Earlier this year, the Irish Data Protection Commission ("DPC") published a long-awaited decision (the "Decision") regarding data transfers made by Meta. The Decision imposed the largest ever GDPR fine in the amount of €1.2 billion, ordered the suspension of EU/US transfers of Facebook user data within 5 months, and the cessation of processing EU/EEA user's data in the US within 6 months.
The Decision was reached following the integration of European Data Protection Board ("EDPB") view in the form of its own decision which was handed down as part of the Article 65 GDPR dispute resolution process (designed to resolve disputes under the "one stop shop" mechanism). In accordance with this process, the EDPB’s decision is binding on all data protection authorities .
As expected, Meta have appealed, filing arguments in the General Court of the European Union which seek to annul the EDPB's binding decision. The arguments advanced by Meta are wide-ranging and call into question the entire system of dispute resolution under the GDPR, including the role of the EDPB.
Meta's initial statement in response to the ruling gave an indication of those arguments, after suggesting there were "serious questions about a regulatory process that enables the EDPB to overrule [the Irish DPC] in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard."
Meta has advanced the following arguments:
- The Article 65 dispute resolution process in is in breach of the rule of law, effectively the right to a fair trial, per Articles 41 and 47 of the Charter of Fundamental Rights of the European Union, and Article 6 of the European Convention of Human Rights.
- The EDPB exceeded its competence under Article 65.
- The EDPB infringed the right to good administration and failed to act as an impartial body in line with Article 41 of the Charter.
- By instructing the Irish DPC to bring processing operations in line with Article 5 of the GDPR (principles relating to processing of personal data), the EPDB violated the principle of legal certainty and proportionality, and lacked a lawful basis.
- The EDPB violated various of Meta's right and freedoms under the Charter and the Treaty on the Functioning of the European Union, specifically the rights to conduct a business, right to property and freedom to provide services.
- The EDPB violated Article 83 GDPR (general conditions for imposing administrative fines) and other underlying principles governing how fines are determined under the GDPR.
An appeal challenging the decision was expected, but the challenge to the competency of the EDPB and thus the 'one-stop-shop' mechanism itself are fundamental. However, Meta has found itself at the receiving end of harsher penalties following the intervention of the EDPB.
The DPC's final decision dated 12 May 2023 confirmed that, prior to the intervention of the EDPB, the Commissioner did not intend to impose an administrative fine. The EDPB had also previously compelled the DPC to increase administrative fines in respect of an unrelated investigation into Meta's data processing operations regarding Facebook and Instagram services. Furthermore, in that instance, the DPC itself refused to accept the final part of the EDPB decision, suggesting that the mandating of a new investigation into Meta's processing of special category data was "problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR."
We await the progression of this action with great interest. With the recent European Commission Adequacy Decision in respect of the Data Privacy Framework, Meta's concerns regarding data transfers may have eased slightly, but there still remains the question of the €1.2 billion fine to be paid, meaning that the action filed carries substantial weight, both financially for Meta and, more broadly, in respect of the EDPB's role.
The case is Meta Platforms Ireland v European Data Protection Board, case number T-325/23.