DP News – Week 21. Record-breaking 1.2 billion EUR fine is imposed on Meta, the Swedish Postal and Telecoms Agency has updated its guidance on cookies
On 22 May, Ireland’s data protection authority (DPC) published its decision against Meta Ireland, examining the basis upon which it transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service. The decision was made on the basis of the previous EDPB’s decision.
According to the DPC’s official press release, the decision implies the following:
– suspension of any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
– an administrative fine in the amount of €1.2 billion; and
– a requirement for Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland.
Interestingly, according to the DPC’s comments, the authority do not basically agree with an imposition of the fine and was mostly forced to impose it due to the decision of the EDPB.
According to the statement that came from Meta, this decision “is not about one company’s privacy practices — there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer”. Meta also confirmed that it “will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts”.
In Sweden, the Postal and Telecoms Agency (PTS) has updated its guidance on cookies.
In particular, the updated guidance explains information provision obligations in more detail, highlighting that the information provided to the data subject should be clear and complete and indicate at least who stores the cookies, what the purpose for this is, how long the cookies will be stored, and if the data obtained via cookies is shared with third parties.
As for consent rules, PTS highlighted that the consent should be collected before the cookies are actually placed, it should be clearly given, specific, revocable and unconditional.
Comments are closed.