Dec 01
Danish DPA Data Protection Digital Markets Act EU-US cooperation EDPB hits Meta, the EU General Court explains the nature

Tough days for big techs.

Tough days for big techs.

Konstantin Tiazhelnikov Konstantin Tiazhelnikov
  • December 1, 2022 -

DP News – Week 48. Tough days for big techs.

On 28 November, the Irish Data Protection Commissioner (DPC) announced an imposition of the 265-million-euro fine on Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network. The fine is coupled with a range of corrective measures applied.

The DPC has been conducting its investigation since April 2021 in respect of processing occurring between 25 May 2018 and September 2019, with several Meta’s products falling within its scope (Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools). Those tools have been verified for compliance with the GDPR requirements on Data Protection by Design and Default (Articles 25(1) and 25(2)).

As the DPC explains, there was “a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC. The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on MPIL”.

Meanwhile, in Germany, the Data Protection Conference (DSK) (that is the committee of the independent German data protection supervisory authorities of the federal and state governments) issued a report on privacy compliance of the Microsoft cloud-based 365 products. From the report it follows that Microsoft has not resolved compliance issues raised by the DSK two years ago, in September, 2020. Among the issues raised – lack of clarity in Microsoft’s contractual documentation, unclear allocation of data processing roles, lack of certainty in respect of lawful basis for the data processing, as well as issues with international data transfers (given that Microsoft has a clear U.S. nexus).

As TechCrunch reports, the Irish DPC informs that “it does not currently have any open inquiries into Microsoft, so it appears more likely that regional enforcement of cloud compliance concerns will be pushed through via decentralized (but coordinated) attention to public sector contracts Microsoft has inked around the bloc by regulators in different member states”.

See more related posts »

Related blog posts

DP News – Week 16. EDPB opinion: Pay-or-Consent models clash with GDPR consent requirements, EU Commission requested a risk assessment from TikTok, ICO launched a privacy notice generator, Catalan Data Protection Authority fines occupational health center for email confidentiality breach, Dutch chipmaker investigates data breach amidst security concerns.
  • April 18, 2024 -

DP News – Week 15. Norwegian DPA imposed a 20 million NOK fine, Denmark’s DPA updated data transfer guidance for third countries, France’s DPA fined retail chain for unsolicited marketing.
  • April 11, 2024 -

DP News – Week 14. Subway operator was fined for covert employee monitoring in Iceland, Finnish DPA imposed fine for data retention violations and published its 2024 inspection plan, France’s DPA (CNIL) published a 5-year GDPR compliance review regarding data breaches.
  • April 4, 2024 -