In recent US filings, Meta Platforms, Inc. has announced it is anticipating that the Irish Data Protection Committee (IDPC) will suspend Meta’s transfer of users’ personal data from the EU to the US, and that a fine will be imposed under the EU General Data Protection Regulation (GDPR).
These filings precede a final decision from the IDPC regarding its inquiry into the legality of Meta’s transfer of Facebook users’ data from the EU to the US, which currently relies upon Standard Contractual Clauses. An initial draft decision from the IDPC, alongside the European Data Protection Board, preliminarily concluded that such transfers should be suspended. This preliminary view also indicated that the social media giant will face a requirement to “bring its relevant processing operations into compliance with the GDPR” and to pay a potentially “substantial” fine.
Meta’s filings further state that it expects the final decision to be issued this month, and that it will be required to comply with the IDPC’s order by “no earlier than the fourth quarter of 2023”. It is anticipated that any transfer suspension order will become effective after a period of time, unless a new EU-US data privacy framework is finalised before such date, or the IDPC revisits the suspension due to material change in US law. In this respect, Meta state that it has been in ongoing consultations with policymakers within Europe and the US; these discussions suggest that “the proposed new EU-US Data Privacy Framework will be fully implemented before the deadline for suspension of such transfers”. Despite this, Meta warns investors that it cannot rule out the possibility the framework will not be implemented in time to prevent a transfer ban.
Our recent Regulatory Blog containing an update on the EU-US Data Privacy Framework can also be found here.