by the US Government[275].

123. It is relevant also to recall that the EDPB Recommendations 1/2020 clarified that controllers may have to apply some or all of the measures described therein even irrespective of the level of protection provided for by the laws applicable to the data importer because they need to comply with Articles 25 and 32 GDPR in the concrete circumstances of the transfers[276].

124. Against this background, the EDPB recalls the DE SAs’ view that, considering the amount of data processed, ‘the responsibility may have been heightened above average’[277]. The EDPB also finds particularly relevant the FR SA’s observation that the Facebook social network occupies an ‘inescapable place in France’ since it ‘dominates by far the social media market’ and, due to its dominant position, generates important ‘network effects’[278]. The EDPB considers that this is the case not only in France, but in the EEA in general. In addition, the Facebook service is provided to many users who do not necessarily have legal or technical knowledge[279]. These users rely on the information published by Meta IE and therefore would reasonably expect that their personal data is protected when it is transferred to the US[280]. Finally, the EDPB concurs with the FR SA’s view that ‘in parallel with its traditional function of maintaining and developing interpersonal relationships, this social network also occupies an increasingly larger role in areas as diverse as access to information, public debate or even civil security’[281].

125. In light of the above considerations, the EDPB takes the view that there are enough elements in the analysis of this factor which confirm Meta IE’s high degree of responsibility. Therefore, this factor has to be taken into account when deciding whether to impose an administrative fine.

Any relevant previous infringements by the controller (Article 83(2)(e) GDPR)

126. The EDPB recalls that, according to Article 83(2)(e) GDPR and Recital 148 GDPR, any relevant previous infringements committed by the controller or processor are to be given due regard when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine. In addition, the absence of any previous infringements cannot be considered a mitigating factor, as compliance with the GDPR is the norm and if there are no previous infringements, this factor can be regarded as neutral[282]. The EDPB has already explained that prior infringements are relevant as they might provide an indication about the controller’s general attitude towards the observance of the GDPR[283] and that recent infringements under the GDPR have more significance than infringements that have taken place a long time ago[284].

127. In this regard, the EDPB notes the AT SA’s remark that ‘it is not the first case where the DPC has established a violation of the GDPR by Meta Ireland’[285]. The AT SA Objection does not make reference to specific cases where the IE SA has established a violation of the GDPR by Meta IE, but it is possible to recall in particular the IE SA’s decisions[286] adopted following EDPB Binding Decisions 2/2022 of 28 July 2022 and 3/2022 and 4/2022 of 5 December 2022 where the IE SA found that Meta IE breached the GDPR[287]. The EDPB recalls that at the time when the Draft Decision was circulated to the CSAs, the IE SA’s final decision in these cases had not yet been adopted. Therefore, nothing arises to be taken into account here when deciding whether an administrative fine should be imposed on Meta IE.

On the categories of personal data affected by the infringement (Article 83(2)(g) GDPR)

128. Concerning the requirement to take account of the categories of personal data affected under Article 83(2)(g) GDPR, the EDPB recalls that the GDPR clearly highlights the types of data that deserve special protection and therefore a stricter response in terms of fines[288]. The EDPB has already explained that categories of personal data deserving a stricter response in terms of fines include at the very least, the types of data covered by Articles 9 and 10 GDPR, and data outside the scope of these Articles the dissemination of which causes immediate damages or distress to the data subject, such as location data, data on private communication, national identification numbers, or financial data[289].

129. The EDPB takes note of the large number of categories of personal data transferred to the US, as outlined in the Draft Decision[290]. More specifically, Part A of Appendix 1 to the Meta US’s Data Transfer and Processing Agreement of 25 May 2018 mentions: ‘the personal data generated, shared and uploaded by or about individuals who visit, access, use or otherwise interact with the products and services of the data exporter (including Facebook and Instagram); information related to the things users do and the information users provide when using the services (such as profile information, posted photos and videos, shared location information, communications between users, and related information about use of the products and services); information related to the data subjects that other users of the products and services provide (such as a user’s imported contacts or photos); information related to users’ networks and connections (such as a user’s connections to groups, pages, and other users); information related to payments (such as information related to purchases or financial transactions); information about devices (such as information from or about the computers, phones or other devices where users install software provided by, or that access products and services of, the data exporter); information from websites and apps that use products and services of the data exporter (such as information about visits to third-party websites or apps that use a “like” or “comment” button or other service integrations); and information from third-party partners (such as information related to jointly offered services or use of third party services); and information from affiliates of Facebook and companies in the Facebook family of companies’[291].

130. As raised by some of the objections, it is therefore clear that the FB International Transfers found to be violating the GDPR concern personal data including ‘photographs, videos or messages’[292] and ‘everyday data of social interactions with family, friends, acquaintances and others’[293]. Of particular relevance is the DE SAs’ view that ‘a map of social contacts is very interesting for foreign law enforcement and intelligence’, and that the transferred data allows ‘not only to infer many matters of private and professional lives, but also allows to infer further data, including emotional and mental states’ and ‘can also be misused for political manipulation’[294].

131. In the same document it is also specified that special categories of data in the meaning of Article 9 GDPR are transferred[295]. It is therefore clear that the FB International Transfers found to be violating the GDPR concern personal data including special categories of personal data, as also noted by the objections[296].

132. Meta IE argues that ‘a large number of categories of data being involved’ in the transfers does ‘not equate to a large number of categories of personal data being “affected” by the (alleged infringement)’[297]. However, for the reasons already explained in paragraphs 94 to 96 of this Binding Decision, the EDPB cannot accept this argument.

133. In light of the above assessment, the EDPB considers that a large number of categories of personal data have been affected by the infringement, including special categories of personal data under Article 9 GDPR. Therefore, this factor has to be taken into account when deciding on whether a fine should be imposed.

On the manner in which the infringement became known to the supervisory authorities (Article 83(2)(h) GDPR)

134. The DE SAs consider relevant that ‘the infringement became known to the supervisory authority by a submission of a data subject, not by chance or report by the controller itself’[298]. In this regard, Meta IE responds that ‘The proposed finding of infringement arises from this own-volition inquiry. As noted above, however, Meta Ireland does not consider that there has been (or is) any infringement, and so never notified the alleged infringement to the DPC’[299].

135. The EDPB notes that the Inquiry is an own-volition inquiry, and not a complaint-based one[300]. In any case, the EDPB considers that, as a rule, the circumstance that the infringement became known to the supervisory authority by a complaint or an investigation should be considered as neutral[301]. The objections do not put forward reasons that would justify a departure from this rule in the present case.

136. Therefore, the EDPB is of the view that nothing arises to be taken into account here when deciding whether an administrative fine should be imposed on Meta IE.

On any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement (Article 83(2)(k) GDPR)

137. As the EDPB has previously explained, Article 83(2)(k) GDPR gives the supervisory authority room to take into account any other aggravating or mitigating factors applicable to the circumstances of the case in order to ensure that the sanction applied is effective, proportionate and dissuasive in each individual case[302]. For example, financial benefits gained, or losses avoided, directly or indirectly, from the infringement should be taken into account when deciding whether an administrative fine should be imposed. In addition, the EDPB recalls that the scope of Article 83(2)(k) GDPR is necessarily open-ended and should include all the reasoned considerations regarding the socio-economic context in which the controller or processor operates, those relating to the legal context and those concerning the market context[303]. More specifically, economic gain from the infringement could be an aggravating circumstance if the case provides information about profit obtained as a result of the infringement of the GDPR[304].

138. The DE SAs provide an overview of the Meta Group’s financial position - of which Meta IE is a part - in order to illustrate Meta IE’s high profitability[305]. In the DE SAs’ view, Meta IE’s turnover would not be possible without the data transfers to the US ‘as it is a result of processing the data cumulatively by one infrastructure from different markets with all effectivity and efficiency that results from that’[306]. However, according to the DE SAs, Meta IE has not made an effort to ‘reinvest this turnover in order to withdraw the data from the US’ and to ‘build up data centres in the EU’ which, in their view, allowed Meta IE to directly benefit from its own non-compliance and non-action to establish compliance[307]. The DE SAs argue that ‘the considerable economic and financial capacity should be taken into account when calculating the fine […] even if there would be no specific financial benefit gained with the infringement or where it could not be determined and/or calculated’[308].

139. Meta IE responds to this by arguing that it has ‘invested significantly in data centres’ and already operated ones in the EU to support the provision of the Facebook service, but ‘cannot “localise” the Facebook Service to support Meta Ireland Users solely from servers in the EU’[309]. In addition, as noted by the IE SA in the Draft Decision, Meta IE’s position is that, if it cannot make the FB International Transfers, it would not be in a position to provide its services in the EU/EEA[310]. Meta IE explains that this is due to ‘the inherently global, interconnected nature of the Facebook Service and the highly complex technical infrastructure that has been developed to support it’[311].

140. Given that Meta IE acknowledges that it would not be able to offer its services in the EU/EEA without performing the transfers, it can be inferred that transferring the data to the US in a way that infringes the GDPR is inextricably linked to the provision of the service to EU/EEA individuals. In this regard, the EDPB recalls that it is the business model which must adapt itself and comply with the requirements that the GDPR sets out in general and for each of the legal bases and not the reverse[312]. Moreover, Meta IE indicates that the suspension order proposed by the IE SA would have ‘severe consequences’ for Meta IE[313] and ‘would clearly have a devastating impact on FIL’s business, revenue and employees’[314], which also suggests that a considerable part of its profits derived from the provision of the service in the EU arises from the breach of the GDPR.

***

141. In summary, with respect to the assessment of the factors under Article 83(2) GDPR, the EDPB takes the view that, taking into account the scope of the processing, as well as the very high number of data subjects affected, Meta IE committed an infringement of significant nature, gravity and duration. The EDPB also recalls its view that Meta IE committed the infringement at least with the highest degree of negligence, that a wide range of categories of personal data have been affected by the infringement, including special categories of personal data under Article 9 GDPR, and that the provision of the service by Meta IE in the EU is inextricably linked to the breach of the GDPR.

142. The analysis of the relevant factors under Article 83(2) GDPR speaks in favour of the need to impose an administrative fine. Now the EDPB proceeds with an assessment of the criteria under Article 83(1) GDPR.

***

The application of the criteria under Article 83(1) GDPR, in particular effectiveness and dissuasiveness

143. The EDPB recalls that the administrative fine to be imposed in addition to the suspension order needs to be ‘effective, proportionate and dissuasive’ in accordance with Article 83(1) GDPR, which, read in conjunction with Recital 148 GDPR, makes it clear that the imposition of effective, proportionate and dissuasive fines is a means to achieve the more general objective of effective enforcement of the GDPR.

144. As previously mentioned, the IE SA in its Draft Decision takes the view that the imposition of an administrative fine in addition to a suspension order ‘would not be “effective, proportionate and dissuasive”’ as required by Article 83(1) GDPR and ‘would not render the DPC’s response to the findings of unlawfulness any more effective’[315]. In its Composite Response, the IE SA also notes that the objections and comments received by the CSAs ‘broadly focus on concerns of deterrence and effectiveness’[316].

145. In Meta IE’s view, the imposition of an administrative fine ‘would not be “appropriate, necessary and proportionate”, as required by Recital 129 GDPR’ and as explained in the IE SA’s Draft Decision[317].

146. The DE SAs, FR SA, ES SA and AT SA all raise concerns with regard to the effectiveness and dissuasiveness of the measures proposed by the Draft Decision and consider that the imposition of a fine is necessary in order to meet the requirements of effectiveness and dissuasiveness under Article 83(1) GDPR[318].

147. As explained in the EDPB Guidelines on calculation of fines, a fine can be considered effective if it achieves the objectives with which it was imposed[319]. The same reasoning applies to the choice of corrective measures under the GDPR in general. The EDPB recalls that the objective pursued by the corrective measure chosen can be to re-establish compliance with the rules, or to punish unlawful behaviour, or both[320]. In addition, in accordance with Recital 148 GDPR, penalties including administrative fines should also be imposed ‘in order to strengthen the enforcement of the rules of this Regulation’. As to dissuasiveness, the EDPB consistently recalls that a dissuasive fine is one that has a genuine deterrent effect[321].

148. The EDPB agrees with the ES and FR SAs’ view that the suspension order proposed by the IE SA has a forward-looking nature, while an administrative fine would have a punitive effect with regard to the already committed or ongoing infringements[322]. This position is reinforced by the AT SA’s view that an administrative fine would be effective in the present case ‘for counteracting the established infringement in the past’[323]. Considering the wording of Article 58(2)(i) GDPR ‘in addition to’ and of Recital 148 GDPR ‘penalties including administrative fines’, the EDPB agrees with the ES, FR and AT SAs that the suspension order and an administrative fine would be compatible and complementary corrective measures.

149. The EDPB recalls that a fine is dissuasive where it prevents its addressees from infringing the objectives pursued and rules laid down by Union law[324]. What is decisive in this regard is not only the nature and level of the fine but also the likelihood of it being imposed - anyone who commits an infringement must fear that the fine will in fact be imposed on them[325]. In this regard, the criterion of dissuasiveness and that of effectiveness overlap, as they seek to produce similar effects[326]. This has also been confirmed by AG Geelhoed who has explained that enforcement activities are considered ‘effective’ if they create a credible probability that, in case of non-compliance, the individuals or entities concerned run a high risk of being detected but also of being imposed sanctions which would at least deprive them of any economic benefit accruing from the transgression of the legal provisions at stake[327].

150. In that respect, the EDPB recalls that a distinction can be made between general deterrence (i.e. discouraging others from committing the same infringement in the future) and specific deterrence (i.e. discouraging the addressee of the fine from committing the same infringement again)[328]. The EDPB has previously held that, in order to ensure deterrence, the fine must be set at a level that discourages both the controller or processor concerned as well as other controllers or processors carrying out similar processing operations from repeating the same or a similar unlawful conduct[329]. The EDPB notes that all of the relevant and reasoned objections raise concerns with regard to the lack of general and specific deterrence of the proposed corrective measures.

151. As regards specific deterrence, the EDPB notes that according to the AT SA, ‘Meta Ireland does not seem to have shown any efforts to refrain from transferring personal data to Meta Platforms, Inc.’ but seems instead to have ‘expressed that these data transfers are a fundamental requirement to be able to continue to provide its services in the EU/EEA area’. The AT SA derives from this that Meta IE ‘might not be prepared to stop the data transfer in question’[330]. In the same vein, the DE SAs consider that ‘the individual case at hand does not allow to conclude that Meta is sufficiently deterred’ because it has not recognised its non-compliance in the past and has not shown any form of active repentance[331]. The DE SAs are concerned that a suspension order alone would not suffice to change the overall attitude of Meta towards general data protection compliance[332].

152. The EDPB shares the AT SA’s and DE SAs’ concerns. Indeed, there is nothing in the case file that allows the EDPB to consider that the imposition of a suspension order would be sufficient to achieve the effective and dissuasive effect that a fine can produce, as required under Article 83(1) GDPR. The EDPB recalls that Meta IE argues, throughout its submissions, that the applicable US law and practices relevant to the FB International Transfers, in conjunction with the appropriate safeguards provided pursuant to the 2021 SCCs, provide the requisite protection for Meta IE users’ data for the purposes of Article 46(1) GDPR[333] and therefore disagrees with the IE SA’s finding of an infringement. The EDPB also takes note of Meta IE’s criticism of the EDPB Recommendations on Supplementary Measures and of its view that they ‘make a number of recommendations which appear to be based either on an erroneous interpretation of the CJEU Judgment and/or which seek to impose a higher standard upon data exporters seeking to rely on SCCs than the CJEU Judgment itself requires’[334]. Moreover, Meta IE itself recognises that ‘despite the TIA [Transfer Impact Assessment] being an assessment envisaged by the CJEU Judgment, the DPC did not request FIL’s assessment prior to the issue of the PDD’, so Meta IE did not present it proactively but only after the IE SA requested it[335].

153. The EDPB concurs with the FR SA’s observation that suspending the unlawful transfer and bringing the processing into compliance with the GDPR is already an obligation resulting expressly from the GDPR and the Schrems II Judgment[336]. The EDPB also agrees that the burden imposed by the suspension order is not greater than the burden which derives from the controller’s legal obligations[337] and that in the absence of a dissuasive effect arising from the final decision to be adopted by the IE SA, the controller will have no incentive to refrain from repeating its unlawful behaviour. As correctly noted by the FR SA, in the current version of the Draft Decision, ‘the only risk for a controller who fails to comply with its obligation to suspend an unlawful transfer would be that a supervisory authority would order it to do so’[338].

154. In light of the above, the EDPB considers that on the basis of Meta IE’s statements and position described in the above paragraphs, a suspension order alone would not be enough to produce the specific deterrence effect necessary to discourage Meta IE from continuing or committing again the same infringement.

155. As regards general deterrence, the EDPB agrees with the FR, DE and AT SAs’ view that it is necessary to take into account not only the effect of the corrective measures in this particular case with regard to Meta IE, but also with regard to other controllers in general. More specifically, the AT SA points out that transferring data to the US is ‘a widely used practice among numerous controllers’ and that not imposing a fine on Meta IE would send a message that past infringements of the GDPR would not be properly addressed, which would also give no incentive to other controllers to comply with the GDPR[339]. The FR SA highlights that, if an administrative fine is not imposed, other controllers transferring personal data under similar conditions as Meta IE would have no incentive to bring their transfers into conformity with the GDPR[340]. Indeed, as the AT SA notes, the imposition of an administrative fine also has an awareness-raising function among other controllers who should be given a clear signal that non-compliance with the GDPR has consequences which also cover past behaviour[341].

156. The EDPB concurs with the AT SA’s view that if Meta IE is not fined for the infringement of Article 46(1) GDPR in the present case, other controllers might conclude that ‘the cost of continuing an unlawful practice will outweigh the expected consequences of an infringement and will be less inclined to comply with the GDPR’. In the same vein, the DE SAs consider that if the only thing that the undertakings affected by the Schrems II Judgment need to fear is an order to stop future transfers, then ‘many managers might decide to just continue the transfer until they get caught’. In this regard, the EDPB recalls AG Geelhoed’s explanation that the threat of repressive action must generate sufficient pressure to make non-compliance economically unattractive and therefore to ensure that compliance with the legal rules is realised in practice[342]. In this regard, the EDPB takes note of the DE SAs’ observation that a fine would produce a deterrent effect if the costs of non-compliance with the GDPR are higher than the costs for compliance with the GDPR[343].

157. The EDPB agrees that the above-mentioned arguments are especially relevant in view of the high degree of responsibility of Meta IE as a controller. The DE SAs pointed out that Meta IE is an ‘extremely profitable’, ‘data driven undertaking’, whose turnover is ‘almost completely a direct result of Meta IE’s data processing’[344]. Therefore, it is likely that Meta IE’s behaviour has an impact on the behaviour of other controllers who would be inclined to follow the same model. The same is valid for the response of the supervisory authorities in case of an infringement - as pointed out by the DE SAs, if no fine is imposed on Meta IE by the IE SA, other controllers ‘may demand to be treated by other supervisory authorities as the DPC treated Meta’[345].

158. In light of the above, the EDPB takes the view that the imposition of an administrative fine in addition to the suspension order would have an important deterrence effect, which the imposition of a suspension order alone cannot have. The additional imposition of an administrative fine in the present case would be effective and dissuasive especially because of the punitive element concerning the infringement that has already materialised, which the suspension order proposed by the IE SA lacks.

The application of the criteria under Article 83(1) GDPR, in particular proportionality

159. The EDPB recalls that the principle of proportionality is a general principle of EU law which has been explained by the CJEU on numerous occasions. It is consistent case-law that for a measure to be proportionate, it has to pursue a legitimate objective, be appropriate for attaining this legitimate objective, and not go beyond what is necessary to achieve it[346]. More specifically, by virtue of that principle, measures imposing financial charges on economic operators are lawful provided that the measures are appropriate and necessary for meeting the objectives legitimately pursued[347]. In addition, where there is a choice between several appropriate measures, the least onerous measures must be used and the charges imposed must not be disproportionate to the aims pursued[348].

160. Therefore, the EDPB underlines that applying the principle of proportionality in the context of the present case requires a clear determination of the legitimate objective pursued by the imposition of an administrative fine in addition to the suspension order. Then, it is also necessary to ascertain that the imposition of an administrative fine in addition to the suspension order would be appropriate to attain the legitimate objective pursued and would not go beyond what is necessary in order to attain that objective. In order to assess this, due regard should be given to the circumstances of the case, as well as to the infringement viewed as a whole, account being taken, in particular, of the gravity of the infringement[349]. More specifically, the imposition of an administrative fine should be proportionate both to the severity of the infringement and to the size of the undertaking to which the entity that committed the infringement belongs[350].

161. In this regard, the EDPB agrees with the DE SAs’ and AT SA’s view that the legitimate aim (or objective) pursued by the imposition of an administrative fine in the present case is to punish unlawful behaviour in order to ensure effective enforcement of and compliance with the GDPR and hence protect the fundamental rights and freedoms of the data subjects[351].

162. As to the appropriateness (or suitability) of the measure to achieve the legitimate aim, the EDPB notes that according to Meta IE, the imposition of a fine would not be appropriate due to the complexities of this particular inquiry[352]. Meta IE refers to the IE SA’s statements in the Composite Response, and argues that ‘the imposition of an administrative fine, by way of a punitive sanction, would be anything other than a disproportionate response in the circumstances of this particular case’, especially where ‘the objective of an administrative fine is to sanction wrongdoing that has already occurred’[353].

163. The EDPB is not swayed by Meta IE’s reasoning. First, nothing in the Court’s comments in paragraph 202 of the Schrems II judgment suggests that the imposition of an administrative fine in the present case would be inappropriate: the CJEU explains that in view of Article 49 GDPR, the annulment of an adequacy decision is not liable to create a legal vacuum, because it details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) GDPR or appropriate safeguards under Article 46 GDPR. Moreover, the IE SA examines in detail the possibility for Meta IE to rely on Article 49 GDPR for the transfers and concludes that it is not open to Meta IE to rely on the derogations at Article 49(1) GDPR (or any of them)[354].

164. Second, as explained above[355], the additional imposition of an administrative fine in the present case would be effective and dissuasive precisely because of the punitive element, which the suspension order proposed by the IE SA lacks. In this regard, the DE SAs rightly highlight that the ‘effective enforcement can only be reached if the fine is effective and both special preventive and general preventive’. In the same vein, the AT SA considers that ‘to strengthen enforcement of the GDPR, an administrative fine is effective in the present case for counteracting the established infringement in the past’[356].

165. Therefore, the EDPB takes the view that, in the circumstances of the present case as described above[357], the suspension order alone cannot achieve the objective pursued, namely to punish unlawful behaviour in order to ensure effective enforcement of the GDPR. Therefore, the IE SA is not in a situation where it has ‘a choice between several appropriate measures’ putting it under an obligation to choose the least onerous one[358] because the suspension order and the fine pursue different objectives.

166. It is then necessary to assess whether the imposition of an administrative fine in addition to the suspension order would go beyond what is necessary to achieve the objective of ensuring effective enforcement of the GDPR through effective and dissuasive corrective measures.

167. The EDPB has already clarified that, in order to be effective, proportionate and dissuasive, a corrective measure should reflect the circumstances of the individual case, which include not only the specific elements of the infringement but also the specificities of the controller or processor’s position, namely their financial position, as correctly observed by the AT SA[359]. For example, the EDPB has previously recognised, in the context of the assessment of the proportionality of the fine under Article 83(1) GDPR, that an LSA can, in principle, consider a reduction on the grounds of the inability to pay the fine, if the requesting undertaking can demonstrate that its economic viability is jeopardised by the proposed fine[360]. In addition, the EDPB has recognised that the difficult economic context in which a company is operating can be a factor to take into account[361], but has also recalled that the mere finding that an undertaking is in an adverse or loss-making financial situation does not automatically warrant a reduction of the amount of the fine[362].

168. Regarding Meta IE’s size and financial capacity, the EDPB recalls the DE SAs’ observations on the size and turnover of the Meta group[363], indicating that Meta IE is, indeed, a highly profitable undertaking and the imposition of a fine would not, in itself, be a disproportionate measure. The EDPB observes that Meta IE does not invoke concrete arguments to demonstrate that the imposition of an administrative fine would be disproportionate but merely refers to the IE SA statements in the Composite Response[364]. The EDPB agrees with the ES SA’s view that in terms of proportionality, Meta IE is ‘an entity that generates huge profits, so imposing a fine taking into account the gravity of the infringement and the nature of the processing would not be disproportionate and would not cause it harm which it would not have to face as a result of acts contrary to the GDPR’[365]. The EDPB also agrees with the AT SA’s and DE SAs’ view that, considering the assessment of the relevant factors referred to in Article 83(2) GDPR, the imposition of a fine would not be disproportionate[366].

Conclusion

169. In light of the above, the EDPB concludes that, considering the assessment carried out in this Binding Decision of the relevant factors under Article 83(2) GDPR referred to in the relevant and reasoned objections, namely the factors under Article 83(2)(a), (b), (d), (g), and (k) GDPR, as well as of the criteria under Article 83(1) GDPR, the IE SA’s decision not to impose a fine for the breach by Meta IE of Article 46(1) GDPR does not comply with the GDPR. The EDPB considers that the imposition of a suspension order alone would not be sufficient to achieve the objective of effective enforcement of the GDPR.

170. Therefore, the EDPB takes the view that an administrative fine must be imposed on Meta IE for the breach of Article 46(1) GDPR.

171. In addition, the EDPB recalls that the factors under Article 83(2) GDPR also need to be given due regard by the IE SA in the calculation of the amount of the administrative fine, as the ‘conclusions reached in the first stage of the assessment may be used in the second part concerning the amount of the fine’[367].

172. The EDPB Guidelines on the calculation of administrative fines indicate that when classifying the seriousness of the infringement and identifying the appropriate starting amount of the fine, in light of the circumstances of the specific case, the SA must give due regard to the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them (Article 83(2)(a) GDPR); the intentional or negligent character of the infringement (Article 83(2)(b) GDPR); and the categories of personal data affected by the infringement (Article 83(2)(g) GDPR)[368].

173. In this regard, the EDPB recalls the gravity of the infringement at stake carried out by Meta IE, taking into account the particularly large scope of the processing and the very high number of data subjects affected[369], as well as the long duration of the infringement, which is still ongoing[370]. The EDPB also reiterates its view that Meta IE committed the infringement of Article 46(1) with at least the highest degree of negligence. In addition, the EDPB recalls that a wide range of categories of personal data are affected by the infringement, including personal data covered by Article 9 GDPR. Therefore, based on the evaluation of the factors under Article 83(2)(a), (b) and (g) GDPR, the EDPB takes the view that the infringement is of a high level of seriousness[371].

174. The EDPB recalls that the Guidelines on calculation of fines indicate starting amounts for further calculation of the fine on the basis of whether the infringement is classified as being of a low, medium or high degree of seriousness[372]. In accordance with the Guidelines on calculation of fines, the EDPB takes the view that the LSA should determine the starting amount for further calculation of the fine at a point between 20 and 100% of the applicable legal maximum[373]. The EDPB recalls that starting amounts as expressed in the EDPB Guidelines on calculation of fines are starting points for further calculation while SAs have the discretion to utilise the full fining range ensuring that the fine is tailored to the circumstances of the case[374].

175. The EDPB also recalls that after having evaluated the nature, gravity and duration of the infringement as well as the intentional or negligent character of the infringement and the categories of personal data affected, account must also be taken of the remaining aggravating and mitigating factors under Article 83(2) GDPR[375].

176. In this respect, the EDPB reiterates its view that Meta IE bears a high degree of responsibility[376] and that Meta IE’s design of the FB service prevents it from providing this service in the EU/EEA without the FB International Transfers, which were found to be in breach of the GDPR. Consequently, the EDPB considers that the factors referred to in Article 83(2)(d) and (k) GDPR are aggravating and should be attributed sufficiently heavy weight in the calculation of the administrative fine by the LSA.

177. When calculating the final amount of the fine, the LSA should use the total worldwide annual turnover of the undertaking concerned for the preceding financial year, i.e. the worldwide annual turnover of all the entities composing the single undertaking[377]. In the present case, this is the consolidated turnover of the group of companies headed by Meta Platforms, Inc. On the notion of ‘preceding financial year’, the event from which the preceding financial year should be considered is the date of the final decision taken by the LSA pursuant to Article 65(6) GDPR.

178. In light of the above, the EDPB instructs the IE SA to impose an administrative fine on Meta IE for the infringement of Article 46(1) GDPR that is in line with the principles of effectiveness, proportionality and dissuasiveness under Article 83(1), giving due regard to the relevant aggravating factors under Article 83(2) GDPR, namely the factors referred to in Article 83(2)(a), (b), (g), (d), (k) GDPR. When calculating the fine, the IE SA should take into consideration the total turnover of the group of companies headed by Meta Platforms, Inc. for the financial year preceding the adoption of the IE SA’s final decision. The IE SA’s assessment should be guided by the EDPB Guidelines on calculation of fines and the EDPB’s assessment in this Binding Decision.

Additional considerations

179. For the sake of completeness, the EDPB also addresses Meta IE’s allegations in its Article 65 Submissions that the imposition of an administrative fine would breach the general principle of equal treatment or non-discrimination and the principle of legal certainty.

180. As previously noted[378], Meta IE agrees with the IE SA’s reasoning behind the decision not to impose an administrative fine for the breach of Article 46 GDPR set out in paragraphs 9.47 and 9.48 of the Draft Decision[379] and considers this reasoning to be in line with Recital 129 and Article 58(2)(i) GDPR[380]. The IE SA considers that the imposition of an administrative fine in this particular case would risk discriminating against Meta IE, given the absence of any corresponding fine in the decisions issued in response to the ‘101 complaints’ regarding the use of Google Analytics introduced by NOYB following the Schrems II judgement, and given the absence of a comparable action taken vis-a-vis Google LLC[381]. The EDPB also takes note of Meta IE’s argument that the imposition of an administrative fine ‘would breach the principles of non-discrimination and equal treatment, which are fundamental principles of EU law’ and ‘would result in an entirely inconsistent application of the GDPR by the CSAs’[382]. Meta IE also refers to the national decisions taken in response to the ‘101 complaints’ regarding the use of Google Analytics[383], as well as to the ‘EDPS CJEU Decision’[384] and the ‘EDPS EP Decision’[385], and highlights that although infringements have been found in these decisions, no administrative fines have been imposed on the controllers concerned[386]. In addition, Meta IE claims that the imposition of an administrative fine in the present case would be discriminatory against it and would violate the ‘general principle of self-binding effect of the general practice followed by the supervisory authorities to date’[387]. In addition, according to Meta IE, the imposition of an administrative fine on Meta Ireland would violate the principles of proportionality and legal certainty[388].

181. As regards the principle of equal treatment, the EDPB observes that the only argument Meta IE provides to substantiate its view that the imposition of an administrative fine would be discriminatory against it consists of a claim that the decisions adopted following the 101 complaints filed by NOYB, and the EDPS decisions referred to, have not imposed administrative fines on the controllers concerned in these cases. However, the EDPB considers that this allegation does not undermine the conclusion that the imposition of a fine was necessary in this particular case.

182. The principle of equal treatment, or non-discrimination, referred to by Meta IE is a general principle of European law that has been explained by the CJEU in the following terms: ‘The different treatment of non-comparable situations does not lead automatically to the conclusion that there is discrimination. An appearance of discrimination in form may therefore correspond in fact to an absence of discrimination in substance. Discrimination in substance would consist in treating either similar situations differently or different situations identically’[389].

183. Therefore, the EDPB does not consider that the imposition of a fine in the present case would be discriminatory vis-a-vis Meta IE, merely because other controllers have not been fined in other cases where transfers have been deemed to be in breach of the GDPR following the Schrems II judgment. As Meta IE points out itself, Article 58(2)(i) GDPR grants each supervisory authority the power to ‘impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case’. In addition, the EDPB recalls the CJEU’s finding that ‘when carrying out their duties, the supervisory authorities must act objectively and impartially’[390]. A reference to ‘individual cases’ is also present in Article 65 GDPR, requiring the EDPB to ensure the consistent application of the GDPR in individual cases.

184. The CJEU has also recognised that discrimination ‘cannot occur if inequality in the treatment of undertakings corresponds to an inequality in the situations of such undertakings’[391]. In this regard, the EDPB notes that the similar or identical nature of the cases brought before the SAs and the EDPB has not been demonstrated by Meta IE. The EDPB also recalls that Articles 83(1) and (2) GDPR have been drafted in such a way as to prevent arbitrary and discriminatory decisions by the supervisory authorities - they provide clear rules and criteria to be taken into account by all SAs when enforcing the GDPR and when deciding on the most appropriate course of action depending on the seriousness of the infringements at stake. In this context, the EDPB has specified, with regard to Article 83(2)(k) GDPR, that it is of ‘fundamental importance for adjusting the amount of the fine to the specific case’ and that ‘it should be interpreted as an instance of the principle of fairness and justice applied to the individual case’[392].

185. The EDPB recalls that, pursuant to Article 70(1)(u) GDPR, one of its tasks is to ensure the consistent application of the GDPR by, among others, promoting the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities. Indeed, the need to ensure consistent application of the GDPR is particularly important in circumstances where the supervisory authorities handle complaints with identical content and which concern the same infringements committed by different controllers, as in the case of the ‘101 complaints’.

186. However, the dispute that the EDPB is called to resolve with this Binding Decision concerns a separate own-volition inquiry, the outcome of which is currently disputed before the EDPB by four CSAs. Therefore, the EDPB is under the legal obligation to take a decision on the merits of the objections in this individual case, in accordance with Recital 136 GDPR, Article 65(1)(a) GDPR and the EDPB Guidelines on Article 65(1)(a) GDPR. As the similarity of the cases referred to by Meta IE and the present case has not been demonstrated, the mere fact that in other cases no administrative fine has been imposed for the same infringement does not constitute discriminatory treatment against Meta IE.

187. Therefore, the EDPB cannot accept Meta IE’s argument that instructing the IE SA to impose on Meta IE an administrative fine for the breach of Article 46(1) GDPR would violate the principle of equal treatment or non-discrimination.

188. Furthermore, the EDPB cannot agree with Meta IE’s view that the imposition of an administrative fine would breach the principle of legal certainty. The principle of legal certainty, also a general principle of EU law, requires that ‘legal rules be clear and precise and aims to ensure that situations and legal relationships governed by EU law remain foreseeable’[393]. This being said, the EDPB has previously recalled that it is settled case law that legal certainty is not absolute[394] and undertakings are expected to take appropriate legal advice to anticipate the possible consequences of a rule and to assess the risk of infringement with ‘special care’[395]. In addition, the fact that the undertaking concerned has characterised wrongly in law its conduct upon which the finding of the infringement is based cannot have the effect of exempting it from imposition of a fine[396].

189. The EDPB considers that the GDPR lays down sufficiently clear and precise rules both with regard to the lawfulness of transfers of personal data to third countries and with regard to the exercise of corrective powers by the supervisory authorities in case of infringements, including the imposition of administrative fines. Also considering that Article 83(5)(c) GDPR subjects the infringements of Articles 44-49 GDPR to the highest administrative fine possible under the Regulation, the EDPB cannot agree that the imposition of a fine for the breach of Article 46(1) GDPR by Meta IE would be unforeseeable. In addition to the fact that the GDPR provides clear and precise rules on fines, the way in which the EDPB understands the correct application of Article 83 GDPR is explained in detail in the EDPB Guidelines on calculation of fines, which are public and easily accessible. Last but not least, the imposition and calculation of administrative fines is an issue that was addressed by the EDPB in all of its Binding Decisions to date[397], three of which relate to GDPR infringements committed by Meta IE[398].

190. In these circumstances, and taking into account the lack of further arguments put forward by Meta IE, the EDPB considers that the legal situation governed by the GDPR in the present case is sufficiently foreseeable and does not jeopardise the principle of legal certainty.

191. Therefore, the EDPB considers that the application of the principles of equal treatment and legal certainty does not contradict the EDPB’s conclusion that an administrative fine has to be imposed for the breach of Article 46(1) GDPR by Meta IE.

5 ON THE IMPOSITION OF AN ORDER REGARDING TRANSFERRED PERSONAL DATA

5.1 Analysis by the LSA in the Draft Decision

192. The IE SA considered ‘whether it could be said to be “appropriate, necessary and proportionate” to direct Meta IE to procure the return and/or deletion of some or of all the personal data that has already been transferred to Meta US’[399]. The IE SA takes the view that ‘the making of an order directing the bulk return and/or deletion of all transferred data from an identified point in time would be excessive’[400].

193. Nevertheless, the IE SA then states that ‘it must (and will) be open to any individual user to exercise the rights conferred on them by Chapter III of the GDPR, in accordance with the law, and to the fullest extent’[401].

5.2 Summary of the objections raised by the CSAs

194. The DE and FR SAs object to the choice of the corrective measures in the IE SA’s Draft Decision.

195. The DE SAs note that the Draft Decision proposes an order to suspend future transfers from Meta IE to Meta Platforms, Inc. in the US (pursuant to Article 58(2)(j) GDPR), which means the corrective measure does not affect the personal data of EEA users already transferred to and processed in the US. The DE SAs take the position that the Draft Decision should be amended by including a measure pursuant to Article 58(2)(d), (f) or (g) GDPR ordering Meta IE to ‘cease any processing, including any storage, in the US of personal data of users from the EEA transferred to Meta Inc. at least since the Schrems II judgment of 16 July 2020 within a reasonable period of time, which shall not exceed 6 months after the termination of this cooperation procedure’[402]. In this respect, the DE SAs consider that the return or deletion of the data unlawfully transferred to the US constitutes a ‘particularly effective measure’[403].

196. The DE SAs put forward several factual and legal arguments for the proposed change[404]. In particular, the DE SAs refer to the ‘disproportionate access by US authorities’ and the lack of effective legal remedies for data subjects[405], which results in the need to cease the processing of previously transferred data. According to the DE SAs, that is ‘the only way to ensure that the GDPR is fully enforced’[406], since ‘other actions […] in the draft decision do not comply with the GDPR because they are not sufficient to remedy the infringement’[407]. The DE SAs thus consider that ‘not ordering the cessation of the processing […] would result in tolerating the unlawful transfers that have taken place’[408].

197. The DE SAs also address the responsibility of the supervisory authorities ‘to monitor the application of the GDPR and to ensure its enforcement’ and that, with respect to corrective power, such responsibility entails ‘ensuring that the GDPR is fully enforced with all due diligence’[409]. The DE SAs put forward that the enforcement responsibility of the supervisory authorities is by no means affected by the possibility for individual data subjects to exercise their rights under Chapter III of the GDPR to obtain an end to processing of their data that have been transferred unlawfully[410]. Further, the DE SAs analyse the legal bases that, in their view, provide for the corrective powers to order the cessation of the processing, including any storage, in the US of personal data of EEA users already transferred[411].

198. The IE SA states in the Draft Decision that ‘making of an order directing the bulk return and/or deletion of all transferred data from an identified point in time would be excessive’[412], without - in the DE SAs’ view - providing arguments as to why such a remedy would be disproportionate[413]. The DE SAs take the view that such an order is not excessive, in particular because i) at the latest since the Schrems II judgment, the controller knew that ‘the surveillance programmes based on [the applicable US legislation] cannot be regarded as limited to what is strictly necessary in a democratic society’[414] and ii) the obligation to return or delete the data was already provided both in the former and the new SCCs, ‘if the data importer cannot comply with its obligations under the SCCs’[415]. Given the explicit confirmation of the validity of the former SCCs in the Schrems II judgment and the fact that the new SCCs mirror the wording of the old SCCs with respect to the obligation to return or delete the data transferred, the DE SAs consider that ‘there is no doubt that the obligation of the controller to return/delete the data is also proportionate in the new SCCs’[416]. In addition, the DE SAs recall that, by entering into the SCCs, the parties have committed to return or delete the transferred data ‘if the importer cannot comply with its obligations under the SCCs’[417]. Thus, according to the DE SAs, the imposition of a compliance order couldn’t take the controller by surprise.

199. On the risks posed by the Draft Decision, the DE SAs see a permanent high risk to the fundamental rights and freedoms of the data subjects, namely disproportionate access by US authorities to the EEA users’ data without recourse to effective legal remedies, as identified by both the CJEU and the IE SA in the Draft Decision[418]. In addition, the DE SAs take the view that the Draft Decision as it stands sets a dangerous precedent by not ensuring effective enforcement of the GDPR[419].

200. The FR SA notes that the Draft Decision proposes an order to suspend future transfers to the US, but does not ‘contain any compliance order in relation to data that have already been transferred, have been retained in the US and continue to be processed by the company’[420]. The FR SA takes the position that the Draft Decision should be amended by including a measure pursuant to Article 58(2)(d) GDPR, ordering Meta IE to bring into compliance the processing of data that were unlawfully transferred, at least since the Schrems II judgment, in particular by returning or deleting the data[421]. Regarding the compliance period, the FR SA notes that the order ‘must allow data subjects to exercise their rights. In particular, the company must enable data subjects to retrieve the data relating to the users’ accounts before deleting it, if necessary’[422].

201. The FR SA puts forward several factual and legal arguments for the proposed change[423]. In particular, the FR SA considers that the issues identified in the Schrems II judgment ‘remain after the transfer phase, once the data are stored in the United States’ and those issues should be addressed[424]. Additionally, the FR SA considers that, even though the IE SA concludes that the data transfers were unlawful, it does not ‘draw all the consequences of the unlawfulness’ and therefore ‘does not allow to bring the data processing into compliance’[425]. The FR SA also underlines that ‘the return or deletion of personal data that were unlawfully transferred aims at ensuring compliance of a data processing that did not comply with the GDPR’ and notes that this is illustrated by Recital 33 of the Privacy Shield decision, which provided for such measure[426].

202. On the risks posed by the Draft Decision as it stands, the FR SA refers to the Schrems II judgement and the findings in the Draft Decision to conclude that the risks ‘to the privacy of users of the Facebook service’ are materialised ‘in cases where the US Government accesses the data’, in particular considering that Facebook accounts ‘may contain a lot of information about the private life of users’[427].

5.3 Position of the LSA on the objections

203. The IE SA confirmed that it considered the objections raised under this heading to satisfy the applicable threshold such that they ought to be considered ‘relevant and reasoned’[428]. Considering the merits of the objections, the IE SA noted that the objections ‘broadly focus on the concerns that, without an order directing the “bulk” return or deletion of personal data that has already been transferred to the US, the Draft Decision fails to completely bring the processing into compliance’[429], and ‘since users had no choice nor means to object to the transfer of their personal data to the US and in light of the primary responsibility of the supervisory authorities to monitor the application of the GDPR and ensure its enforcement, it seems inconsistent to now impose on the data subjects individually the burden of having the process of their personal data ceased, that personal data having been unlawfully transferred to the US’[430].

204. Addressing, firstly, the possibility of whether or not an order might be made to direct the ‘bulk’ return of personal data that has already been transferred to the US, the IE SA noted its understanding that ‘Meta Ireland is unlikely to be in a position to comply with such an order’[431]. The IE SA noted, in this regard, that Meta IE, as part of its Data Transfers Report dated 2 July 2021, explained why, in its view, it is not possible for EEA User Data to be segregated from non-EEA User Data[432]. In light of the identified limitations, the IE SA noted that it appeared that Meta IE could not comply with an order directing the ‘bulk’ return of personal data that has already been transferred to the US.

205. In light of the above, the IE SA takes the view that ‘it would be ineffective to make an order directing the “bulk” return of personal data that has already been transferred to the US, the terms of which cannot be complied with by the data controller or processor concerned’[433].

206. Addressing, secondly, the possibility of whether or not an order might be made to direct the ‘bulk’ deletion of personal data that has already been transferred to the US, the IE SA noted that Recital 129 GDPR provides that: ‘The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law […]. In particular each measure should […] respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken […].’ The IE SA then considered the differences between an order to direct the ‘bulk’ deletion of personal data that has already been transferred to the US and the order to suspend transfers already envisaged in the Draft Decision. In this respect, the IE SA noted that, as regards the order for suspension proposed by the Draft Decision, ‘any consequent impact on individual users would arise as a result of the architecture of the systems developed and deployed by Meta IE in the delivery of its services and not by the proposed order itself’[434]. In the view of the IE SA, the position, however, would be very different if the Draft Decision were to also include ‘an order requiring the “bulk” deletion of any personal data that has already been transferred to the US’ given that, according to the IE SA, this would ‘clearly constitute an individual measure that would not only affect Meta Ireland but also all of the data subjects whose personal data would be subject to erasure as a result of the implementation of the order. Such an order would also likely impact on businesses and other (non-profit) organisations that currently conduct their business operations exclusively through, or in reliance on, Facebook’[435]. The IE SA ‘considers that these individuals and entities would be adversely affected’[436] by such an order and detailed the likely adverse effects that it considered would be suffered by data subjects, businesses and non-profit organisations. In addition, the IE SA highlights the difficulty of reconciling the temporary nature of the order to suspend transfers, which was not challenged by any CSA, with an order to delete any data that has already been transferred[437].

207. The IE SA further noted that ‘it is unclear how the requested order could take account of the exemptions provided for in Article 17 and how it could be complied with by Meta Ireland in a way which does not result in the deletion of personal data which is being processed jointly by data subjects, businesses and other organisations for the purposes identified in Article 17 (3)’[438]. In these circumstances, the IE SA concluded that it could not amend the Draft Decision to include the requested order without affording the individuals and entities who/which risk being adversely affected by the requested order the right to be heard beforehand[439].

208. In light of the above, the IE SA concludes that ‘the most appropriate course of action is to leave it open to individual data subjects to consider whether or not they might wish to exercise their right to erasure in respect of any personal data that might have already been transferred to the US’[440].

5.4 Analysis of the EDPB

5.4.1 Assessment of whether the objections were relevant and reasoned

209. The objections raised by DE and FR SAs concern ‘whether the action envisaged in the Draft Decision complies with the GDPR’[441].

210. The EDPB takes note of Meta IE’s view that not a single objection put forward by the CSAs meets the threshold of Article 4(24) GDPR[442]. Meta IE argues that CSAs must ‘limit their Objections to the specific corrective measures proposed by the DPC as LSA and whether these comply with the GDPR’ and may not ‘substitute their own view of the appropriate corrective measures’[443], concluding that the DE SAs’ and FR SA’s objections are not relevant.

211. The EDPB recalls its view that CSAs are not restricted to criticising the corrective measures set out by an LSA in its draft decision, but may ask for specific additional corrective measures to be taken by the LSA - provided the objection is sufficiently reasoned to demonstrate that the lack thereof means the envisaged action of the LSA does not comply with the GDPR[444]. This is a possibility both to address infringements already identified in the Draft Decision or, as the case may be, identified by the CSA in an objection raised[445].

212. The DE SAs and FR SA disagree with a specific part of the IE SA’s Draft Decision, namely the section on corrective measures chosen by the IE SA, by arguing that an additional order should have been included in the Draft Decision in addition to the order to suspend transfers[446]. If followed, these objections would lead to a different conclusion as to the choice of corrective measures. In consequence, the EDPB considers the objections to be relevant.

213. The EDPB is not swayed by Meta IE’s submission that the objections at issue are not sufficiently reasoned[447].

214. The EDPB finds that the DE SAs and FR SA provide sufficient reasoning on why they propose amending the Draft Decision and how this leads to a different conclusion in terms of corrective measures as explained in paragraphs 196-201 above[448].

215. In terms of risks, Meta IE argues that the DE SAs and FR SA do not sufficiently demonstrate that the Draft Decision poses a significant risk to fundamental rights and freedoms of data subjects. In Meta IE’s view, the FR SA and DE SAs do not substantiate ‘the extent to which Historic Meta Ireland User Data is likely to be accessed by USG authorities’[449]. Further, in Meta IE’s view, the FR SA ‘provides no information regarding the alleged risks to Meta Ireland Users, the personal data concerned or the extent to which such data might be accessed by USG authorities’[450] and ‘erroneously seeks to rely on the Privacy Shield Decision, which is no longer in force, to justify its position’[451]. Regarding the DE SAs’ objection, Meta IE argues ‘there was always only limited practical risk of interference with Meta Ireland Users’ data protection and redress rights as a result of the Meta Ireland Data Transfers, and any such risk only affected a relatively limited number of users’[452].

216. In this regard, the EDPB firstly notes that the IE SA did not accept Meta IE’s submissions whereby government access to data in the US is ‘limited and proportionate in practice’[453]. In fact, the IE SA considers that Meta IE’s submissions in this respect ‘seem to simply ignore the ruling of the CJEU’[454]. The IE SA also notes that Meta IE does not demonstrate ‘that practice in the US is such as to address the deficiencies identified above in the laws of the US’[455]. The EDPB further recalls that none of the findings of the IE SA on the infringements committed by Meta IE is challenged or disputed by the objections raised by the CSAs.

217. The EDPB considers that the DE SAs articulate an adverse effect on the rights and freedoms of data subjects if the Draft Decision is left unchanged, by referring to a failure to guarantee a high level of protection under EU law for the rights and interests of the individuals whose personal data have already been transferred in the past[456]. The significance of this adverse effect is demonstrated by the Schrems II judgment[457]. The DE SAs see a further adverse effect, namely that the Draft Decision sets a dangerous precedent for future decisions regarding other controllers[458]. Therefore, the EDPB finds that the DE SAs clearly demonstrate the significance of the risks to the data subjects posed by the Draft Decision.

218. The EDPB considers that the FR SA articulates an adverse effect on the rights and freedoms of data subjects if the Draft Decision is left unchanged, by leaving personal data transferred in the past exposed to access by the US government, despite the significance of the risks recognised by the Schrems II judgment[459]. Therefore, the EDPB finds that the FR SA clearly demonstrates the significance of the risks to the data subjects posed by the Draft Decision.

219. Considering the above, the EDPB finds that the aforementioned objections of the DE SAs and FR SA are relevant and reasoned pursuant to Article 4(24) GDPR.

5.4.2 Assessment on the merits

1. Preliminary matters related to the scope of the order proposed by the FR and DE SAs

220. As mentioned above[460], CSAs can propose in their relevant and reasoned objections alternative or additional corrective measures to those envisaged in the Draft Decision, when they consider that the envisaged measures are not ‘appropriate, necessary and proportionate’ in view of ensuring compliance with the GDPR, taking into account the circumstances of the individual case[461].

221. In this respect, Article 58(2) GDPR provides a list of corrective powers that can be exercised by SAs to ensure the consistent monitoring and enforcement of the GDPR. These powers are common to all SAs, without prejudice to additional powers provided in national laws[462]. The SAs can therefore decide which measure is the most appropriate and necessary considering the circumstances of the case, but must do so in a way that ensures that the GDPR is fully enforced with all due diligence[463]. Against this background, as the EDPB has previously recalled, a relevant and reasoned objection can also relate to actions other than fines, taking into account the range of powers listed in Article 58(2) GDPR[464]. Thus, CSAs can disagree with the corrective action proposed by the LSA, including when the LSA decides not to impose a specific corrective measure[465]. The CSAs shall then clearly explain the reasons why they consider that a different or additional corrective measure should be imposed[466], on the basis of a reasoning and conclusion different from the LSA’s on the facts collected and the findings established.

222. In this case, the FR SA and the DE SAs clearly explain why, in their view, the IE SA should impose an order regarding the data of EEA users unlawfully transferred to and currently stored in the US[467]. In particular, they refer to the risk to the fundamental rights of data subjects whose data was unlawfully transferred to and is currently processed in the US, subject to disproportionate access by US public authorities and without the possibility to have access to judicial remedies[468]. In the view of the DE SAs and the FR SA, by not imposing such an order, the IE SA fails to draw all the consequences of the unlawfulness of the transfers[469].

223. Therefore, the EDPB shall assess whether, in light of the objections raised, the envisaged action (in this case, the absence of a measure) included in the draft decision does not comply with the GDPR and whether, consequently, the IE SA needs to include in its final decision, in terms of envisaged actions, also an order regarding the data unlawfully transferred to the US[470]. In its assessment, the EDPB also takes into consideration Meta IE’s submissions, as well as the relevant case law of the CJEU[471] and the objective pursued by the proposed measure.

224. The EDPB underlines that transfers of personal data should only take place when such data will enjoy, in the third country, a level of protection essentially equivalent to that in the EU[472]. In the Draft Decision, the IE SA acknowledges this obligation by proposing a temporary suspension of transfers in accordance with Article 58(2)(j) GDPR in order to ‘ensure that the ongoing interferences with the rights of data subjects […] are brought to an end as soon as possible’[473]. The temporary nature of such order is justified by the IE SA as ‘new measures […] may yet be capable of being developed and implemented by Meta Ireland and/or Meta US to compensate for the deficiencies identified’ in the Draft Decision[474]. Such deficiencies are found in the ‘very clear inadequacies in US law identified by the CJEU’[475] and their impact ‘in undermining the protection afforded’[476] to data subjects.

225. In particular, the IE SA finds that US law does not provide an essentially equivalent level of protection to that provided in the EU, that the SCCs relied upon by Meta IE cannot compensate for the inadequate protection and that Meta IE does not have supplementary measures that can compensate for it[477]. The IE SA decides on the suspension of transfers as, in its view, there are no other means to ensure the protection of personal data[478], in a situation in which the essence of the fundamental right of effective judicial protection of Meta IE’s users is not respected[479].

226. The IE SA takes the view that, if data continued to be transferred to the US, ‘the general legislative scheme and policy would be significantly undermined’[480]. This is consistent with the IE SA’s findings regarding the breach of Article 46 GDPR due to the lack of supplementary measures that could remedy the identified shortcomings. At the same time, the EDPB notes that, as the FR and DE SAs correctly point out[481], the order to suspend transfers, as framed in the Draft Decision, only concerns future data transfers and, therefore, it doesn’t affect the personal data of EEA users that has already been transferred and is being processed in the US[482]. In this context, the risks identified by the IE SA would continue to be present for the data currently stored in the US despite the corrective measure envisaged by the IE SA[483]. According to the CJEU, SAs shall take appropriate action ‘in order to remedy any findings of inadequacy’ identified in the context of international data transfers[484]. The CJEU further highlights that the primary responsibility of the SAs to monitor and enforce the application of the GDPR is ‘of particular importance where personal data is transferred to a third country’[485].

227. Against this background, the DE SAs underline that the cessation of processing in the US, including any storage, is the only measure that can effectively address such risks and, together with the order to suspend the transfers, restore and maintain the level of protection[486] for the personal data of EEA users. The DE SAs also underline that the cessation of the processing could be ordered in the context of, inter alia, a compliance order under Article 58(2)(d) GDPR. Likewise, the FR SA considers that Meta IE should be ordered to bring processing into compliance with the GDPR[487].

228. The DE SAs also indicate that the return or deletion of the EEA users’ data stored in the US constitutes a ‘particularly effective measure’ to cease the processing[488]. Likewise, the FR SA indicates the return or deletion of the EEA users’ data stored in the US as a measure aimed at ensuring compliance with the GDPR[489].

229. The EDPB takes note of Meta IE’s views in its A65 Submissions and the documents referred to therein. In its submissions, Meta IE focuses on the concrete means that the FR SA and the DE SAs consider particularly effective at ensuring compliance with the GDPR, namely the return or deletion of the personal data of EEA users stored in the US. In short, Meta IE states that, from a technical perspective, an order to return personal data would entail the deletion thereof and that the deletion of personal data stored in US data centres would, in turn, entail the deletion of all personal data of EEA users, including personal data stored in the EEA[490].

230. In this respect, the EDPB underlines that, in accordance with the accountability principle, controllers are responsible for and shall be able to demonstrate compliance with the GDPR[491]. This general principle translates into specific obligations of the controller, including the obligation to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR and that such measures shall be reviewed and updated if necessary[492]. As the EDPB has previously underlined, the right to data protection has an active nature and, in the context of international transfers, it requires exporters and importers to comply in an active and continuous manner by implementing legal, technical and organisational measures that ensure its effectiveness[493].

231. Therefore, it is within the accountability obligations of controllers to design or, if necessary, update their data processing systems in a way that ensures the lawful processing of personal data under GDPR. This obligation should also apply with regard to systems that require the continuous transferring of personal data to third countries, especially in a case such as the one at hand, in which the CJEU has already declared on two different occasions that the level of protection provided in the US was not essentially equivalent to that in the EU.

232. The EDPB recalls that compliance with the GDPR can be achieved in different manners and, in this particular case, it may not necessarily entail the return or deletion of EEA users’ data stored in the US, as other technical solutions could be identified by the controller[494]. For the avoidance of doubt, and given Meta IE’s submissions addressing the return and deletion of the EEA users’ data stored in the US, the EDPB emphasises that the objections of the FR SA and the DE SAs explicitly request the imposition of an order to bring processing into compliance which, in the case of the DE SAs’ objection, is phrased in the form of an order to cease processing[495]. In both cases, the objections mention the return or deletion of the EEA users’ data in the US as measures that could achieve such compliance. However, other possible measures are not excluded. This is especially clear in the DE SAs’ objection, where the DE SAs acknowledge that the cessation of the processing can be implemented by different measures, and only refer to the deletion of personal data as an example thereof[496].

233. Considering the above, the EDPB will assess whether it should instruct the IE SA to impose an order on Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR. If such an order is imposed, it will be the responsibility of Meta IE to identify and implement the appropriate means to bring processing operations into compliance, in accordance with its accountability obligations.

2. Preliminary matters related to the legal basis

234. For the avoidance of doubt, and given Meta IE’s arguments regarding the legal basis to impose an order to cease processing as suggested by the DE SAs, the EDPB wishes to address this aspect as a preliminary question.

235. In accordance with Article 58(2)(d) GDPR, an SA can order a controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specific period. The FR SA and the DE SAs explicitly mention this provision as providing for a suitable corrective measure in this case[497]. Meta IE argues that Article 58(2)(d) GDPR ‘does not provide the power to require deletion or to require a controller to facilitate the return […] of data that is being processed by a third party, including its processor’[498]. Meta IE also raises that Article 58(2)(j) empowering SAs to order the suspension of data transfers to a third country does not make any reference to the return or deletion of data already transferred and, in Meta IE’s view, ‘this omission indicates a preference for the suspension of transfers […] without affecting personal data transferred prior to the suspension’[499].

236. As mentioned above, the FR SA and the DE SAs provide in their objections examples of measures that, in this context, appear particularly effective to bring processing into compliance or to cease the processing in the US, namely the return or deletion of the EEA users’ data stored in the US. However, the EDPB emphasises that other means to achieve compliance may be available, as recognised by the DE SAs in the objection[500].

237. In any case, the EDPB wishes to clarify that Article 58 GDPR represents the means for the SAs to perform the tasks enshrined in Article 57 GDPR[501]. In particular, Article 57(1) GDPR provides the obligation of each SA to ‘monitor and enforce the application’ of the GDPR. In this context, Article 58(2)(d) GDPR clearly sets out the possibility for the SA to order the controller to bring processing into compliance, where appropriate, in a specified manner. In other words, the GDPR provides sufficient flexibility for the SAs to decide, where appropriate, the most appropriate, necessary and proportionate measure to bring processing into compliance.

238. Whenever the legislator considered it necessary to specify the content of a type of corrective measure, it did so - this is the case with most of the measures under Article 58(2) GDPR. The fact that the order to comply leaves discretion to the SA on the most appropriate manner to implement it, is a reflection of the intention of the legislator to allow the SAs to decide, where appropriate, on the suitable corrective measure in accordance with the circumstances of the case. Therefore, the EDPB considers that Article 58(2)(d) GDPR cannot be interpreted in such a way that would prevent SAs from specifying the most suitable measure, if the SA considers it appropriate to do so. Such interpretation would render the provision meaningless and would directly contradict settled case law of the CJEU, whereby data protection concepts should be interpreted in light of the fundamental rights enshrined in the CFR[502]. In addition, the EDPB underlines that the fact that Article 58(2)(j) does not make any reference to the fate of the data already transferred does not prevent SAs from imposing additional corrective measures that will be suitable to the particular circumstances of the case.

239. Therefore, the EDPB agrees with the DE SAs and the FR SA that Article 58(2)(d) GDPR empowers the IE SA to impose in the present case an order to bring processing into compliance with Chapter V, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR as long as this is the appropriate, necessary and proportionate measure in view of ensuring compliance with the GDPR. Contrary to Meta IE’s position, the mere fact that such an order may require the controller to procure assistance from their processor to comply is from a legal point of view irrelevant. Otherwise, the effectiveness of an order to bring processing into compliance would depend on the circumstance of whether a processor is involved or not[503].

240. The DE SAs also consider that the cessation of the processing could also be based on an order to limit processing in accordance with Article 58(2)(f) GDPR, by limiting it with regard to the geographical scope. Meta IE argues that a measure with a ‘permanent and irreversible’ effect cannot be based on Article 58(2)(f) GDPR[504]. The EDPB notes that Article 58(2)(f) GDPR clearly distinguishes two types of limitations or bans on processing: temporary or definitive. Therefore, an order to cease processing, independently of the nature of the cessation, would clearly be within the powers of the SAs under Article 58(2)(f) GDPR.

241. Finally, with regard to Article 58(2)(g) GDPR, the EDPB takes note of Meta IE’s disagreement with the EDPB position in Opinion 39/2021[505]. However, the EDPB upholds its position that Article 58(2)(g) GDPR is a valid legal basis for a supervisory authority to order ex officio the erasure of unlawfully processed personal data in a situation where such request was not submitted by the data subject[506].

242. In any case, as already explained, the scope of the objections is broader, as the FR SA explicitly requests an order to bring processing into compliance and the DE SAs refer to an order to cease processing, which, in their view, could be imposed on the basis of Article 58(2)(d) GDPR.

243. Given the wording of the objections of the FR SA and the DE SAs, it is clear to the EDPB that in both cases, the aim is to ensure compliance with the GDPR with regard to the processing of EEA users’ data unlawfully transferred and currently stored in the US[507]. Therefore, in this particular case, the EDPB considers that Article 58(2)(d) GDPR provides for the most suitable corrective measure in order to remedy the infringement.

3. The appropriateness of an order to bring processing into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR

244. In the next paragraphs, the EDPB will assess the appropriateness, necessity and proportionality of the order requested by the FR SA and the DE SAs considering the aim pursued, namely, that processing of EEA users’ data unlawfully transferred to and currently stored in the US be compliant with the GDPR. Such compliance would be achieved by ceasing the unlawful processing of EEA users’ data in the US, including storage, as the DE SAs indicate in their objection.

Appropriateness

245. The EDPB notes that providing for the fate of personal data transferred to a third country, once the relevant transfer(s) is suspended or terminated is not a novelty. In fact, as the DE SAs rightly point out[508], the former European Commission’s SCCs for transfers between controllers and processors[509] included a clause detailing the obligations of the data importer with regard to the personal data already transferred, once the parties agreed to the termination of the data-processing services[510]. This clause has been implemented as an obligation in case of termination of the contract in all modules of the updated SCCs[511]. Likewise, as underlined by the FR SA, Recital 33 of the Privacy Shield decision also provided for the fate of the transferred personal data, in the case of organisations that persistently failed to comply with the Principles. This is especially relevant in the context of a controller-processor relationship where, according to Article 28(1) GDPR, controllers shall only use processors providing sufficient guarantees to comply with the GDPR and ensure the protection of the rights of data subjects.

246. The EDPB takes note of Meta IE’s arguments in this respect[512]. The EDPB agrees that the situations envisaged under Recital 33 Privacy Shield, and Clause 12 and 16(d) of the old and current SCCs, respectively, are different from the present case, where the suspension of the transfers will happen as a consequence of the order imposed by the IE SA. However, those provisions clearly highlight that, once the data importer does not have any legal basis for the processing of the transferred data and/or cannot guarantee compliance with the GDPR, and particularly Chapter V thereof, regardless of the reason, there is a need to provide for the fate of the data already transferred. This is a logical consequence of Article 44 GDPR, which ensures the protection of personal data transferred to third countries.

247. Taking into account the findings of the IE SA in its Draft Decision, and in particular the infringement of the GDPR committed by Meta IE and the risks identified in the Schrems II judgement and confirmed by the IE SA, as well as the elements and reasoning above, the EDPB considers that an order to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR is appropriate, in the present case, in order to remedy non-compliance with the GDPR.

248. In the following section, the EDPB will analyse whether the order is also necessary and proportionate taking into account the circumstances of the specific case.

Necessity and proportionality

249. In the Draft Decision, the IE SA considers that an order to return or delete personal data already transferred ‘would be excessive’ and that it is ‘open to any individual user to exercise the rights’ under the GDPR ‘to the fullest extent’[513]. The FR SA and the DE SAs disagree with the IE SA and consider that the processing of personal data unlawfully transferred to and currently stored in the US needs to be brought into compliance with the GDPR, as explained above, and refer to some concrete measures that could achieve such compliance. In its submissions, Meta IE focuses heavily on those concrete measures and argues that the return of the data is not appropriate[514] and the deletion is neither appropriate, given its ‘significant and permanent adverse effects’[515], nor necessary, as the dissuasive effect is already achieved with the order to suspend transfers[516], nor proportionate, in light of the temporary nature of the order to suspend transfers and the irreversible character of the order to delete data[517]. In its submissions, Meta IE does not address other possible means to bring processing into compliance[518].

250. As a preliminary remark, the EDPB underlines that the possibility for data subjects to exercise their rights under the GDPR does not prevent SAs from adopting appropriate corrective measures to remedy an infringement. The EDPB fundamentally disagrees with a position that, in practice, would entail entrusting the enforcement of the GDPR to individual actions without requiring controllers to remedy the infringements identified. This position, in the view of the EDPB, would undermine the effective application of one of the two overall objectives of the GDPR, namely the protection of the ‘fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data’[519].

251. As the EDPB has previously recalled, supervisory authorities are required to react appropriately to remedy infringements of the GDPR, in accordance with the means provided to them by Article 58(2) GDPR[520]. Corrective measures should be applied inasmuch as they are appropriate, necessary and proportionate in accordance with the circumstances of the individual case[521]. This highlights the need for the corrective measures and any exercise of powers by supervisory authorities to be tailored to the specific case[522]. This is in line with settled case law of the CJEU, according to which measures shall not exceed the limits of what is appropriate and necessary in order to achieve the objectives legitimately pursued; where there is a choice between several appropriate measures, recourse must be had to the least onerous and the disadvantages caused must not be disproportionate to the aims pursued[523].

252. The EDPB has consistently referred to the need to ensure, when choosing the appropriate corrective measure, that such measure is necessary to enforce the GDPR and achieve the protection of the data subjects with regard to the processing of their personal data[524]. Thus, when there is a choice between several appropriate measures, the principle of proportionality requires that the least onerous measure be chosen and that it does not create disproportionate disadvantages in relation to the aim pursued[525].

253. The EDPB takes note of the elements raised by the objections of the FR SA and DE SAs to justify the need for imposing an order with regard to EEA users’ personal data unlawfully transferred to and currently stored in the US. In particular, the FR SA refers to the ‘significant risks’ of infringement of the privacy of individuals due to access to data by US public authorities, as identified in the Schrems II judgement and in the Draft Decision[526]. The DE SAs also refer to the risk of ‘disproportionate access by US authorities’ and the lack of effective legal remedies, which, in their view, ‘results in a permanent high risk to the fundamental rights and freedoms of the data subjects that is not remedied’ by the action envisaged in the Draft Decision[527].

254. As mentioned in paragraph 224 above, in the Draft Decision the IE SA considers that the ‘very clear inadequacies in US law’ undermine the protection afforded to data subjects and the essence of their fundamental right to effective judicial protection is not respected[528]. Considering these findings, the FR SA and the DE SAs argue that the processing of EEA users’ data unlawfully transferred to and currently stored in the US needs to be brought into compliance with the GDPR[529]. The IE SA does not address the FR SA and DE SAs’ arguments and concerns on the risks to which the data already transferred to and currently stored in the US are subject.

255. In this respect, the EDPB considers that the objective pursued by the order to bring processing operations into compliance is a legitimate one. The EDPB takes note of Meta IE’s argument that the practical risk of interference with EEA users’ data transferred to the US ‘has always been extremely limited’ and, in the case of EEA users’ data previously transferred to the US, the potential risk is ‘even more limited’[530]. However, the EDPB is not swayed by this argument, as analysed above[531].

256. The EDPB also takes note of Meta IE’s arguments, whereby an order to delete will be unnecessary in terms of dissuasiveness and disproportionate due to the ‘very significant additional irreparable harm’ that it would cause[532]. However, as stated above, the deletion of the personal data of EEA users stored in the US is only one of the possible ways to bring processing into compliance. Whether such measure would also entail the deletion of all personal data of EEA users would be, in any case, a consequence of the architecture of the system chosen by Meta IE to provide the Facebook service. Consequently, it is the controller’s responsibility to identify and implement the appropriate measures to bring processing of EEA users’ data unlawfully transferred to and currently stored in the US into compliance with the GDPR.

257. The EDPB recalls that, when assessing whether a specific corrective measure attains the objective pursued, several factors need to be taken into consideration, in addition to the dissuasiveness of the measure, namely, its ability to remedy an infringement and restore the level of protection of the GDPR. In the present case, the above considerations demonstrate that an order to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, is necessary in order to achieve the aim pursued, namely that processing of EEA users’ data unlawfully transferred to and currently stored in the US be compliant with the GDPR.

258. With regard to the proportionality of the proposed order, Recital 129 GDPR provides that consideration should be given to ensuring that measures chosen to remedy an infringement do not create ‘superfluous costs’ and ‘excessive inconveniences’ for the persons concerned in light of the objective pursued. In the present case, the EDPB understands the need, on the one hand, to ensure that data subjects’ personal data are processed in accordance with the GDPR and not subject to disproportionate risks and, on the other hand, to ensure the integrity of such data and the rights of the data subjects.

259. The EDPB has previously recalled that the seriousness of the infringement is an important element to take into account when assessing the proportionality of a corrective measure, as Recital 148 GDPR demonstrates[533]. In this case, the IE SA underlines, following the Schrems II judgement, that the essence of the fundamental right to a judicial remedy is not respected with regard to data subjects whose data is transferred to the US[534]. This contributes to considering the breach at stake as a particularly serious infringement, as concluded in paragraph 99 of this Binding Decision.

260. The EDPB takes note of Meta IE’s submissions where it argues that, given the inherent interconnectedness of the Facebook service’s social graph, ‘any order to “cease the processing” of Meta Ireland User Data in the US […] would in effect be an order to delete such data’[535].

261. The EDPB considers, however, that the order proposed by the FR SA and the DE SAs does not impose a specific manner for the controller to comply with it. On the contrary, it gives enough room of manœuvre to Meta IE to identify the most suitable manner to implement the order, in accordance with its accountability obligations. Taking this into consideration, the EDPB is of the view that this is the least onerous measure possible, as the controller will be the one ultimately making the choice of the specific manner to comply with the order. It goes without saying that, when deciding on the means to comply and when implementing the necessary steps to do so, the rights of data subjects must be respected, as it stems from Article 24(1) GDPR.

262. Therefore, the EDPB is of the view that the proposed order is proportionate to the aim pursued, since it is the least onerous measure possible and it does not create disproportionate disadvantages to the aim pursued.

Conclusion

263. On the basis of the conclusions above, the EDPB considers that an order to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR is appropriate, necessary and proportionate to the circumstances of the case.

264. With regard to the period for compliance with such order, the EDPB takes note of the FR SA’s request that such period shall ‘allow data subjects to exercise their rights’[536]. The FR SA does not specify a concrete timeframe. The DE SAs consider that the order should be complied with ‘within a reasonable period of time, which shall not exceed 6 months after the termination of this cooperation procedure’[537].

265. On the one hand, the EDPB understands that compliance with the order may require technical and organisational adjustments on the side of Meta IE. On the other hand, the EDPB notes that the compliance period proposed by the DE SAs is considerably longer than the one envisaged in the Draft Decision regarding the transfer suspension order. Therefore, the EDPB considers that a period of 6 months, as requested by the DE SAs, provides sufficient time for Meta IE to identify and implement the specific measures to bring processing operations into compliance.

266. The order to bring processing operations into compliance with Chapter V GDPR should take effect on the date of notification of the IE SA’s final decision to Meta IE.

267. On the basis of the above considerations, the EDPB instructs the IE SA to include in its final decision an order for Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the IE SA’s final decision to Meta IE.

6 BINDING DECISION

268. In light of the above, and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following Binding Decision in accordance with Article 65(1)(a) GDPR.

269. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in accordance with Article 65(2) GDPR.

On the imposition of an administrative fine

270. The EDPB decides that the objections of the AT, DE, FR and ES SAs regarding the absence in the Draft Decision of an administrative fine for the infringement by Meta IE of Article 46(1) GDPR meet the requirements of Article 4(24) GDPR.

271. The EDPB concludes that, considering the assessment carried out in this Binding Decision of the relevant factors under Article 83(2) GDPR referred to in the relevant and reasoned objections, namely the factors under Article 83(2)(a), (b), (d), (g), and (k) GDPR, as well as of the criteria under Article 83(1) GDPR, the IE SA’s decision not to impose a fine for the breach by Meta IE of Article 46(1) GDPR does not comply with the GDPR.

272. More specifically, the EDPB instructs the IE SA to impose an administrative fine on Meta IE on the basis of the assessment of the relevant factors in Article 83(2) GDPR as analysed above and summarised as follows:

- the gravity of the infringement, taking into account the particularly large scope of the processing and the very high number of data subjects affected[538], as well as the long duration of the infringement, which is still ongoing[539] (Article 83(2)(a) GDPR);

- that Meta IE committed the infringement of Article 46(1) with at least the highest degree of negligence (Article 83(2)(b) GDPR)[540];

- that Meta IE bears a high degree of responsibility (Article 83(2)(d) GDPR)[541];

- that a wide range of categories of personal data are affected by the infringement, including personal data covered by Article 9 GDPR (Article 83(2)(g) GDPR)[542];

- that Meta IE’s design of the FB service prevents it from providing this service in the EU/EEA without the FB International Transfers - found to be in breach of the GDPR - which suggests that a considerable part of its profits derived from the provision of the service in the EU arise from the breach of the GDPR (Article 83(2)(k) GDPR)[543].

273. In light of the above, the EDPB instructs the IE SA to impose an administrative fine on Meta IE for the infringement of Article 46(1) GDPR that is in line with the principles of effectiveness, proportionality and dissuasiveness under Article 83(1).

274. The EDPB further instructs the IE SA, in determining the amount of the fine, to give due regard to the relevant aggravating factors under Article 83(2) GDPR, namely the factors referred to in Article 83(2)(a), (b), (g), (d), (k) GDPR, as described and detailed above. Based on the evaluation of the factors under Article 83(2)(a), (b) and (g) GDPR, the EDPB takes the view that the infringement is of a high level of seriousness[544], which in accordance with the EDPB Guidelines on calculation of fines[545] should lead to determining the starting amount for further calculation of the fine at a point between 20 and 100% of the applicable legal maximum.

275. Regarding the turnover of the undertaking, the EDPB instructs the IE SA to take into consideration the total turnover of all the entities composing the single undertaking (i.e. consolidated turnover of the group headed by Meta Platforms, Inc.) for the financial year preceding the date of the final decision.

On the imposition of an order regarding transferred personal data

276. The EDPB decides that the objections of the DE and FR SAs regarding the absence in the Draft Decision of an order with regard to the data unlawfully transferred to and currently stored in the US meet the requirements of Article 4(24) GDPR.

277. The EDPB concludes that the objections of the DE and FR SAs request the imposition of an order to Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR.

278. The EDPB concludes that, considering the assessment carried out in this Binding Decision on the appropriateness, necessity and proportionality of such an order, the IE SA’s decision not to impose an order with regard to the EEA users’ data unlawfully transferred to and currently stored in the US does not comply with the GDPR.

279. In light of the above, the EDPB instructs the IE SA to include in its final decision an order for Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the IE SA’s final decision to Meta IE.

7 FINAL REMARKS

280. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this Binding Decision pursuant to Article 65(6) GDPR.

281. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

282. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding Decision without undue delay and at the latest by one month after the Board has notified its Binding Decision.

283. The IE SA shall inform the Board of the date when its final decision is notified to the controller[546]. This Binding Decision will be made public pursuant to Article 65(5) GDPR without delay after the IE SA has notified its final decision to the controller[547].

284. The IE SA will communicate its final decision to the Board[548]. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions that have been subject to the consistency mechanism.

For the European Data Protection Board

The Chair

(Andrea Jelinek)

  1. OJ L 119, 4.5.2016, p. 1.
  2. References to ‘Member States’ made throughout this decision should be understood as references to ‘EEA Member States’.
  3. EDPB Rules of Procedure, adopted on 25 May 2018 (current version: adopted on 6 April 2022).
  4. All the German SAs were engaged as Supervisory Authorities concerned in this inquiry. The objection was raised by the Hamburg SA also on behalf of the German Federal SA, Baden-Wurttemberg SA, both Bavarian SAs (Der Bayerische Landesbeauftragte für den Datenschutz, Bayerisches Landesamt für Datenschutzaufsicht), Berlin SA, Brandenburg SA, Bremen SA, Hessen SA, Mecklenburg-Western Pomerania SA, Lower Saxony SA, North Rhine-Westfalia SA, Rhineland-Palatinate SA, Saarland SA, Saxony SA, Saxony-Anhalt SA, Schleswig-Holstein SA, Thuringia SA.
  5. It was clarified by the IE SA that the Inquiry and the Draft Decision relate to the Facebook Service only. Draft Decision, paragraph 1.8. The Facebook Service was defined by Meta IE in its submissions on the Preliminary Draft Decision dated 2 July 2021 (p. 5 and paragraph 1.1 on p. 11) as ‘the Facebook service (available at the website www.facebook.com and via mobile application)’.
  6. Meta Platforms, Inc. is formerly Facebook, Inc.
  7. It was clarified by the IE SA that the geographical scope of the inquiry is limited to users of the Facebook Service in the EU/EEA. Draft Decision, paragraph 1.8.
  8. It was clarified by the IE SA that the Inquiry relates to transfers carried out on the basis of: - the 2010 SCC Decision and the 2010 SCCs (Commission Decision 2010/87, OJ 12/2/2010, repealed on 26 September 2021), - and, then, the 2021 SCC Decision (Commission Implementing Decision 2021/914 of 4 June 2021, OJ L 199, 7.6.2021, p. 31-61) and the 2021 SCCs. See Draft Decision, paragraphs 1.8, 5.20.
  9. Judgement of the Court of Justice of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18, ECLI:EU:C:2020:559.
  10. Preliminary Draft Decision, paragraph 1.2.
  11. Draft Decision, paragraph 9.50. The reference in said paragraph to inquiry ‘IN-18-6-3’ amounts to an editorial mistake and should be read as ‘IN-21-6-3’.
  12. This complaint was lodged on 25 June 2013 (Draft Decision, paragraph 2.6), then reformulated and resubmitted on 1 December 2015 (Draft Decision, paragraph 2.25) and then further rescoped in the context of the settlement of the subsequent judicial review proceedings (as described in paragraph 2.47 of the Draft Decision).
  13. Memorandum to the EDPB Secretariat dated 19 January 2023, p. 1. The Draft Decision explains that Schrems also applied for judicial review against the DPC (this occurred on 8 October 2020). Following a settlement reached between the IE SA and Schrems, the application was struck out by Order of the High Court on 13 January 2021 and the complaint referred to in the previous footnote was re-scoped. See Draft Decision, paragraph 2.47, referring to High Court Record No. 2020 / 707JR.
  14. Memorandum to the EDPB Secretariat dated 19 January 2023, p. 2.
  15. Draft Decision, paragraphs 4.19-4.20.
  16. Draft Decision, paragraphs 1.6 and 2.44.
  17. Draft Decision, paragraph 2.45.
  18. Draft Decision, paragraph 2.46.
  19. AT SA Objection, dated 2 August 2022, DE SAs Objection, dated 3 August 2022, ES SA Objection, dated 29 July 2022, FR SA Objection, dated 3 August 2022.
  20. Comment of the Norwegian SA, 17 July 2022; Comment of the Finnish SA, 22 July 2022; Comment of the Bulgarian SA, 2 August 2022; Comment of the Hungarian SA, 3 August 2022; Comment of the Polish SA, 3 August 2022; Comment of the Dutch SA, 3 August 2022. These comments are not part of the dispute resolution procedure. For the purposes of completeness the EDPB notes that the IE SA provided a reply to the Comment of Finnish SA on 22 July 2022.
  21. Response of the DE SAs to the Composite Response dated 27 September. In addition, some of the CSAs who raised comments (i.e., the Dutch SA, the Polish SA, the Norwegian SA, and the Hungarian SA) provided replies to the Composite Response.
  22. This was carried out by withdrawing the initial request in the IMI and re-submitting it.
  23. EDPB Guidelines on Article 65(1)(a) GDPR, paragraphs 94-108.
  24. The General Court found in its Order of 7 December 2022, WhatsApp v European Data Protection Board, T-709/21, EU:T:2022:783 (hereinafter, ‘T-709/21 WhatsApp’) that the controller addressed by the final decision of the LSA was not directly concerned by the EDPB Binding Decision 1/2021, adopted on 28 July 2021 (hereinafter, ‘Binding Decision 1/2021’) since it did not in itself bring a distinct change in the applicant’s legal position and constituted a preparatory or intermediate act. The General Court also clarified the Binding Decision 1/2021 had no legal effect vis-a-vis the controller that was independent of the final decision, on which the LSA had a measure of discretion. As a consequence, the General Court dismissed the action for annulment brought by WhatsApp Ireland Ltd as inadmissible, given that the conditions laid down in the fourth paragraph of Art. 263 TFEU had not been met. See T-709/21 WhatsApp, paragraphs 41-61.
  25. In particular, Meta IE PD Submissions dated 2 July 2021, Meta IE PD Supplemental Submissions dated 1 September 2021, the Meta IE Response to Schrems PDD Submissions, the Meta IE Revised PD Submissions dated 29 April 2022, the Meta IE Art. 65 Submissions dated 2 November 2022.
  26. According to Art. 65(1)(a) GDPR, the Board will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or the LSA has rejected such an objection as being not relevant or reasoned.
  27. DE SAs Objection, p. 1; AT SA Objection, p. 1.
  28. Draft Decision, paragraph 7.201.
  29. Draft Decision, paragraph 7.202.
  30. Draft Decision, paragraph 8.106.
  31. Draft Decision, paragraph 9.1.
  32. Draft Decision paragraph 9.24, referring to the Schrems II judgment, paragraph 112.
  33. Draft Decision paragraph 9.25.
  34. The AT SA considers this order in its objection as ‘suitable to bring the processing in compliance with Chapter V of the GDPR’ (AT SA Objection, p. 3). The DE SAs ‘strongly welcome and support this order’ (DE SAs Objection, p. 2). See also ES SA Objection, p. 2. The FR SA ‘does not question the statement in the Draft Decision that the suspension of transfers is a measure to resolve the identified infringement’ (FR SA Objection, paragraph 8, p. 3). Therefore, the suspension order is not subject to any objection from the CSAs and falls outside the scope of the dispute and therefore of the competence of the EDPB.
  35. Annex to the IE SA’s letter to Meta IE dated 28 September 2023.
  36. Composite response, p. 1.
  37. Composite response, p. 6.
  38. Meta IE Article 65 Submissions, paragraph 1.4.
  39. Meta IE Art. 65 Submissions, paragraph 1.5.
  40. Meta IE Art. 65 Submissions, paragraph 1.6.
  41. IE SA letter to Meta IE dated 19 January 2023, p. 2 and 4.
  42. IE SA letter to Meta IE dated 19 January 2023, p. 4.
  43. Art. 65(1)(a) GDPR and Art. 4(24) GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.
  44. EDPB Guidelines on RRO. The Guidelines (version 2) were adopted on 9 March 2021, after the commencement of the inquiry by the IE SA relating to this particular case.
  45. ‘The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Art. 4(24) GDPR and, if so, address the merits of the objection in the binding decision.’ See EDPB Guidelines on Art. 65(1)(a) GDPR, paragraph 63.
  46. See paragraphs 21 to 29 above.
  47. Draft Decision, paragraph 9.47.
  48. Draft Decision, paragraph 9.48.
  49. Draft Decision, paragraph 9.48.
  50. Draft Decision, paragraph 9.48.
  51. AT SA Objection, p. 1, DE SAs Objection, p. 7, ES SA Objection, p. 3, FR SA Objection, p. 2.
  52. See footnote 34 above.
  53. According to the AT SA, ‘in the interest of consistent enforcement as well as to strengthen enforcement of the GDPR, an administrative fine is effective in the present case for counteracting the established infringement in the past’ (AT SA Objection, p. 3). According to the DE SAs, ‘Only the imposition of an administrative fine regarding the infringement of Art. 46 (1) GDPR at least for the time since the Schrems-II judgment can ensure the effective enforcement of the GDPR in this case’ (DE SAs Objection, p. 7).
  54. AT SA Objection, p. 2 (the suspension ‘does not appear to be sufficient in the present case and does not reflect the seriousness and severity of the infringement’), DE SAs Objection, p. 1 (‘the envisaged actions in relation to the controller in the draft decision do not comply with the GDPR because they are not sufficient to remedy the infringements’).
  55. ES SA Objection, p. 3; FR SA Objection, paragraph 8, p. 3.
  56. See paragraphs 37-38 above.
  57. AT SA Objection, p. 1 (‘the Austrian DPA is not convinced by the DPCs assessment’), p. 2 (‘The fact that the DPC does not make use of its corrective powers according to Art. 58(2)(i) GDPR is based on the inaccurate assessment that an administrative fine would not be effective, proportionate and dissuasive’); DE SAs Objection, p. 7 (‘The draft decision considered, that the imposition of an administrative fine would have no meaningful dissuasive effect. We respectfully cannot share this view’). ES SA Objection, p. 2. FR SA Objection, p. 1-3.
  58. AT SA Objection, p. 2.
  59. AT SA Objection, p. 2. The AT SA also argues that ‘Not imposing a fine on Meta Ireland would demonstrate to controllers – including Meta Ireland – that past infringements of the GDPR will not be properly addressed and that the enforcement of the GDPR and its provisions is not as effective. There would be little incentive to bring processing in connection with the transfer of personal data to a third country in compliance with the GDPR.’ (AT SA Objection, p. 2).
  60. AT SA Objection, p. 2.
  61. AT SA Objection, p. 2, DE SAs Objection, p. 11 (‘An administrative fine of a substantial amount would need to be imposed under Article 83 (1) and (2) for the unlawful processing of personal data. According to Article 83 (1) GDPR administrative fines shall in each individual case be effective, proportionate and dissuasive. The fine shall be both special preventive and general preventive’) and p. 12 (‘The DPC should impose an effective, proportionate and dissuasive administrative fine against Meta for the infringement of Article 46 (1) GDPR at least for the time of the infringement since the Schrems II judgment of 16 July 2020’); ES SA Objection, p. 3 (‘... imposition of a fine that should be proportionate, dissuasive and effective’). In this regard, the ES SA recalls the Binding Decision 1/2021, paragraph 321 (‘the overarching purpose of Article 83 GDPR is to ensure that for each individual case, the imposition of an administrative fine in respect of an infringement of the GDPR is effective, proportionate and dissuasive’; ‘the ability of SAs to impose such deterrent fines highly contributes to enforcement and therefore to compliance with the GDPR’).
  62. FR SA Objection, paragraph 9, p. 3. DE SAs Objection, p. 8. ES SA Objection, p. 2. AT SA Objection, p. 2.
  63. ES SA Objection, p. 2. In this regard, the ES SA stated it disagrees with the IE SA that the suspension or prohibition are the only possible measures to be taken, because the Schrems II Judgment refers to the fact that one of the two must be adopted but does not preclude the adoption of other measures. The ES SA also refers to Art. 58(2)(i) GDPR allowing the imposition of administrative fines ‘in addition to, or instead of’ the other measures depending on the circumstances of each individual case.
  64. ‘The wording of the first sentence [of Recital 148 GDPR] indicates that while it is possible to refrain from an order, when a fine is imposed, the opposite is not true’, DE SAs Objection, p. 8.
  65. AT SA Objection, p. 3, making reference to Art. 58(2)(i) GDPR and Recital 148 GDPR.
  66. AT SA Objection, p. 3. The AT SA refers to the Binding Decision 1/2021, particularly paragraph 414, to support the argument that a fine should reflect the circumstances of the case including those of the controller/processor who committed the infringement, namely its financial position.
  67. DE SAs Objection, p. 7.
  68. ES SA Objection, p. 2.
  69. FR SA Objection, paragraph 8, p. 3.
  70. AT SA Objection, p. 3.
  71. DE SAs Objection, p. 11. The DE SAs also highlight that an ‘undertaking cannot expect in good faith that the unlawful processing that has been going on for several years will not be sanctioned’ (DE SAs Objection, p. 11).
  72. ES SA Objection, p. 3.
  73. AT SA Objection, p. 4; DE SAs Objection, p. 7-9, 11 (p. 11: ‘When weighing in the aspects of specific and general deterrence correctly, this also would have led to the decision to impose a fine. Aspects of both specific and general deterrence in this case additionally lead towards the imposition of a fine. Even if the DPC – as it wrongfully did – considered only a low weight for specific deterrence, all the other factors in quantity as well as quality clearly outweigh the DPC’s mitigating considerations’); ES SA Objection, p. 3; FR SA Objection, paragraphs 16-17.
  74. AT SA Objection, p. 4.
  75. AT SA Objection, p. 4. In this regard, the AT SA also argues that if an administrative fine was not imposed in this case ‘controllers would be of the impression that, even in case of an infringement of Art. 46(1) GDPR, respectively Chapter V of the GDPR, a future suspension of data transfers is the “worst-case outcome” and no other consequences for an unlawful behaviour in the past are to be expected’ (AT SA Objection, p. 4).
  76. DE SAs Objection, p. 8.
  77. DE SAs Objection, p. 9. According to the DE SAs, if the IE SA ‘would have assessed this correctly, it would have come to a different conclusion regarding the imposition of a fine’ (DE SAs Objection, p. 9).
  78. DE SAs Objection, p. 7.
  79. DE SAs Objection, p. 7.
  80. DE SAs Objection, p. 7.
  81. ES SA Objection, p. 3.
  82. FR SA Objection, paragraphs 16 and 17.
  83. AT SA Objection, p. 4.
  84. DE SAs Objection, p. 8.
  85. DE SAs Objection, p. 7.
  86. DE SAs Objection, p. 8.
  87. DE SAs Objection, p. 8.
  88. DE SAs Objection, p. 8. According to the DE SAs, if the IE SA ‘would have assessed this correctly, it would have come to a different conclusion regarding the imposition of a fine’ (DE SAs Objection, p. 8).
  89. ES SA Objection, p. 3.
  90. FR SA Objection, paragraph 16.
  91. On p. 8 of their objection, the DE SAs state that the IE SA ‘applied its discretion incorrectly, by not assessing certain factors, establishing factors incorrectly, weighing individual factors incorrectly and coming to an overall incorrect conclusion in the overall weighing of all relevant factors. If the [IE SA] would have applied this correctly, it would have come to the conclusion that a fine is indispensable and should be imposed in this case.’ Also, on p. , the DE SAs state that the IE SA ‘did not really take into account the factors in Article 83(2) GDPR, but only considerations regarding specific deterrence’ (DE SAs Objection, p. 9).
  92. AT SA Objection, p. 3.
  93. DE SAs Objection, p. 9. According to the DE SAs, ‘Even if we assume that the [IE SA] did take these factors into account, it failed to weigh them correctly’ (DE SAs Objection, p. 9), and if the IE SA had considered or correctly weighed these factors it would have come to the ‘conclusion that there a great many of substantial aggravating factors in terms of Article 83(2) GDPR but no mitigating ones’, which ‘alone should have led to the decision to impose a fine’ (DE SAs Objection, p. 11).
  94. DE SAs Objection, p. 9.
  95. In its objection, the AT SA carries out an analysis of how certain factors listed by Art. 83(2) GDPR should be taken into account as ‘aggravating’ factors ‘when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine’ (AT SA Objection, p. 3-4). The DE SAs recall that ‘When deciding on whether to impose a fine or not the LSA has to take into account the sanctioning principles in Art. 83(1) GDPR as well as the specific factors in Art. 83(2) GDPR’ and that the ‘wording of Art. 83(2) GDPR […] suggests that the criteria set out in Art. 83 (2) GDPR are not only important for the assessment of the level of an administrative fine, but also influences the discretion to issue an administrative fine. That conclusion is also supported by the French wording’ (DE SAs Objection, p. 7). The DE SAs state that ‘the fulfilment of several of the aggravating factors listed in Art. 83(2) GDPR speaks strongly in favour of the imposition of an administrative fine’ (DE SAs Objection, p. 7). According to the DE SAs, if the IE SA ‘would have considered or correctly weighed these factors it would have come to the conclusion that there are a great many of substantial aggravating factors in terms of Art. 83 (2) GDPR, but no mitigating ones’ and this ‘alone should have led to the decision to impose a fine’ (DE SAs Objection, p. 11).
  96. ES SA Objection, p. 2-3. FR SA Objection, p. 2-4.
  97. In this regard, the AT SA notes that Meta Ireland has ‘for several years transferred personal data of numerous data subjects […] to Meta Platforms, Inc. in the United States’ infringing upon Chapter V GDPR and thus ‘substantially and continuously’ violating data subjects’ rights under Art. 7, 8, and 47 of the CFR (AT SA Objection, p. 3).
  98. The DE SAs noted that ‘the large number of data subjects concerned and the long period of the infringement, result in a very serious infringement, which is an aggravating factor’ (DE SAs Objection, p. 9). With respect to the number of data subjects concerned, the DE SAs consider it is a ‘high number’ in ‘the nine-digit range’ (DE SAs Objection, p. 12), and refer to the fact that Meta has 309 million daily active users in Europe (including Turkey and Russia, according to Meta’s annual report for the year 2021, form 10-K, p. 56) and is therefore one of the biggest operators of online platforms in the EU, resulting in the fact that ‘a large share of the entire population of the European Union is directly affected by the non-compliance of Meta’ (DE SAs Objection, p. 9 and footnote 17). The DE SAs also note that ‘the context of data processing extents to huge amounts of social interactions generated by these data subjects each and every day for the past and ongoing’ (DE SAs Objection, p. 9). With respect to the duration of the infringement, the DE SAs conclude that it is ‘more than two years’ (DE SAs Objection, p. 12) and highlight that ‘the duration of the infringement for the data subjects extents to even before GDPR under the previous regimen with the same legal obligations for controller’ and that at the latest with the Schrems II Judgment Meta became aware of this non-compliance, which is relevant for the factor in Art. 83(2)(b) GDPR (DE SAs Objection, p. 9).
  99. The ES SA stated in its objection that ‘this infringement is particularly serious since it concerns transfers that are not occasional or sporadic’, but rather ‘systematic, mass, repetitive and continuous in nature’. According to the ES SA, these circumstances ‘make it advisable to impose a fine appropriate to the seriousness of the infringement’. ES SA Objection, p. 2.
  100. The FR SA highlighted that the infringement at stake ‘is a particularly serious breach in terms of the privacy of the data subjects’ since ‘the transfers at issue expose the personal data of the data subjects to US Government surveillance programs’, and that the infringement ‘concerns a particularly massive volume of data, since the Facebook service has millions of users in the European Union’ (FR SA Objection, paragraph 6-7, p. 2). The FR SA concluded that an administrative fine must be imposed in this case given, inter alia, the ‘gravity of the infringement’, the ‘number of data subjects affected’ and the ‘nature and duration of the infringement’ (FR SA Objection, paragraph 10, p. 3).
  101. With respect to the ‘Intentional or negligent character of the infringement’ (Art. 83(2)(b) GDPR), according to the AT SA Meta Ireland ‘acted at least with conditional intent (dolus eventualis), since it must have seriously considered a violation of Chapter V GDPR when carrying out data transfers’, in particular following the Schrems II judgment, and the IE SA’s conclusion that Meta Ireland acted in good faith is ‘not convincing’ (AT SA Objection, p. 4).
  102. The DE SAs note that the ‘data processing of the undertaking is under scrutiny of supervisory authorities since about ten years’ and that ‘Two decisions of the CJEU declared the data transfers unlawful’, with the last decision being about two years ago (DE SAs Objection, p. 9). According to the DE SAs, ‘the controller at hand considered that ruling insufficient and waits for a change of the legal basis by the legislator, without taking sufficient steps on its own to remedy the non-compliance’, and ‘it was obvious that the supplementary measures proposed by Meta would not be able to remedy the situation in terms of the risks identified by the CJEU’ in the Schrems II Judgment (DE SAs Objection, p. 9). The DE SAs conclude that Meta’s ‘inactivity constitutes an intentional infringement’, at least in the form of dolus eventualis, and that this should be considered as an aggravating factor (DE SAs Objection, p. 9 and footnote 18). The DE SAs refer to the infringement as ‘intentional’ also on p. 12.
  103. The ES SA states in its objection that ‘the entity has been in breach of the GDPR despite its knowledge, since the judgment of 16 July 2020, that these transfers were in breach of the GDPR, because they still state that they cannot provide the service without carrying out the transfers and, in particular, because they have not yet implemented measures to guarantee users’ rights and have not proposed to introduce them until this procedure has been initiated’ (ES SA Objection, p. 3).
  104. The FR SA argues that ‘the infringement was committed deliberately by the company, which could not have been unaware of the unlawful nature of the transfers implemented, at least since the [Schrems II] judgment, as this judgment concerned the conditions under which the company was transferring personal data to the United States’ (FR SA Objection, paragraph 7, p. 2-3). The FR SA concluded that an administrative fine must be imposed in this case given, inter alia, the ‘intentional character’ (FR SA Objection, paragraph 10, p. 3).
  105. According to the DE SAs, the degree of responsibility is to be considered ‘not lower than average’, and concerning the ‘amount of data processed’ the ‘responsibility may have been heightened above average’; therefore, this should be considered as an aggravating factor (DE SAs Objection, p. 10).
  106. With respect to the factor laid down by Art. 83(2)(e) GDPR (‘any relevant previous infringements by the controller or processor’), the AT SA notes that this is ‘not the first case where the DPC has established a violation of the GDPR by Meta Ireland’ (AT SA Objection, p. 4).
  107. In this regard, the AT SA notes that Meta Ireland has ‘for several years transferred ... a high number of categories of personal data, including special categories of personal data (as laid down for example in paragraph 4.4 of the Draft Decision) to Meta Platforms, Inc. in the United States’ infringing upon Chapter V GDPR and thus ‘substantially and continuously’ violating data subjects’ rights under Art. 7, 8, and 47 of the CFR (AT SA Objection, p. 3).
  108. According to the DE SAs, the factor under Art. 83(2)(g) GDPR is to be considered as an aggravating factor (DE SAs Objection, p. 10). The DE SAs note that the infringement committed by Meta ‘affects all data that are uploaded by data subjects and analysed by the controller for its own purposes’ and thus ‘concerns everyday data of social interactions with family, friends, acquaintances and others’ (DE SAs Objection, p. 10). The DE SAs also argue that a ‘map of social contacts is very interesting for foreign law enforcement and intelligence agencies, so that such data is an obvious target for these entities’, and that the data allows to infer not only ‘many matters of private and professional lives’ but also ‘further data, including emotional and mental states’ (DE SAs Objection, p. 10). The DE SAs recall the Cambridge Analytica case to highlight that such data ‘can also be misused for political manipulation’ and ‘to manipulate democratic systems as a whole’ (DE SAs Objection, p. 10). In addition, the DE SAs highlight that the data at stake also include special categories of personal data, since the controller is ‘capable to channel advertisings regarding political opinions and possible further criteria’ (DE SAs Objection, p. 10 and footnote 19, where the objection makes reference to Meta’s Announcement of 9 November 2021, available here: https://www.facebook.com/business/news/removing-certain-ad-targeting-options-and-expanding-our-ad-controls).
  109. The ES SA highlighted that the transfers ‘include special categories of personal data’. According to the ES SA, these circumstances ‘make it advisable to impose a fine appropriate to the seriousness of the infringement’. ES SA Objection, p. 2.
  110. The FR SA highlighted that the processing at stake concerns personal data including ‘photographs, videos or messages’ as well as possibly ‘[s]ensitive information related to religious convictions or political opinions, or to health status of individuals’ (FR SA Objection, paragraph 6, p. 2).
  111. In respect of the manner in which the infringement became known, the DE SAs note only that this occurred via ‘a submission of a data subject, not by chance or report by the controller itself’ (DE SAs Objection, p. 10).
  112. According to the DE SAs, among the other aggravating or mitigating factors applicable to the circumstances of the case to be considered pursuant to Art. 83(2)(k) GDPR there is the fact that the ‘Meta Group is an extremely profitable undertaking’, looking at its turnover for 2021 and its financial report for the second quarter of 2022; this is to be considered as a ‘highly aggravating factor’, as the ‘considerable economic and financial capacity should be taken into account when calculating the fine’, ‘even if there would be no specific financial benefit gained with the infringement or where it could not be determined and/or calculated’ (DE SAs Objection, p. 10). The DE SAs also highlight that ‘Meta is a data driven undertaking and its turnover is almost completely a direct result of Meta’s data processing’, ‘cumulatively by one infrastructure from different markets with all effectivity and efficiency that results from that’, and that ‘Meta did not reinvest this turnover in order to withdraw the data from the US and to instead e.g. build up data centres in the EU’ (DE SAs Objection, p. 10). According to the DE SAs, this means that Meta ‘directly benefitted from its own non-compliance and non-action to establish compliance’ (DE SAs Objection, p. 10).
  113. DE SAs Objection, p. 12.
  114. The DE SAs argue that it should be ‘of a substantial amount’ and ‘in a range where it is not expected that the specific controller will commit similar infringements again’, meaning that the fine ‘needs to have such a noticeable impact on the profits of the undertaking that future infringements of data protection law would not be ‘discounted’ into the processing performed by the undertaking’ (DE SAs Objection, p. 11). According to the DE SAs, it has to be recalled also that the amount needs to have a general preventive effect, therefore it must be such that ‘other controllers will take an example in view of the amount of the fine and make significant efforts to avoid similar violations’ (DE SAs Objection, p. 11). The DE SAs also state that the ‘classification of the infringement in the high level of seriousness allows to determine an appropriate starting amount of 20 up to 100% of the fining range’, but ‘the high level of seriousness requires that the fining range must be used in such a way that the amount of the fine does not come close to the lower limit’ (DE SAs Objection, p. 12). The DE SAs also argue that another factor to be taken into account in calculating the amount of the fine is the financial benefit obtained by the undertaking, which should be ‘absorbed by the fine’: according to the DE SAs, ‘the undertaking saved expenses in the high nine-digit or lower ten-digit range’ due to the fact that ‘no complex organisational and technical measures were taken regarding data subjects located in the EEA to process their personal data only in the EEA and third countries with an adequate level of protection’ (DE SAs Objection, p. 12). Additionally, the DE SAs argue that the transfer of personal data to the US allowed ‘more detailed and reliable analyses of the users’ behaviour, which most likely may have increased the advertising value of the processed data’ (DE SAs Objection, p. 12). The DE SAs note that such findings are not part of the Draft Decision. 
The AT SA highlighted that the calculation of the amount of the fine to be imposed needs to rely upon the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 1.0, adopted on 12 May 2022 (hereinafter ‘EDPB Guidelines on calculation of fines’) (AT SA Objection, footnote 1) and appropriately take into account the circumstances of the individual case (AT SA Objection, p. 5) including the annual turnover of Meta Ireland. ‘The Austrian DPA is not in the position to assess the appropriate amount of the administrative fine as the Draft Decision lacks findings on the annual turnover of Meta Ireland, a relevant factor for this calculation. Therefore, further investigative steps on the annual turnover of Meta Ireland would be necessary.’ (AT SA Objection, p. 5). The FR SA argued that also ‘taking the company’s turnover into account’ a ‘very significant fine must be imposed’ and that a ‘particularly high fine is necessary in order that the sanction may be dissuasive and have a punitive function’ (FR SA Objection, paragraph 11, p. 3). The FR SA makes reference to Meta IE’s inescapable place in France’, to the fact that the Facebook social network dominates the social media market in France, to the ‘network effects’ generated by this, and to the role occupied by Facebook in other areas such as access to information or civil security (FR SA Objection, paragraphs 12-13, p. 3).
  115. AT SA Objection, p. 5 (‘In case the Draft Decision is approved in the current version, the absence of an administrative fine poses risks to the fundamental rights and freedoms of data subjects’), DE SAs Objection, p. 11-12, ES SA Objection, p. 2-3, FR SA Objection, p. 3-4.
  116. AT SA Objection, p. 5. Similarly, the AT SA argued that if the IE SA did not use its corrective powers there would be the ‘danger that other companies continue with unlawfully transferring personal data to the United States’ (AT SA Objection, p. 2).
  117. AT SA Objection, p. 5.
  118. AT SA Objection, p. 2.
  119. AT SA Objection, p. 2.
  120. DE SAs Objection, p. 12.
  121. The DE SAs also highlight that Recital 148 GDPR clarifies that administrative fines aim to strengthen the enforcement of the GDPR (DE SAs Objection, p. 11).
  122. According to the DE SAs, an ‘effective enforcement can only be reached if the fine is effective and both special preventive and general preventive. […] The lack of proposing a fine for the violation of Art. 46 (1) GDPR is, however, not able to create an effect in relation to the undertaking at all, much less a deterrent effect’ (DE SAs Objection, p. 12).
  123. DE SAs Objection, p. 12. The DE SAs also argue that the « lack of proposing a fine for the violation of Art. 46(1) GDPR is, however, not able to create an effect in relation to the undertaking at all » (DE SAs Objection, p. 12).
  124. ES SA Objection, p. 3.
  125. ES SA Objection, p. 3. The ES also highlights that , that it would set a precedent that would make it difficult to impose fines by reducing the enforcement power of the authorities and their ability to ensure effective compliance with the GDPR, that the non-imposition of a fine would lead the infringing entities to consider that the infringement of the GDPR does not have financial punitive consequences, that it would constitute discriminatory treatment in relation to other undertakings which are or may be fined for the same infringement.
  126. FR SA Objection, paragraph 14, p. 3.
  127. FR SA Objection, paragraph 14, p. 3.
  128. FR SA Objection, paragraph 15, p. 4.
  129. (reference is made to other services of Meta) (FR SA Objection, paragraph 16, p. 4).
  130. FR SA Objection, paragraph 17, p. 4.
  131. FR SA Objection, paragraph 18, p. 4.
  132. According to the AT SA, risks are posed for the ‘consistent application of the GDPR’ as ‘in similar cases ... an administrative fine would likely be imposed’, thus the Draft Decision ‘may lead to the provisions of the GDPR not being consistently implemented’ (AT SA Objection, p. 3, 5). The ES SA argues ‘it would constitute discriminatory treatment in relation to other undertakings which are or may be fined for the same infringement, and it is difficult to understand that such a serious infringement does not entail a fine. In addition it would set a precedent that would make it difficult to impose fines by reducing the enforcement power of the authorities and their ability to ensure effective compliance with the GDPR’ (ES SA Objection, p. 3).
  133. IE SA’s ‘Internal Assessment of the Status of Objections’, annex to the IE SA’s letter to Meta IE dated 28 September 2023.
  134. Memorandum to the EDPB Secretariat dated 19 January 2023, p. 2.
  135. Composite Response, p. 1.
  136. Composite Response, p. 2.
  137. Composite Response, p. 2.
  138. Composite Response, p. 2.
  139. Composite Response, p. 2.
  140. Data Protection Commissioner v Facebook Ireland Ltd and Another, Case C-311/18 ECLI:EU:C:2020:559, judgment delivered by the Court of Justice of the EU on 16 July 2020.
  141. Composite Response, p. 2.
  142. Composite Response, p. 2.
  143. Composite Response, p. 3.
  144. Composite Response, p. 3.
  145. Composite Response, p. 3.
  146. EDPB Guidelines on RRO, paragraph 32.
  147. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.28 (AT SA), 2.45 (DE SAs), 2.19 (ES SA), 2.37 (FR SA).
  148. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.29-2.30 (AT SA), 2.46-2.47 (DE SAs), 2.20-2.21 (ES SA), 2.38-2.39 (FR SA).
  149. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.31 (AT SA), 2.48 (DE SAs), 2.22 (ES SA), 2.40 (FR SA).
  150. EDPB Guidelines on RRO, paragraph 33 and examples 5 and 6.
  151. See EDPB Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR), adopted on 5 December 2022 (hereinafter, ‘Binding Decision 3/2022’) paragraphs 275-276 and 416, EDPB Binding Decision 4/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Instagram Service (Art. 65), adopted on 5 December 2022 (hereinafter, ‘Binding Decision 4/2022’) paragraph 265, and EDPB Binding Decision 5/2022 on the dispute submitted by the Irish SA regarding WhatsApp Ireland Limited (Art. 65 GDPR), adopted on 5 December 2022 (hereinafter, ‘Binding Decision 5/2022’), paragraphs 232-233.
  152. AT SA Objection, p. 5; DE SAs Objection, p. 12; ES SA Objection, p. 3; FR SA Objection, paragraphs 10-11 and 19.
  153. Meta IE argues these objections nevertheless present shortcomings as far as the clear demonstration of the significance of the risks posed by the Draft Decision required by Art. 4(24) GDPR is concerned, as further explained below.
  154. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.23 (ES SA), 2.42 (FR SA).
  155. Meta IE Art. 65 Submissions, Annex 1, paragraph 2.24. While Meta IE asserts in this paragraph that ‘Art. 83(2) GDPR sets out an exhaustive list of factors to be considered when deciding whether to impose an administrative fine’, the EDPB deems Art. 83(2) GDPR open-ended in nature. See Binding Decision 3/2022, paragraphs 386-387; Binding Decision 4/2022, paragraph 392; Binding Decision 1/2021, paragraph 410; See also EDPB Guidelines on calculation of fines, paragraph 108-109.
  156. Meta IE Art. 65 Submissions, Annex 1, paragraph 2.24.
  157. Meta IE Art. 65 Submissions, Annex 1, paragraph 2.42.
  158. EDPB Guidelines on RRO, paragraph 8.
  159. See Section 4.2 above.
  160. The EDPB Guidelines on RRO include this example (Example 7, paragraph 34).
  161. See EDPB Guidelines on RRO, paragraph 17; Binding Decision 3/2022, paragraph 422; Binding Decision 4/2022, paragraph 392.
  162. ES SA Objection, p. 2; Draft Decision, paragraphs 4.4, 4.7, 6.1, 8.45, 8.47, 8.49, 8.50, 8.57, 8.81, 8.82, 8.83, 8.85, 8.87, 8.89, 8.90.
  163. ES SA Objection, p. 3.
  164. FR SA Objection, paragraphs 6 and 7. See the summary cited by Meta IE above, paragraph 68.
  165. EDPB Guidelines on RRO, paragraph 16.
  166. AT SA Objection, p. 2-4; DE SAs Objection, p. 7-11; ES SA Objection, p. 2-3; FR SA Objection, paragraphs 6-17. See summary in Section 4 above.
  167. Meta IE Art. 65 Submissions, Annex 1, paragraph 2.32, citing AT SA Objection, p. 3.
  168. ‘[T]he Austrian DPA believes that in addition to the suspension of data transfers an administrative fine should be imposed’, AT SA Objection, p. 1.
  169. Meta IE Art. 65 Submissions, Annex 1, paragraph 2.25, citing ES SA Objection, p. 2.
  170. On the contrary, the ES SA states that ‘The AEPD agrees with the DPC’s conclusion that the suspension measure is less onerous than the prohibition and agrees that, as argued by the Irish authority, this measure is imposed instead of the prohibition. However, it does not agree that these are the only possible measures to be taken.’ (ES SA Objection, p. 2) and ‘the measure suspending transfers has effects with a forward-looking nature but has no punitive effect on the infringement committed and that which is still committed, so that the measure does not have a deterrent effect’ (ES SA Objection, p. 3). The reference to ‘effects with a forward-looking nature’ cannot be understood to mean the ES SA takes the view proposed by Meta IE.
  171. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.34 (AT SA), 2.25 (ES SA), 2.50 (DE SAs), 2.41 (FR SA).
  172. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.50 (DE SAs), 2.41 (FR SA).
  173. Draft Decision, paragraphs 1.6 and 2.1 and following.
  174. EDPB Guidelines on RRO, paragraph 37.
  175. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.34 (AT SA), 2.50 (DE SAs), 2.25 (ES SA), 2.41 (FR SA). See AT SA Objection, p. 4; DE SAs Objection, p. 7, 8-9; ES SA Objection, p. 3; FR SA Objection, paragraphs 14-18.
  176. ‘If an administrative fine were not imposed in this specific case, controllers would be of the impression that, even in case of an infringement of Article 46(1) GDPR, respectively Chapter V GDPR, a future suspension of data transfers is the “worst-case outcome” and no other consequences for an unlawful behavior in the past are to be expected. It is a cause of concern for the Austrian DPA that some controllers might come to the conclusion that the cost of continuing an unlawful practice will outweigh the expected consequences of an infringement and will be less inclined to comply with the GDPR.’ AT SA Objection, p. 4. ‘Indeed, there are many undertakings affected by the Schrems-II ruling. The case at hand therefore is a precedent that will affect many if not all other cases of third country data transfers as well and is closely watched by all undertakings participating in the Single Economic Market. If the only thing that they need to fear is an order to stop transfers from the order going forward, many managers might decide to just continue the transfer until they get caught’, DE SAs objection, p. 8. ‘[T]he non-imposition of a fine would lead the infringing entities to consider that the infringement of the GDPR does not have financial punitive consequences.’, ES SA Objection, p. 2. ‘Other controllers carrying out similar processing operations and in particular transferring personal data under similar conditions have thus no incentive to bring their transfers into conformity with the GDPR or to suspend them’, FR SA Objection, paragraph 17.
  177. See also EDPB Guidelines on RRO, paragraph 37; Judgement of the Court of Justice of 6 November 2003, Lindqvist, Case C-101/01, ECLI:EU:C:2003:596, paragraph 95; C-524/06 Huber, paragraph 50; Judgement of the Court of Justice of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C-468/10 and C-469/10, ECLI:EU:C:2011:777, paragraph 28.
  178. Meta IE Art. 65 Submissions, paragraph 15.2.
  179. Recital 150 GDPR; EDPB Guidelines on RRO, paragraph 34 and EDPB Guidelines on Article 65(1)(a) GDPR, paragraph 91; Binding Decision 1/2021, paragraph 281; Binding Decision 1/2022, paragraph 57; Binding Decision 2/2022, paragraph 191; Binding Decision 3/2022, paragraphs 291, 351 and 438; Binding Decision 4/2022, paragraphs 278, 292, 344 and 407, Binding Decision 5/2022, paragraphs 259, 303 and 306.
  180. The EDPB has explicitly confirmed, by means of examples in the EDPB Guidelines on RRO, that, when formulating relevant and reasoned objections, the CSAs can propose additional corrective measures, including fines. See paragraph 66 above and EDPB Guidelines on RRO, paragraph 33, examples 5 and 6.
  181. In this case, the EDPB can instruct the LSA to engage in a new calculation of the proposed fine on the basis of the criteria in Art. 83 GDPR and of the common standards established by the EDPB. EDPB Guidelines on RRO, paragraph 34.
  182. Meta IE Art. 65 Submissions, paragraphs 15.1-15.2.
  183. Meta IE Art. 65 Submissions, paragraph 15.1.
  184. See Art. 51(2), 60, 61(1) GDPR, and Judgment of the Court (Grand Chamber) of 15 June 2021, C-645/19 Facebook v Gegevensbeschermingsautoriteit, ECLI:EU:C:2021:483, paragraphs 53, 63, 68, 72. The EDPB notes that, in paragraph 7.2 of Meta IE Art. 65 Submissions, Meta IE refers to paragraph 112 of the Schrems II judgement and argues that ‘The DPC has sole competence to make a context-specific determination on what the specific corrective measures should be in each case. This is consistent with the statements in the CJEU Judgment that the competent supervisory authority, in making a determination regarding the exercise of corrective powers, is required to take into consideration all the circumstances surrounding the processing of personal data in question’. However, as previously recalled by the EDPB in paragraph 277 of Binding Decision 3/2022, the cooperation and consistency mechanism of the GDPR is not addressed in the Schrems II judgment.
  185. Art. 63, 65 GDPR.
  186. See EDPB Guidelines on RRO paragraph 33.
  187. Art. 65(1)(a) GDPR.
  188. See EDPB Guidelines on Art. 65(1)(a) GDPR, paragraph 92.
  189. Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, adopted on 3 October 2017 (WP 253), endorsed by the EDPB on 25 May 2018, hereinafter ‘EDPB Guidelines on Administrative Fines’.
  190. Meta IE Art. 65 submissions, paragraph 14.3. Meta IE also recalls Recital 129 GDPR and Art. 58(2)(i) GDPR.
  191. See e.g. Binding Decision 3/2022, paragraph 441; Binding Decision 4/2022, paragraph 440; Binding Decision 5/2022, paragraph 305. See also Guidelines on Administrative Fines, p. 7.
  192. DE SA Objection, p. 7, Section II, b.
  193. Binding Decision 2/2022, paragraph 196.
  194. Draft Decision, paragraph 9.47.
  195. Pursuant to Art. 11(2) of the EDPB Rules of Procedure and as also mentioned in paragraph 20 of the Guidelines on Art. 65(1)(a) GDPR.
  196. Guidelines on Administrative Fines, p. 9.
  197. Guidelines on Administrative Fines, p. 9. See also the analysis on p. 14 concerning the factor described in Art. 83(2)(f) GDPR.
  198. Meta IE Art. 65 Submissions, paragraph 18.2.
  199. Draft Decision, paragraph 9.41.
  200. DE SAs Objection, p. 9 ‘very serious’ and 12 ‘should be classified in the high level of seriousness’; ES SA Objection p. 2; FR SA Objection, p.2, paragraph 6; AT SA Objection, p.2, Section B.
  201. ES SA Objection p. 2.
  202. AT SA Objection, p.3.
  203. FR SA Objection, p. 2, paragraph 6.
  204. DE SAs Objection, p. 9.
  205. Meta IE Art. 65 Submissions, paragraph 18.5.
  206. In Meta IE Art. 65 Submissions, Annex 2, paragraph 2.9, Meta IE argues that ‘both the SCCs and Chapter V of the GDPR are designed to support large scale and systemic transfers. Accordingly, the mere fact that large scale transfers are taking place cannot in itself be a factor leading to the imposition of an administrative fine.’
  207. DE SAs Objection, p. 9.
  208. Draft Decision, paragraphs 8.45, 8.47, 8.49, 8.50, 8.57, 8.81, 8.82, 8.83, 8.85, 8.87, 8.89, 8.90.
  209. DE SA Objection, p. 9 - the DE SA refers to Meta IE’s annual report for the year 2021 (form 10-k), p.56.
  210. DE SAs Objection, p. 9.
  211. FR SA Objection paragraph 7.
  212. AT SA Objection, p. 2 Section B
  213. Meta IE Art. 65 Submissions, paragraph 18.7
  214. Meta IE PDD Submissions, paragraph 1.2.
  215. Meta IE Art. 65 Submissions, paragraph 18.7, annex 2 paragraphs 2.22(A)(i), 2.29(A), and 2.41(A)(i).
  216. Meta IE Art. 65 Submissions, paragraph 18.8. In the same paragraph, Meta IE also specifies that ‘based on the then most recent available data, all US Foreign Intelligence Surveillance Act of 1978 (‘FISA’) requests across all accounts globally across all of the Facebook Service, Messenger, Instagram and WhatsApp would involve only approximately 0.00094% of all activated accounts.’
  217. EDPB Guidelines on calculation of fines, paragraph 54, point b) iv, p. 17.
  218. The FR SA states in its objection: ‘Insofar as the data at stake come from accounts of the social network Facebook, which may contain a lot of information about the private life of users, there is a significant risk of infringement of the privacy of these individuals in case these data are actually transferred to the intelligence services in response to a request’ (FR SA Objection p. 2). Meta argues that by way of this sentence the FR SA acknowledges ‘that the large number of Meta Ireland Users involved does not equate to the number of Meta Ireland Users whose personal data may actually have been at risk of access by the USG, let alone at risk of suffering damage’ (Meta IE Art. 65 Submissions, paragraph 2.29 (A)). The EDPB highlights the interpretation of the concept of ‘number of data subjects affected’ as encompassing the data subjects ‘concretely but also potentially affected’ (EDPB Guidelines on calculation of fines, paragraph 54). While the FR SA referred in its objection to the further adverse consequences for those data subjects whose personal data is actually transferred to US intelligence services, on top of the data protection breach affecting all the personal data transferred, this should not be seen as limiting the number of data subjects affected as suggested by Meta IE. In this regard, Meta’s assurance that, for the time being, the data protection and redress rights of only ‘a relatively limited number of users globally’ have been put at risk (Meta IE Art. 65 Submissions, paragraph 2.29(A)), does not seem substantiated considering that, according to Meta IE, the transfers were carried out for ‘the purpose of supporting Meta Ireland in its provision of the Facebook Service to Meta Ireland Users’ (Meta IE Art. 65 Submissions, paragraph 18.5.) without any limitations being referred to and, in any event, it does not mean that such risk cannot materialise again and that the infringement will not affect even more users.
  219. DE SAs Objection, p.9, AT SA Objection p. 3, Section C.2.1
  220. AT SAs Objection, p.5, Section C.2.
  221. DE SAs Objection, p. 9.
  222. DE SAs Objection, p. 9.
  223. Meta IE Art. 65 Submissions, paragraph 18.3 and Annex 2 p. 61 2.41(A)(ii).
  224. Draft Decision, paragraph 1.3(1).
  225. Meta IE Art. 65 Submissions, paragraphs 8.10 - 8.12, paragraphs 16.1 - 16.5 and paragraph 18.10.
  226. Meta IE Art. 65 Submissions, paragraph 16.1.
  227. Meta IE Art. 65 Submissions, paragraph 8.10. The IE SA in its Composite Response also argues that this finding was not challenged by the CSAs.
  228. FR SA Objection, paragraphs 7 and 10, p. 2-3.
  229. ES SA Objection, p.3.
  230. AT SAs Objection, p. 4, Section C.2.1, DE SAs Objection, footnote 18 and p. 9.
  231. EDPB Guidelines on Administrative Fines, p. 11; EDPB Guidelines on Calculation of fines, paragraph 56.
  232. EDPB Guidelines on Administrative Fines, p. 11; EDPB Guidelines on Calculation of fines, paragraph 56.
  233. EDPB Guidelines on Administrative Fines, p. 11; EDPB Guidelines on Calculation of fines, paragraph 56.
  234. EDPB Guidelines on Calculation of fines, paragraph 57.
  235. DE SAs Objection, p. 9. The EDPB recalls that in both Schrems I and II judgments, the CJEU concluded that the US did not ensure an adequate level of protection and consequently invalidated the European Commission’s Safe Harbour and Privacy Shield Decisions. In Schrems II, the CJEU also considered the validity of standard data protection clauses in a Commission decision adopted pursuant to Art. 46(2)(c) GDPR and concluded that it was not affected.
  236. Draft Decision, paragraph 2.6.
  237. Judgement of the Court of 6 October 2015, Case C-362/14, Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650
  238. Draft Decision, paragraph 2.6.
  239. Draft Decision, paragraph 2.44 - Meta IE commenced the judicial review against the IE SA on 10 September 2020. In paragraphs 1.5 and 1.6 of the Meta IE PDD Submissions, Meta IE explains the following: ‘Following the CJEU Judgment, this own-volition inquiry IN-20-8-1 was commenced by the DPC under section 110 of the Data Protection Act 2018 (‘DPA 2018’) on 28 August 2020 (‘Inquiry’), by way of a Preliminary Draft Decision (‘PDD’) and letter to FIL dated 28 August 2020. FIL then commenced judicial review proceedings against the DPC (‘FIL JR’). Following the judgment of Judge Barniville in the FIL JR on 14 May 2021 (‘FIL JR Judgment’), the DPC wrote to FIL on 21 May 2021 informing it that it must make submissions in response to the PDD no later than 2 July 2021.’
  240. Meta IE incorporated the 2021 SCCs into its agreement with Meta US on 31 August 2021.
  241. Draft Decision, paragraphs 7.154 - 7.172. The IE SA had concluded in the Draft Decision that, in accordance with the Schrems II Judgment, US law does not provide a level of protection that is essentially equivalent to that provided by EU law. Draft Decision, paragraphs 7.173 and 7.202(1).
  242. Draft Decision, paragraphs 7.174 - 7.202.
  243. EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, Adopted on 18 June 2021 (hereinafter, ‘EDPB Recommendations on Supplementary Measures’).
  244. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, Adopted on 18 June 2021, paragraph 30.
  245. Meta IE Record of Safeguards, including supplementary measures of 31 August 2021, p.1; See also Meta IE TIA, paragraph 1.3 - ‘FIL’s conclusion as a result of this assessment is that the level of protection afforded by relevant US law and practice to data subjects whose personal data is transferred by FIL to FB, Inc. in the US pursuant to the 2021 SCCs is essentially equivalent to that guaranteed by Relevant EU Law as reflected by the EU Standard’.
  246. Meta IE PDD Submissions, paragraph 8.5.
  247. Draft Decision, paragraph 7.150.
  248. Draft Decision, paragraph 7.28.
  249. Draft Decision, paragraph 7.25.
  250. Draft Decision, paragraph 7.201(3)
  251. Preliminary Draft Decision, Section 7.
  252. Revised Preliminary Draft Decision, Section 7.
  253. In its Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p.4, the EDPB highlights that the derogations must be interpreted restrictively so that the exception does not become the rule. The EDPB also recalls that Recital 111 GDPR refers to ‘occasional’ and Art. 49(1) GDPR to ‘not repetitive’ in the ‘compelling legitimate interests’ derogation. The EDPB explains that these terms indicate that such transfers may happen more than once, but not regularly, and would occur outside the regular course of actions, for example, under random, unknown circumstances and within arbitrary time intervals. More specifically, a data transfer that occurs regularly within a stable relationship between the data exporter and a certain data importer can basically be deemed as systematic and repeated and can therefore not be considered occasional or not-repetitive. See also Draft Decision, paragraphs 8.11 - 8.16, 8.57, 8.83, 8.87 - 8.90. As the IE SA recalls, the CJEU has already established that, contrary to what Meta IE seems to be arguing, recitals explain the content of legal provisions and constitute important elements for the purposes of interpretation (Draft Decision, paragraphs 8.62-8.70).
  254. Even in criminal proceedings, the CJEU has acknowledged the existence of ‘serious negligence’ rather than ‘intentionality’ when ‘the person responsible commits a patent breach of the duty of care which he should have and could have complied with in view of his attributes, knowledge, abilities, and individual situation’. Judgment of the Court of Justice of 3 June 2008, The Queen, on the application of International Association of Independent Tanker Owners (Intertanko) and Others v Secretary of State for Transport, C-308/06, ECLI:EU:C:2008:312, paragraph 77.
  255. See Binding Decision 3/2022, paragraph 455 referring to Judgement of the Court of Justice of 3 June 2008, The Queen, on the application of International Association of Independent Tanker Owners (Intertanko) and Others v Secretary of State for Transport, C-308/06, ECLI:EU:C:2008:312, paragraph 77.
  256. See Binding Decision 2/2022, paragraph 204.
  257. See Meta IE PDD Submissions, Part E, p. 52 to 86.
  258. Meta IE PDD Submissions, paragraph 8.5.
  259. Meta IE PDD Submissions, Part C, paragraph 4.3
  260. Draft Decision, paragraph 7.175 (‘the supplemental measures introduced must not merely “mitigate” the deficiencies in US law, as Meta Ireland contends, but must ensure that data subjects receive essentially equivalent protection to EU law’), referring to Meta IE’s Response to the PDD, Part C, Paragraph 3.12.
  261. Draft Decision, paragraph 7.27.
  262. See Draft Decision, paragraphs 7.24 and 7.25; Meta IE PDD Submissions, paragraphs 3.11 and 3.12; Meta IE RPDD Submissions, paragraphs 4.1 to 4.4.
  263. Recital 108 GDPR, Schrems II judgment, paragraph 95.
  264. DE SAs Objection, p. 9, footnote 18
  265. AT SA Objection, p. 4.
  266. EDPB Guidelines on Calculation of fines, paragraph 57.
  267. EDPB Guidelines on calculation of fines, paragraph 78, referring to EDPB Guidelines on Administrative Fines, p. 12.
  268. EDPB Guidelines on calculation of fines, paragraph 79.
  269. EDPB Guidelines on calculation of fines, paragraph 82.
  270. EDPB Guidelines on calculation of fines, paragraph 82.
  271. Meta IE Art. 65 Submissions, paragraph 18.13.
  272. Meta IE Art. 65 Submissions, paragraph 18.14.
  273. Draft Decision, paragraphs 7.174-7.202. The IE SA analyses Meta IE’s Record of Safeguards and Supplementary Measures, as well as the Transfer Impact Assessment Summary
  274. Draft Decision, paragraphs 7.192 - 7.194.
  275. Draft Decision, paragraphs 7.192 - 7.194.
  276. EDPB Recommendations on Supplementary Measures, paragraph 83.
  277. DE SAs Objection, p. 10.
  278. FR SA Objection, paragraph 12.
  279. As explained in paragraph 34 of the Expert report of Professor Goldfarb presented by Meta IE as part of its Submissions on the PDD, the Facebook Service benefits at least three key groups: SMEs, non-profits, and individuals.
  280. See for example the information provided to the Facebook users in March 2021, as referred to by Meta IE in the Meta IE PDD Submissions, paragraph 6.6.
  281. FR SA Objection, paragraph 13.
  282. EDPB Guidelines on calculation of fines, paragraph 94.
  283. EDPB Guidelines on calculation of fines, paragraph 88.
  284. EDPB Guidelines on calculation of fines, paragraph 85. More specifically, the EDPB has clarified that, for the purpose of Art. 83(2)(e) GDPR, previous infringements of either the same or different subject matter to the one being investigated might be considered as ‘relevant’ (EDPB Guidelines on calculation of fines, paragraph 87). The EDPB has also clarified that, even though all prior infringements might provide an indication about the controller’s or processor’s general attitude towards the observance of the GDPR, infringements of the same subject matter must be given more significance, as they are closer to the infringement currently under investigation, especially when the controller or processor previously committed the same infringement (EDPB Guidelines on calculation of fines, paragraph 88).
  285. AT SA Objection, p. 4, Section C.2.3.
  286. IE Final decision dated 2 September 2022 in the matter of Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, and the ‘Instagram’ social media network further to an own-volition inquiry; IE SA Final decision dated 31 December 2022 concerning a complaint directed against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in respect of the Instagram Service; IE SA Final decision dated 31 December 2022 concerning a complaint directed against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in respect of the Facebook Service.
  287. The IE SA found that Meta IE infringed Art. 6(1) GDPR, 5(1)(a), 12(1) and 13(1)(c) GDPR.
  288. EDPB Guidelines on calculation of fines, paragraph 58.
  289. EDPB Guidelines on calculation of fines, paragraph 58.
  290. Draft Decision, paragraph 4.4.
  291. Draft Decision, paragraph 4.4.
  292. FR SA, paragraph 6, p. 2.
  293. DE SAs Objection, p. 10.
  294. DE SAs Objection, p. 10
  295. Draft Decision, paragraph 4.4. Part A of Appendix 1 to the Meta US’s Data Transfer and Processing Agreement of 25 May 2018 mentions: ‘Special categories of data - Such data may include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation; and genetic data and biometric data (as those terms are defined in the GDPR) for the purpose of uniquely identifying a natural person.’
  296. Draft Decision, paragraph 4.4. DE SAs Objection, p.10; FR SA Objection, p. 2, paragraph 6; ES SA Objection p.2; AT SA Objection, p. 3, Section C.2.1.
  297. Meta IE Art. 65 Submissions, paragraph 18.17.
  298. DE SAs Objection, p. 10.
  299. Meta IE Art. 65 Submissions paragraph 18.19.
  300. Draft Decision, paragraphs 1.3, 1.6, 2.6-2.47. Preliminary Draft Decision, paragraph 1.13.
  301. EDPB Guidelines on calculation of fines, paragraph 99.
  302. EDPB Guidelines on calculation of fines, paragraph 107.
  303. EDPB Guidelines on calculation of fines, paragraph 109.
  304. EDPB Guidelines on calculation of fines, paragraph 110.
  305. DE SAs Objections, p. 10.
  306. DE SAs Objections, p. 10.
  307. DE SAs Objections, p. 10.
  308. DE SAs Objections, p. 10.
  309. Meta IE Art. 65 Submissions, paragraph 18.24(A).
  310. Draft Decision, paragraph 9.46; Meta IE Art. 65 Submissions, paragraphs 6.3 and 12.8; See also Annex 5 to the Meta IE PDD Submissions - the Meta Ireland Data Transfers Report dated 2 July 2021, and the independent expert report from Professor Nieh of Columbia University dated 24 September 2021 (‘Nieh Expert Report’).
  311. Meta IE PDD Submissions, paragraph 2.6. (B)
  312. Binding Decision 3/2022, paragraph 119; Binding Decision 4/2022, paragraph 122.
  313. Meta IE PDD Submissions, paragraph 2.7 (E)
  314. Meta IE PDD Submissions, Part D, paragraph 4.56
  315. Draft Decision, paragraph 9.48.
  316. Composite Response, p.1.
  317. Meta IE Art. 65 Submissions, paragraphs 17.1 to 17.8.
  318. DE SAs Objection, p. 7-9; ES SA Objection, p. 2-3; FR SA Objection paragraphs 15-17; AT SA Objection, p. 3-4.
  319. EDPB Guidelines on Administrative Fines, paragraph 135.
  320. EDPB Guidelines on Administrative Fines, paragraph 135.
  321. The punitive objective pursued by administrative fines is also evident from the wording of Recital 148 which refers to ‘penalties’ which should be subject to appropriate procedural safeguards. See also EDPB Guidelines on Administrative Fines, paragraph 142; See also e.g. Binding Decision 01/2020, paragraph 196; Binding Decision 01/2022, paragraph 76; Binding Decision 3/2022, paragraph 382; Binding Decision 4/2022, paragraph 354.
  322. ES SA Objection, p. 2; FR SA Objection, paragraph 8.
  323. AT SA Objection, p.3, Section C1.
  324. EDPB Guidelines on calculation of fines, paragraph 143.
  325. EDPB Guidelines on calculation of fines, paragraphs 142-143, referring to Opinion of A-G Kokott in joined cases C-387/02, C-391/02 and C-403/02, Silvio Berlusconi and Others, paragraph 89.
  326. EDPB Guidelines on calculation of fines, paragraphs 142-143, referring to Opinion of A-G Kokott in joined cases C-387/02, C-391/02 and C-403/02, Silvio Berlusconi and Others, paragraph 89.
  327. See Opinion of AG Geelhoed in case C-304/02, Commission v France, paragraph 39.
  328. EDPB Guidelines on calculation of fines, paragraph 143; referring to Judgement of the Court of 13 June 2013, C-511/11 Versalis, ECLI:EU:C:2013:386, paragraph 94.
  329. Binding Decision 3/2022, paragraph 382.
  330. AT SA Objection, p. 4, Section C.3.
  331. DE SAs Objection, p.8.
  332. DE SAs Objection, p.8.
  333. See for example Meta IE Revised PDD Submissions on the, Part B, paragraph 5.1 and Part C, paragraph 5.2; Meta IE PDD Submissions, paragraph 8.4. See also Meta IE Art. 65 Submissions, paragraphs 16.4 and 18.4; Meta IE Art. 65 Submissions, Annex 2, paragraph 2.45.
  334. Meta IE PDD Submissions, Part C, p. 78-79.
  335. Meta IE PDD Submissions, paragraph 8.1.
  336. Schrems II judgement, paragraph 121.
  337. FR SA Objection, paragraph 15.
  338. FR SA Objection, paragraph 15.
  339. AT SA Objection, p. 2, Section B.
  340. FR SA Objection, paragraph 17.
  341. AT SA Objection, p. 4, Section C.3.
  342. See Opinion of AG Geelhoed in case C-304/02, Commission v France, paragraph 39.
  343. DE SAs Objection, p. 12.
  344. DE SAs Objections, p. 10.
  345. DE SAs Objection, p. 7.
  346. Judgement of the Court of 13 March 2012, Case C-380/09 (P), Melli Bank/Council, ECLI:EU:C:2012:137, paragraph 52; Judgement of the Court of 10 December 2002, Case C-491/01 British American Tobacco (Investments) and Imperial Tobacco, ECLI:EU:C:2002:741, paragraph 122; Judgment of the Court (Grand Chamber) of 6 December 2005, Joined Cases C-453/03, C-11/04, C-12/04 and C-194/04, ABNA and Others, ECLI:EU:C:2005:741, paragraph 68.
  347. Judgement of the Court of 11 July 1989, Hermann Schräder HS Kraftfutter GmbH & Co. KG v Hauptzollamt Gronau, Case 265/87, ECLI:EU:C:1989:303, paragraph 21.
  348. Judgement of the Court of 11 July 1989, Hermann Schräder HS Kraftfutter GmbH & Co. KG v Hauptzollamt Gronau, Case 265/87, ECLI:EU:C:1989:303, paragraph 21; See also Judgment of the Court of 12 July 2001, Jippes and Others, Case C‑189/01, paragraph 81; Judgment of the Court (Grand Chamber) of 7 July 2009, S.P.C.M. and Others, Case C‑558/07, ECLI:EU:C:2009:430, paragraph 41.
  349. EDPB Guidelines on calculation of fines, paragraph 138 - the EDPB has explained that ‘It follows that fines must not be disproportionate to the aims pursued (i.e. compliance with the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data), and that the amount of the fine imposed must be proportionate to the infringement, viewed as a whole, account being taken, in particular, of the gravity of the infringement’.
  350. EDPB Guidelines on calculation of fines, paragraph 139 referring to Judgment of the Court of 4 July 2000, C-387/97, Commission v Greece, ECLI:EU:C:2000:356, paragraph 90, and Judgment of the Court of 25 November 2003, C-278/01, Commission v Spain, ECLI:EU:C:2003:635, paragraph 41.
  351. DE SAs Objection p.12; See also paragraph 50 of this Binding Decision; AT SA Objection, p. 3, Section C.1.
  352. Meta IE Art. 65 Submissions, paragraph 17.2. Meta IE quotes the IE SA’s finding that an administrative fine would not be appropriate ‘In light of the complexities of this particular inquiry (the circumstances of which must include the comments of the CJEU, as set out in paragraph 202 of the CJEU Judgment, concerning the possible application of the Art. 49 GDPR derogations), [the DPC] remains of the view that the imposition of a punitive sanction is not an appropriate response.’
  353. Meta IE Art. 65 Submissions, paragraph 17.4, citing the Composite Response, p. 3.
  354. Draft Decision, paragraph 8.106.
  355. See paragraphs 143 to 158 above.
  356. AT SA Objection, p. 3, Section C.1.
  357. See paragraphs 89 to 142 above.
  358. Judgment of the Court of 11 July 1989, Hermann Schräder HS Kraftfutter GmbH & Co. KG v Hauptzollamt Gronau, Case 265/87, ECLI:EU:C:1989:303, paragraph 21.
  359. The AT SA refers to paragraph 414 of Binding Decision 1/2021 where the EDPB underlined that ‘in order to be effective, a fine should reflect the circumstances of the case. Such circumstances not only refer to the specific elements of the infringement, but also those of the controller or processor who committed the infringement, namely its financial position’. The EDPB considers that the same reasoning should be followed when deciding on the imposition of fines in general.
  360. EDPB Guidelines on calculation of fines, paragraphs 140-141; see also Binding Decision 01/2022, paragraph 68.
  361. Binding Decision 01/2022, paragraph 69.
  362. Binding Decision 01/2022, paragraph 70, referring to Judgment of the Court of 28 June 2005, Dansk Rørindustri and Others v Commission, joined cases C-189/02 P, C-202/02 P, C-205/02 P to C-208/02 P and C-213/02 P, ECLI:EU:C:2005:408, paragraph 327.
  363. According to the DE SAs Objection, the Meta group ‘has an annual profit (net income) of EUR 34.760 billion with a turnover of EUR 104.122 billion in 2021’. DE SAs Objection, p. 10, referring to Meta Reports Fourth Quarter and Full Year 2021 Results, https://investor.fb.com/investor-news/press-release-details/2022/Meta-Reports-Fourth-Quarter-and-Full-Year-2021-Results/default.aspx
  364. Meta IE Art. 65 Submissions paragraphs 17.4-17.8.
  365. ES SA Objection, p. 3
  366. AT SA Objection, p. 3, Section C.2. DE SA Objection, p. 11, cc.
  367. EDPB Guidelines on Administrative Fines, p. 9.
  368. EDPB Guidelines on calculation of fines, paragraph 52.
  369. See paragraphs 93 to 96 above.
  370. The infringement started more than two years ago and is still ongoing. See paragraphs 97 and 98 above.
  371. See EDPB Guidelines on calculation of fines, paragraph 61.
  372. See EDPB Guidelines on calculation of fines, paragraph 61.
  373. EDPB Guidelines on calculation of fines, paragraph 61, third indent.
  374. EDPB Guidelines on calculation of fines, paragraph 70 and footnote 38.
  375. EDPB Guidelines on calculation of fines, paragraph 71. The Guidelines clarify that each criterion of Art. 83(2) GDPR should only be taken into account once (paragraph 73).
  376. [MISSING]
  377. See also Binding Decision 01/2021, paragraph 291 and Binding Decision 3/2022, paragraph 356.
  378. See paragraph 84, footnote 190 and paragraph 145 above.
  379. Meta IE Art. 65 Submissions, paragraph 14.1.
  380. Meta IE Art. 65 Submissions, paragraph 14.3.
  381. Composite Response, p.2.
  382. Meta IE Art. 65 Submissions, paragraph 8.1.
  383. Meta IE Art. 65 Submissions, paragraph 8.2.
  384. EDPS Decision authorising temporarily the use of ad hoc contractual clauses between the Court of Justice of the EU and Cisco for transfers of personal data in the Court’s use of Cisco Webex and related services of 31 August 2021
  385. Decision of the European Data Protection Supervisor in complaint case 2020-1013 submitted by Members of the Parliament against the European Parliament of 5 January 2022
  386. Meta IE Art. 65 Submissions, paragraph 8.4.
  387. Meta IE Art. 65 Submissions, paragraph 8.7.
  388. Meta IE Art. 65 Submissions, paragraph 8.8.
  389. Judgment of the Court of 17 July 1963, Italian Republic v Commission of the European Economic Community, Case 13-63, ECLI:EU:C:1963:20, paragraph 4(a); Judgment of the Court of 23 February 1983, Wagner v Balm, Case 8/82, ECLI:EU:C:1983:41, paragraph 18.
  390. Judgment of the Court of Justice of 9 March 2010, European Commission v Federal Republic of Germany, Case C-518/07, ECLI:EU:C:2010:125, paragraph 25.
  391. Judgment of the Court of 27 September 1979, Eridania, Case 230/78, ECLI:EU:C:1979:216, paragraph 18.
  392. EDPB Guidelines on calculation of fines, paragraph 108.
  393. Judgment of 15 February 1996, Duff and Others, C-63/93, EU:C:1996:51, paragraph 20.
  394. Binding Decision 3/2022, paragraph 396, referring to Judgement of the Court of Justice of 14 April 2005, Belgium v. Commission, C-110/03, ECLI:EU:C:2005:223, paragraph 31; Judgement of the General Court of 17 May 2013, Trelleborg Industrie SAS, T-147/09, ECLI:EU:T:2013:259, paragraph 96; Judgement of the General Court of 13 July 2011, Schindler, T-138/07, ECLI:EU:T:2011:362, paragraph 99.
  395. Binding Decision 3/2022, paragraph 369, referring to Judgement of the Court of Justice of 22 October 2015, AC-Treuhand AG, C-194/14 P, ECLI:EU:C:2015:717, paragraph 42. The AG Campos Sanchez-Bordona also recently emphasized that there are domains where ‘legal advice tends to be the rule and not the exception’ (Opinion of the Advocate-General of 9 December 2021, French Court of Cassation, C-570/20, ECLI:EU:C:2021:992, paragraph 81), which is the case of data protection. See also, ECtHR (Gd ch.), Kononov v. Latvia, 17 May 2010, paragraphs 185 and 215.
  396. Judgment of the Court (Grand Chamber) of 18 June 2013, Schenker & Co. and Others, C‑681/11, ECLI:EU:C:2013:404, paragraph 38.
  397. See Binding Decisions 1/2020, 1/2021, 1/2022, 2/2022, 3/2022, 4/2022, 5/2022.
  398. See Binding Decisions 2/2022, 3/2022, 4/2022.
  399. Draft Decision, paragraph 9.49.
  400. Draft Decision, paragraph 9.49.
  401. Draft Decision, paragraph 9.49.
  402. DE SAs Objection, p. 6.
  403. DE SAs Objection, p. 4.
  404. DE SAs Objection, p. 2-6.
  405. DE SAs Objection, p. 2. The DE SAs also refer in this respect to the Draft Decision, which addresses these aspects, particularly, in paragraphs 7.169 and 9.51.
  406. DE SAs Objection, p. 3.
  407. DE SAs Objection, p. 3.
  408. DE SAs Objection, p. 3.
  409. DE SAs Objection, p. 2, citing the Schrems II judgment, paragraphs 108 and 112.
  410. DE SAs Objection, p. 3.
  411. DE SAs Objection, p. 5-6.
  412. Draft Decision, paragraph 9.49.
  413. DE SAs Objection, p. 4.
  414. DE SAs Objection, p. 4.
  415. DE SAs Objection, p. 4.
  416. DE SAs Objection, p. 4.
  417. DE SAs Objection, p. 4.
  418. DE SAs Objection, p. 2-5, citing the Schrems II judgment, paragraphs 184, 197 and following and the Draft Decision, paragraph 10.1.
  419. DE SAs Objection, p. 5: ‘Controllers could infringe the GDPR, but would not be required by the supervisory authority to remedy the infringements in full. Consequently, infringements could pay off for controllers. This could lead to a culture of non-compliance with the GDPR. It is clear that this would lead to risks for the fundamental rights and freedoms of the data subjects’.
  420. FR SA Objection, paragraphs 22-23.
  421. FR SA Objection, paragraphs 25-27.
  422. FR SA Objection, paragraph 26.
  423. FR SA Objection, paragraphs 23-25.
  424. FR SA Objection, paragraph 23.
  425. FR SA Objection, paragraph 25.
  426. FR SA Objection, paragraph 24.
  427. FR SA Objection, paragraph 23.
  428. IE SA’s ‘Internal Assessment of the Status of Objections’, annex to the IE SA’s letter to Meta IE dated 28 September 2023.
  429. Composite Response, p. 3.
  430. Composite Response, p. 3.
  431. Composite Response, p. 3.
  432. Composite Response, p. 3-4. In particular, the IE SA refers to Meta IE’s arguments on the interconnectedness of the Facebook service and the impossibility to re-sort the database locations by jurisdiction.
  433. Composite Response, p. 4.
  434. Composite Response, p. 5.
  435. Composite Response, p. 5.
  436. Composite Response, p. 5.
  437. Composite Response, p. 6.
  438. Composite Response, p. 6.
  439. Composite Response, p. 6.
  440. Composite Response, p. 6.
  441. EDPB Guidelines on RRO, paragraph 32.
  442. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.3 and 2.11.
  443. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.4 - 2.6, and 2.12.
  444. EDPB Guidelines on RRO, paragraph 33 and examples 5 and 6. See above, paragraph 66.
  445. See Binding Decision 3/2022, paragraph 416, Binding Decision 4/2022, paragraphs 265-269, and Binding Decision 5/2022, paragraphs 231 - 233.
  446. DE SAs Objection, p. 2; FR SA Objection, paragraphs 21-24.
  447. On the reasoning set out by the DE SAs, Meta IE alleges that the DE SAs do ‘not provide any supporting reasoning as to why it says that the DPC was mistaken in its factual findings’, without indicating which element of the DE SAs objection this allegation refers to (Meta IE Art. 65 Submissions, Annex 1, paragraph 2.16). Meta IE includes an example which refers only to the Composite Response and the DE SAs reply thereto, dated 27 September 2022. This example does not clarify which element of the DE SAs objection Meta IE is referring to in its allegation. On the factual elements and legal arguments put forward by the FR SA, Meta IE does not allege any shortcoming. Meta IE’s submissions on the risk posed by the Draft Decision are addressed below.
  448. DE SAs Objection, p. 2-6. See summary above, paragraphs 195-199. FR SA Objection, paragraphs 21-27. See summary above, paragraphs 200-202.
  449. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.7 and 2.14.
  450. Meta IE Art. 65 Submissions, Annex 1, paragraphs 2.7-2.9.
  451. Meta IE Art. 65 Submissions, Annex 1, paragraph 2.8.
  452. Meta IE Art. 65 Submissions, Annex 1, paragraph 2.15. Meta IE refers to its PDD response, Part E, paragraphs 3.9 to 3.12.
  453. Meta IE’s PDD Submissions, part E, paragraphs 3.9 onwards.
  454. Draft Decision, paragraph 7.150, citing in particular Meta IE’s PDD Submissions, Part E, paragraphs 3.9 onwards.
  455. Draft Decision, paragraphs 7.123 - 7126, citing in particular Meta IE PDD Submissions, Part A, paragraph 2.4(C) and Part E, paragraph 4.5.
  456. DE SAs Objection, p. 4-5.
  457. DE SAs Objection, p. 3 and footnote 12.
  458. DE SAs Objection, p. 5.
  459. FR SA Objection, paragraph 23.
  460. See above, paragraph 66.
  461. Recital 129 GDPR. EDPB Guidelines on Article 65(1)(a) GDPR, paragraphs 92-93.
  462. Art. 58(6) GDPR and Recital 129 GDPR.
  463. Schrems II judgement, paragraph 112.
  464. EDPB Guidelines on Article 65(1)(a) GDPR, paragraph 92.
  465. EDPB Guidelines on RRO, paragraph 32. See also EDPB Guidelines on Article 65(1)(a) GDPR, paragraph 92.
  466. EDPB Guidelines on RRO, paragraph 33.
  467. See above, paragraphs 195-202.
  468. FR SA Objection, paragraph 23; DE SAs Objection, p. 2-5.
  469. FR SA Objection, paragraph 25; DE SAs Objection, p. 3.
  470. With regard to the order to cease the processing of personal data requested by the DE SAs, the EDPB notes that, in accordance with the DE SAs, the processing will only cease in the US if the data are returned or deleted (DE SAs Objection, p. 4). Therefore, the EDPB will assess at the same time the request of the DE SAs on the cessation of the processing and the request of the FR SA on the return or deletion of the data. In this respect, ‘returning’ personal data refers to returning it either to the EEA or to a country that provides an adequate level of protection of personal data (see DE SAs Objection, p. 4).
  471. See, in particular, Case C-311/18, which states that, when several measures are equally appropriate, recourse should be had to the least onerous (paragraph 13).
  472. Schrems II judgment, paragraphs 93-105 (in particular, paragraphs 94 and 105); Art. 44-46 GDPR.
  473. Draft Decision, 9.43(7).
  474. Draft Decision, 9.46. This possibility is also underlined in the Composite Response (p. 6), where the IE SA highlights that the aim is to ‘leave room for the possibility that the deficiencies identified […] might yet be addressed’.
  475. Draft Decision, 9.43(2).
  476. Draft Decision, 9.39.
  477. Draft Decision, 7.201.
  478. Draft Decision, 9.13.
  479. Draft Decision, 8.41. See also Draft Decision paragraphs 8.23 - 8.45, 9.18 (in particular footnote 188), 9.28 and 9.41.
  480. Draft Decision, 9.22.
  481. FR SA objection, p. 22; DE SAs objection, p. 2 section b).
  482. In this respect the EDPB recalls that Art. 44 GDPR provides that ‘All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined’, which is applicable to ‘[a]ny transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation’, and also covers onward transfers of personal data.
  483. DE SAs objection, p. 2; FR SA objection, paragraphs 23 and 25. For instance, the DE SAs refer to the fact that the data subjects do not have effective legal remedies available to them.
  484. Schrems II, paragraph 111.
  485. Schrems II, paragraph 108.
  486. DE SAs Objection, p. 3-4.
  487. FR SA Objection, 27.
  488. DE SAs Objection, p. 4.
  489. FR SA Objection, paragraphs 24 and 26.
  490. With regard to the return of personal data stored in the US, the EDPB takes note of Meta IE’s views that the only way of ensuring that EEA users’ data is no longer stored in the US would be deletion (Meta IE’s A65 Submissions, 10.2-10.6). The EDPB also takes note of Meta IE’s submissions regarding the interconnectedness of the Facebook Service Social Graph and the replication thereof in all data centres. Thus, the EDPB understands that this design leads to the storage of all users’ data (including EEA users’ data) in all data centres, in the cache layer, as well as in the full copies of the user database available at or near each data centre. According to Meta IE, given the replication of the user database, the only way to remove EEA user data stored in US data centres as part of the social graph would be to remove those users entirely from Facebook (see, in particular: Meta IE Data Transfer Report, 10-14, 19, 24-27; Nieh Expert Report, paragraphs 7-13, 18-21; Meta IE’s reply to Schrems, Part B, paragraph 1.3-1.6; Meta PDD Submissions, part F, paragraphs 5.2-5.3).
  491. Art. 5(2) GDPR.
  492. Art. 24 GDPR.
  493. EDPB Recommendations on Supplementary Measures, paragraph 3.
  494. The DE SAs also make reference to this in the Objection. See, in particular, p. 4 where the DE SAs state that ‘the only way to ensure that the GDPR is fully enforced - except for an order to delete the personal data that have already been transferred - is to order the cessation of the processing of the personal data in the USA’ (emphasis added) and p. 5, where it is stated that ‘the cessation of the processing of personal data previously transferred to the USA can be implemented by different measures’ (emphasis added).
  495. The DE SAs refer several times to the need to bring processing into compliance. See, for example, p. 3 ‘full compliance with the GDPR would not be ensured’, p. 4 ‘the imposition of a compliance order cannot be surprising for the controller’ and p. 5, when addressing Art. 58(2)(d) GDPR.
  496. See DE SAs Objection, p. 5. See also last paragraph of p. 4.
  497. See FR SA Objection, paragraphs 26-27 and DE SAs Objection, p. 5. In this context, the FR SA considers it appropriate to order Meta IE to bring the processing of data already transferred into compliance (paragraph 26). The DE SAs refer to the cessation of the processing as a corrective measure, pursuant to Art. 58(2)(d) GDPR, to restore the level of protection of the GDPR (p. 5).
  498. Meta IE’s A65 Submissions, 11.4.
  499. Meta IE’s A65 Submissions, Annex 2, 1.11.
  500. See DE SAs Objection, end of p. 5.
  501. See Giurgiu, A., & Larsen, T. A. (2016). Roles and powers of national data protection authorities. European Data Protection Law Review (EDPL), 2(3), 342-352, p. 348.
  502. Schrems II judgment, paragraphs 99-101. See also Judgment of the Court of Justice of 6 November 2003, Lindqvist, Case C-101/01, ECLI:EU:C:2003:596, paragraphs 84-90; Schrems I judgment, paragraph 38; Judgment of the Court of Justice of 20 May 2003, Österreichischer Rundfunk and Others, C-465/00, C-138/01 and C-139/01, ECLI:EU:C:2003:294, paragraph 68; Judgment of the Court of Justice of 13 May 2014, Google Spain and Google, C-131/12, ECLI:EU:C:2014:317, paragraph 68; Judgment of the Court of Justice of 11 December 2014, Ryneš, Case C-212/13, ECLI:EU:C:2014:2428, paragraph 29.
  503. Meta IE’s A65 Submission, paragraph 11.4. Additionally, it is entirely consistent with the definition of ‘processor’ and with the description of the relationship between controller and processor enshrined in Art. 28 GDPR to consider a scenario where the controller asks the processor to perform actions concerning the personal data the processor is processing on behalf of the controller. The processor only processes data on documented instructions from the controller (Art. 28(3)(a) GDPR). See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.1 Adopted on 20 September 2022, in particular paragraphs 116 - 121.
  504. Meta IE’s A65 Submission, Annex 2, 1.10 b).
  505. In particular, Meta IE considers that Art. 58(2)(g) GDPR does not provide a legal basis for SAs to order the deletion of personal data which has not been requested previously by a data subject (Meta IE’s Art. 65 Submission, paragraphs 11.1 and following).
  506. EDPB Opinion 39/2021, paragraph 28.
  507. In the objection, the DE SAs refer several times to bringing processing into compliance, see above, footnote 495. See also the Objection of the FR SA, paragraphs 21-27.
  508. DE SAs Objection, p. 3-4.
  509. Commission Decision 2010/87, repealed on 26 September 2021 (hereinafter ‘old SCCs’).
  510. See Clause 12 of the old SCCs.
  511. Annex to the Commission Implementing Decision 2021/914, (hereinafter ‘current SCCs’), Clause 16(d).
  512. In particular, Meta IE argues that Recital 33 of the Privacy Shield applied in very specific circumstances of persistent failure to comply, which isn’t Meta IE’s case and, therefore, even if Meta IE would have carried out its transfers under the Privacy Shield, it wouldn’t have been required to return or delete the personal data (Meta IE’s A65 Submissions, Annex 2, 1.4). Further, with respect to the SCCs, Meta IE claims that the return or deletion is only triggered when the SCCs are terminated, but not when they are suspended. This, according to Meta IE, demonstrates that an order to return or delete the data would be disproportionate (Meta IE’s A65 Submissions, Annex 2, 1.17-1.18).
  513. Draft Decision, 9.49.
  514. Meta IE’s A65 Submissions, 10.5.
  515. Meta IE’s A65 Submissions, 12.7.
  516. Meta IE’s A65 Submissions, 12.9.
  517. Meta IE’s A65 Submissions, 12.12-12.14.
  518. In fact, Meta IE argues that ‘any order to “cease the processing” [of EEA users’ data in the US] in a manner requested by the Hamburg SA and the French SA would in effect be an order to delete all such data’ (Meta IE’s A65 Submissions, 10.6). The EDPB addresses this argument in particular in paragraph 261 of this Binding Decision.
  519. Art. 1(2) GDPR.
  520. C-311/18, Schrems II, paragraph 111 and Binding Decision 3/2022, paragraph 278, Binding Decision 4/2022, paragraph 280, and Binding Decision 5/2022, paragraph 305.
  521. Recital 129 GDPR.
  522. Binding Decision 1/2021, paragraph 256; Binding Decision 3/2022, paragraph 278, Binding Decision 4/2022, paragraph 280, Binding Decision 5/2022, paragraph 266.
  523. Judgment of the General Court of 12 December 2012, Electrabel v Commission, T-332/09, ECLI:EU:T:2012:672, paragraph 279; Judgment of the Court of 13 November 1990, The Queen v Minister of Agriculture, Fisheries and Food and Secretary of State for Health, ex parte: Fedesa and others, C-331/88, ECLI:EU:C:1990:391, paragraph 13; Judgment of the General Court of 26 October 2017, Marine Harvest, T-704/14, ECLI:EU:T:2017:753, paragraph 580; Judgment of the Court of 5 May 1998, United Kingdom of Great Britain and Northern Ireland v Commission of the European Communities, C-180/96, ECLI:EU:C:1998:192, paragraph 96; Judgment of the Court of 3 September 2009, Prym and Prym Consumer v Commission, C-534/07 P, ECLI:EU:C:2009:505, paragraph 223.
  524. See, for example, Binding Decision 3/2022, paragraph 284, Binding Decision 4/2022, paragraph 286.
  525. Case T-704/14, Marine Harvest, paragraph 580, referencing case T-332/09, Electrabel v Commission, paragraph 279.
  526. FR SA Objection, 23.
  527. DE SAs Objection, p. 2.
  528. Draft Decision, paragraph 9.43 (2), 9.39, 8.41. See also Draft Decision, paragraphs 7.46 - 7.153 addressing ‘Whether US Law Provides an Essentially Equivalent Level of Protection’.
  529. See above, paragraphs 195-202.
  530. Meta IE’s A65 Submissions, Annex 2, paragraph 1.3.
  531. See above, paragraph 95.
  532. Meta IE’s A65 Submissions, paragraphs 12.2, 12.5, 12.7, 12.9 to 12.13. See also Meta IE’s A65 Submissions, Annex 2, paragraph 1.21.
  533. Recital 148 GDPR states, for instance: ‘in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine’. The EDPB confirmed that ‘the indications provided by this Recital can be relevant for the imposition of corrective measures in general and for the choice of the combination of corrective measures that is appropriate and proportionate to the infringement committed’. Binding Decision 1/2021, paragraph 256 and Binding Decision 4/2022, paragraph 280.
  534. Draft Decision, 8.23, 8.27, 8.37, 8.41, 8.45.a, 9.28 and 9.43.
  535. Meta IE’s A65 Submissions, paragraph 10.6. In Meta IE’s Data Transfers Report, Meta IE further explains that there’s no ‘discrete repository of a user’s data […] that can be extracted from the rest of the [user database] and moved to a separate physical location’ (paragraph 26). In addition, the Nieh Expert Report states that ‘having an entire replica of the Social Graph at or near each data centre is crucial since any partition of the Social Graph based on geographic location would be unlikely to satisfy most of the queries that cannot be satisfied directly by the caches’ (paragraph 16).
  536. FR SA Objection, 26.
  537. DE SAs Objection, p. 6.
  538. See paragraphs 89 to 96 above.
  539. See paragraphs 97 and 98 above.
  540. See paragraphs 100 to 115 above.
  541. See paragraphs 116 to 125 above.
  542. See paragraphs 128 to 133 above.
  543. See paragraphs 137 to 140 above.
  544. See EDPB Guidelines on calculation of fines, paragraph 61.
  545. EDPB Guidelines on calculation of fines, paragraph 61, third indent.
  546. Art. 65(6) GDPR.
  547. Art. 65(5) and (6) GDPR.
  548. Art. 60(7) GDPR.

The text corresponds to the original text. However, visual changes may have been made to improve the readability of the document.

Source: edpb.europa.eu.