The short answer is that Meta transferred Facebook users’ personal data from the EU to the United States without providing appropriate safeguards.
To see precisely where the problem arose, it is necessary to first understand the legal framework of international data transfer. If you want to learn more about the international transfer of data, you can do that in our latest blog post, “International transfer of data – Are you compliant?”
First, the GDPR sets conditions for the transfer of data from the European Union to third countries. Data can be freely transferred to another country if EU authorities have assessed that the legislation of the recipient’s country provides adequate protection. Since the United States is not on the list of countries considered to offer data protection equal to that of EU member states, additional conditions must be met for such transfers to take place.
The agreement previously concluded between the EU and the US, known as Privacy Shield, has ceased to apply because the Court of Justice of the European Union deemed that it doesn’t give enough security to the information transmitted from Europe to the US. Although the new agreement (Privacy Shield 2.0), which would provide better data protection, is expected to be adopted soon, data controllers currently cannot rely on any international agreement for their data transfers across the Atlantic.
A weaker level of data protection prescribed by the laws of a country such as the US can be compensated for by contracts concluded between data controllers, processors, and/or recipients that include SCCs (Standard Contractual Clauses) and a Data Transfer Impact Assessment (DTIA).
However, Meta Platforms Ireland Limited transferred personal data in accordance with the transfer and processing agreement concluded with its US equivalent, Meta Platforms, Inc., which incorporated the European Commission’s 2021 Standard Contractual Clauses (SCCs), and it was still found to be in breach of the GDPR. The agreement between those two companies even included a Data Transfer Impact Assessment (DTIA) which determined the risks and consequences of such a transfer.
You must be wondering what exactly is wrong with this transfer of Facebook users’ data if Meta implemented the measures mentioned above.
Namely, in 2020, the European Court of Justice issued the Schrems II judgment that tightened the rules of data transfer to third countries. This judgment established that SCCs are still considered good practices, but these clauses are not enough anymore. Data controllers must understand that they can’t just rely on a signed paper, but they must inform themselves of the recipient country’s degree of compliance with the GDPR.
In this case, the DPC, in cooperation with the European Data Protection Board (EDPB) and other European Concerned Supervisory Authorities (CSA), decided that all the efforts Meta had made were not adequate to protect the rights and freedoms of the people whose personal data was being transferred.