Irish Data Protection Commission: EUR 1.2 billion fine for Meta over unlawful US data transfers

As the Irish Data Protection Commission explains in a press release, it has imposed a fine of EUR 1.2 billion on Meta.

The case concerns the unlawful transfer of personal data from Europe to the United States:

"The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022. Notably, it found that:

1. the data transfers in question were being carried out in breach of Article 46(1) GDPR; and

2. in these circumstances, the data transfers should be suspended.

Under a cooperation procedure mandated by the GDPR (Article 60), the draft decision prepared by the DPC was submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”). The nature of the processing under examination by the inquiry was such that all other EU/EEA Supervisory Authorities were engaged as CSAs for the purpose of the cooperation procedure.

On the question of Meta Ireland’s non-compliance with the GDPR, and the DPC’s proposal to make an order to suspend the data transfers, the CSAs agreed with the DPC’s decision."

In addition to the fine, the company was also subjected to far-reaching implementation obligations:

"The EDPB adopted its decision on 13 April 2023.  Consistent with its obligations to adopt its final decision “on the basis of” the EDPB’s decision, the DPC’s decision of 12 May 2023 records the exercise of the following corrective powers by the DPC:

  1. an order, made pursuant to Article 58(2)(j) GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
  2. an administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed, to sanction the infringement that was found to have occurred. The DPC determined the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision); and
  3. an order, made pursuant to Article 58 (2)(d) GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland."

Meta has already responded with a statement of its own and announced that it will take legal action against the regulatory measure. The company emphasises that this is not an isolated Facebook-specific problem, but that US data transfers affect thousands of companies in Europe and that the issue is therefore of a fundamental nature:

  • "Thousands of businesses and organisations rely on the ability to transfer data between the EU and the US to operate and provide everyday services.
  • This is not about one company’s privacy practices — there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer.
  • We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.
  • There is no immediate disruption to Facebook in Europe."