The European Data Protection Board (EDPB) has given Ireland’s data-protection watchdog a month to implement a decision on the legality of data transfers made by Facebook’s parent company Meta from the EU to the US.
The Data Protection Commission (DPC) had begun an investigation into the legality of such transfers after a judgment made by the EU’s highest court in 2020.
The DPC is the lead regulator for Meta, as its European headquarters is in Ireland, but other regulators can object to its findings.
The EDPB steps in to make legally binding decisions when there are disputes among national data-protection authorities.
In a statement yesterday (13 April), the EDPB said that it had adopted a dispute-resolution decision on a draft ruling made by the Data Protection Commission (DPC) on Meta.
“The binding decision addresses important legal questions arising from the draft decision of the Irish DPA as lead supervisory authority (LSA) regarding Meta,” the EDPB said, though it did not give details of its ruling.
It added, however, that it had settled a dispute over whether an administrative fine and/or an additional order to bring data-processing into compliance must be included in the DPC’s final decision.
ChatGPT task force
The DPC must now issue its final decision to Meta on the basis of the EDPB binding decision, taking into account the EDPB's legal assessment, “at the latest, one month after the EDPB has notified its decision”.
The EDPB will publish its decision on its website after the DPC has notified its national ruling to Meta.
EDPB members also discussed recent action taken by the Italian data-protection authority against Open AI about its ChatGPT service.
The board has now decided to launch a dedicated task force “to foster cooperation and to exchange information on possible enforcement actions conducted by data-protection authorities”.