DP News – Week 48. Tough days for Big Tech.
On 28 November, the Irish Data Protection Commissioner (DPC) announced that it had imposed a 265-million-euro fine on Meta Platforms Ireland Limited (MPIL), the data controller of the “Facebook” social media network. The fine is accompanied by a range of corrective measures.
The DPC has been conducting its investigation since April 2021 in respect of processing that occurred between 25 May 2018 and September 2019, with several of Meta’s products falling within its scope (the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools). Those tools were examined for compliance with the GDPR requirements on Data Protection by Design and Default (Articles 25(1) and 25(2)).
As the DPC explains, there was “a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC. The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on MPIL”.
Meanwhile, in Germany, the Data Protection Conference (DSK), the committee of the independent German data protection supervisory authorities of the federal and state governments, issued a report on the privacy compliance of Microsoft’s cloud-based 365 products. According to the report, Microsoft has not resolved the compliance issues that the DSK raised two years ago, in September 2020. The issues raised include a lack of clarity in Microsoft’s contractual documentation, an unclear allocation of data processing roles, a lack of certainty about the lawful basis for the data processing, and issues with international data transfers (given that Microsoft has a clear U.S. nexus).
As TechCrunch reports, the Irish DPC says that “it does not currently have any open inquiries into Microsoft, so it appears more likely that regional enforcement of cloud compliance concerns will be pushed through via decentralized (but coordinated) attention to public sector contracts Microsoft has inked around the bloc by regulators in different member states”.