The case of the Meta vs The People
Reading through the exhaustive account of the Data Protection Commission’s decision regarding Meta Platforms Ireland Ltd (the company previously known as Facebook), it’s intriguing just how many times the company appears to have misunderstood or misinterpreted various parts of GDPR.
When you consider how often Facebook has been accused of being a platform for misinformation, it’s amazing that it appears not to have been completely accurate in how it interpreted EU rulings and regulations.
For example, the DPC notes that Meta Ireland “has made detailed submissions in relation to its intended reliance on the ‘contractual necessity’ derogation under Article 49(1)(b) GDPR”. But the DPC states: “I am satisfied that the contractual necessity derogation cannot be relied on to justify the systematic, bulk, repetitive and ongoing transfers to the US.” Meta’s attempt to use the derogation “would give rise to a breach of the essence of a fundamental right of EU/EEA users”.
Meta Ireland is accused of “misunderstanding the position” and the DPC adds that even if the derogation did not breach Article 47 of the Charter, “I am satisfied that systematic, bulk, repetitive and ongoing transfers are not in any event permitted under Article 49(1)(b) GDPR”.
There are several occasions in the decision where the DPC does “not accept Meta Ireland’s submission”, another contention “is not well-founded”, elsewhere the company “cannot rely on” a specific argument, a “submission overlooks the fact”.
In addition to finding Meta had breached GDPR by transferring personal data from the EU/EEA to the US, the DPC concludes that the data transfers should be suspended.
That wasn’t enough for some of the DPC’s peer regulators in the EU/EEA. A number argued Meta should stop storing and processing the personal data of EU/EEA users it had transferred to the US in violation of the GDPR within six months. They also demanded, contrary to the DPC’s recommendation, that Meta should be fined for infringing GDPR.
The European Data Protection Board (EDPB) agreed. Andrea Jelinek, EDPB chair stated: “Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
The DPC had claimed a fine would not be “effective, proportionate and dissuasive,” but the EDPB argued fines were “a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities”.
The EDPB noted that Meta Ireland claimed it would not be able to offer its services in the EU/EEA without performing the transfers, which could infer that “transferring the data to the US in a way that infringes the GDPR is inextricably linked to the provision of the service to EU/EEA individuals. In this regard, the EDPB recalls that it is the business model which must adapt itself and comply with the requirements that the GDPR sets out in general and for each of the legal bases and not the reverse”.
That seems to be a common thread running through several of Meta’s submissions to the DPC where it appears intent on trying to make the GDPR fit its business model rather than the other way around.
Consequences
The EDPB added that Meta’s argument a suspension would have ‘severe consequences’ and a devastating impact on its business, revenue and employees, suggested that “a considerable part of its profits derived from the provision of the service in the EU arise from the breach of the GDPR”.
It’s strange that the DPC should conclude Meta had breached the GDPR rules and merited a suspension but opt against the logical conclusion of expecting the company to stop storing and processing the data on EU/EEA citizens it had already transferred to the US.
As for the fine, it’s difficult to justify the DPC’s argument it would exceed the powers that could be described as being “appropriate, proportionate and necessary”, particularly given Meta’s continued unrepentant opposition to the decision and its intention to appeal.
As Nick Clegg, president, global affairs and Jennifer Newstead, chief legal officer, wrote in a blog responding to the decision: “We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines.”
Is anyone seriously suggesting Meta would have done anything different if the EDPB had stuck with the DPC’s original proposal and chosen not to impose a fine?
The content of the DPC’s decision runs to 216 pages so it will be interesting to see where Meta will find the necessary wriggle room to successfully appeal the substance of the ruling. Yet again, however, it appears that the company is seeking to try to bend the law to fit its view of the GDPR rather than to abide by its provisions.
Subscribers 0
Fans 0
Followers 0
Followers