Ref. Ares(2022)1180918 - 17/02/2022
VICE PRESIDENT VĚRA JOUROVÁ
MEETING WITH

META PLATFORMS
LOCATION: ONLINE - ZOOM
DATE AND TIME: 06 DECEMBER 2021 AT 17H00 – 18H00
MEMBERS RESPONSIBLE: DANIEL BRAUN, WOJTEK TALKO
1

STEERING BRIEF
You are meeting

Meta Platforms (MP, formerly known as Facebook) on 6 December from 17:00-18:00.
Due to pandemic situation the meeting will be online via Zoom.
You will discuss the proposal for a regulation on transparency and targeting of political
advertising, adopted by the Commission on 25 November 2021. Disinformation, also in
relation with COVID-19 and the Code of Conduct could also be brought up. The current
ongoing cases in relation to MP in Ireland’s Data Protection Commission may also be
discussed as well as the current stance on international data flows. The draft digital
services act and digital markets act could also be addressed.

3

KEY MESSAGES

Disinformation
COVID-19 disinformation
•  Thank for participating in the COVID-19 Disinformation reporting
and monitoring programme.
•  Point to drawbacks  limiting  the usefulness of the information
included in the reports to understand the impact of policies –
especially the lack of more granular and country-specific data.
Reports clearly show that super-spreaders can easily amplify
disinformation unnoticed.
•  Going beyond the reporting, ask to look into trends and provide us
more data, so that we can assess if there is anything we can do
together to help those countries with the lowest vaccination rate,
such as RO or BG.
•  At the same time, further promoting expert views and offering space
for communication campaigns could also help, and we can facilitate
contacts in this regard.
Code of Practice
•  Thank for ensuring that WhatsApp formally joins the Code of
Practice, first such commitment to measures against disinformation
on encrypted platforms.
•  The Commission continues to believe that industry and civil society
are well placed to find answers to the difficult questions such as
reducing disinformation while not weakening encryption.
•  The Commission is following closely the efforts to strengthen the
Code of Practice on Disinformation.  We expect the signatories to
deliver a very strong Code that is fully in line with the spirit of the
Commission Guidance.
4

•  Thank Meta/Facebook for the active role taken in the drafting
process, we look forward to stronger commitments.
•  This should include more precise and granular data on the impact of
the measures taken to reduce disinformation or making clear how
they work with local moderators or AI and specify what types of
content they act upon -  with a particular regard for providing
language and Member State level data and metrics.
•  More generally, we need strong progress in particular in areas where
the current Code has so far delivered few results, such as
meaningful key performance indicators and a monitoring
framework, demonetising purveyors of disinformation and giving
researchers sufficient access to data.
On Political ads:
•  I am curious to hear your views on our proposal. I understand that
your current policy is different and it would require some changes,
on transparency and identification of political ads. These are the ads
that drive polarisation and extremism.
•  I am also confident we need to slow down the development of the
targeting techniques. Today, this is too much of a black box. Often,
GDPR is by-passed, either through ignoring sensitive data or in the
ad network (auctions –  there is an ongoing case in the Data
Protection Commission on this – see background). I would like you
to consider stepping up your policies in this regard.
On Privacy Shield 2.0
•  The  Commission remains firmly committed  to facilitating
trusted data transfers (done deals with UK and Korea).
•  We are currently having similar talks with a number of
partners, in particular in Asia and Latin America.
•  This commitment to international data flows is also reflected in
our approach to trade negotiations.
5

•  On 4 June 2021, the Commission adopted modernised
standard contractual clauses (SCCs) for international data
transfers. These have been fully aligned with GDPR and
adapted to modern business realities. They also take into
account the requirements of the Schrems II judgment and
operationalise the clarifications offered by the Court of Justice
of the European Union (CJEU).
•  Through their standardisation and pre-approval, these clauses
provide companies, especially SMEs, a practical tool to assist
them in complying with the GDPR.
•  To further facilitate the use of the SCCS, we are developing a
Q&A  addressing implementation issues, providing further
clarifications etc. This will be a dynamic, online source of
information that will be regularly updated.
•  We are doing this in close cooperation with stakeholders, as
we want this to be a tool as practical as possible –  based on
“real life” situations. For example, we met with a  so-called
‘multi-stakeholder’ expert group established under the GDPR
on 29 October to discuss what the Q&A should focus on.
•  With respect to transatlantic data flows, the most
comprehensive solution remains a new adequacy decision,
which would allow data to flow without the need for any further
authorisation or transfer instrument.
•  The EU and US have been engaged in intense negotiations in
the past months and weeks.
•  We have entered into the substance of the issues
and are
discussing the details of possible solutions.
6

•  What is at stake here are complex and sensitive issues  that
relate to the delicate balance between national security  and
privacy, but we have made good progress even if we are not yet
there.
•  This remains a top priority.
•  At the same time, we will only agree to a new arrangement that
is fully compliant with the Schrems II judgment.
•  This is also the only way to develop a durable solution, one that
ensures the stability and legal certainty that stakeholders expect
on both sides of the Atlantic.

7

TOPICS FOR DISCUSSION

POLITICAL ADVERTISING
Meta Platforms (MP) provides for an authorisation process for placing political ads on
its platform, which requires a procedure for identity confirmation and the establishment
of the advertiser in the country where it wants to target the ad (or, failing that, a local
representative authorised only for that country)
MP current policy political ads does not cover all the requirements envisaged under the
proposed Regulation.

Defensives
What will people be able to find about political ads on the ad libraries of
very large platforms like MP?
•  Very large online platforms will be required to manage and update a
repository with all the political ads that they publish, which will be
publicly available
•  Citizens will be able to see in the repository the following information
linked to each political advertisement:
−  the content of the advertisement;
−  the person on whose behalf the advertisement is displayed;
−  the period during which the advertisement was displayed;
8

−  whether the advertisement was intended to be displayed specifically
to one or more particular groups of recipients of the service and if so,
the main parameters used for that purpose;
−  the total number of recipients of the advertisement;
−  information on the money spent on the advertisement;
−  an indication of the elections to which the advertisement is linked to;
−  information on the mechanism for citizens to indicate political
advertising which may not comply with the regulation.
How does this proposal interact with the recent DSA proposal and why is
it necessary to have additional rules in the field of political advertising?
•  This initiative will complement the proposal for a DSA, which the
Commission announced in December 2020.
•  The DSA proposes horizontal obligations on online intermediaries,
especially for very large online platforms, to provide certain information
about all online advertising. This includes ad libraries and the provision
of information about targeting.
•  The political ads initiative proposes general transparency obligations for
all actors involved in the preparation, publication, placement, promotion
and dissemination of political advertising, offline and online.
•  Compared to the DSA, it expands the categories of information to be
disclosed in the context of political advertising, as well as the scope of
the relevant service providers concerned.
9

•  While the DSA imposes transparency requirements on online platforms,
this initiative covers the entire spectrum of political advertising
publishers, as well as other relevant service providers involved in the
preparation, placement, publication and dissemination of political
advertising.
Will  targeting be banned?
•  Political targeting and amplification techniques using special
categories of personal data will be banned –  unless a person
explicitly consents to it or in the context of political advertising in
the course of the legitimate activities of organisations with a
political, philosophical, religious or trade union aim in a very limited
number of situations, such as when it is about their own members.
•  Anyone making use of political targeting and amplification involving
the processing of personal data will also need:
−  to adopt and implement an policy on the use of such techniques
−  to keep records of the techniques used and sources of personal
information
−  to provide the person being targeted additional information
concerning the targeting or amplification.
•  Publishers of political ads will need to ensure that this additional
information about the targeting of political advertising they publish
is included in the transparency notices they make available with the
political advertising.
10

How is the regulation to be supervised and enforced?
• National data protection authorities designated to supervise and enforce
EU data protection rules will also take the targeting and amplification
requirements of the current proposal into account.
• Member States will designate competent authorities to supervise and
enforce the other provisions of the proposal, and will also provide for
proportionate and effective sanctions.
• Member States will ensure that competent authorities coordinate their
tasks nationally, and cooperation will be supported at the European level
to ensure cross-border enforcement via single national contact points.
• Contact points shall meet periodically at Union level in the framework of
the European Cooperation Network on Elections to facilitate the swift
and secured exchange of information on issues connected to the exercise
of their supervisory and enforcements tasks pursuant to this Regulation.
11

The content from page 12 to 20 is out of the scope of
the request

DISINFORMATION AND THE CODE OF CONDUCT

Meta Platforms (MP) is a signatory of the EU Code of Practice on Disinformation since
its publication in September 2018, and has subscribed to all the commitments of the
original Code.
As a signatory to the Code, MP – together with other current and new signatories – is
taking part in the ongoing negotiations on the revision of the current Code, in line with
the objectives set out in the Commission’s guidance of 26 May 2021. MP and the
signatories should draft the new Code with aim for it to become the “Code of Conduct”
to tackle the risks linked to disinformation once the digital services act (DSA) will be
adopted.
MP has also taken part in the Commission’s monitoring and reporting programme on
COVID-19 disinformation, set up by the 10 June 2020 Communication on Tackling
COVID-19 Disinformation. MP has welcomed the opportunity to cooperate with the
Commission in the measures taken to combat disinformation.
Facebook Papers
In May 2021, Frances Haugen left her position as a product manager at MP and took
tens of thousands of internal documents with her. She gave her testimony on Capitol
Hill on 5 October and in front of the British Parliament on 25 October.
The documents have triggered several allegations and supported the claims that the social
network has valued financial success over user safety. MP knew its products were
•  damaging teenagers’ mental health;
•  fomenting ethnic violence in countries such as Ethiopia; and
•  failing to curb misinformation before the 6 January Washington riots.
MP-owned Instagram fails to keep children under 13 (the minimum user age) from
opening accounts, and MP isn’t doing enough to protect kids from content that, for
example, makes them feel bad about their bodies.
There has been an apparent lack of safety controls in non-English language markets,
such as Africa and the Middle East, where the Facebook platform was being used by
human traffickers and armed groups in Ethiopia. According to one document, 87% of
MP’s global budget for time spent on classifying misinformation goes towards the
United States, while 13% is set aside for the rest of the world — despite the fact that
North American users make up just 10% of its daily users.
Facebook groups amplifies online hate. Algorithms that prioritise engagement take
people with mainstream interests and push them to the extremes. Frances Haugen said
that MP realised that if they change the algorithm to be safer, people will spend less
time on the site, they'll click on less ads, they'll make less money. The former MP data
scientist also said Facebook could add moderators to prevent groups over a certain size
from being used to spread extremist views.
Internal documents confirmed that MP employees repeatedly raised red flags about
misinformation and inflammatory content on the platform during the 2020 presidential
election, but company leaders did little to address the issues. According to Frances
Haugen, Facebook turned on some safety systems to reduce misinformation – but many
of those changes were temporary. As soon as the election was over, they turned them
21

back off or they changed the settings back to what they were before, to prioritise growth
over safety. “And that really feels like a betrayal of democracy to me”, said Haugen.
Press coverage and research
Recent research and press cover has put in question Facebook’s proactive interest in
providing the research community and factcheckers with the relevant access to data.
Moreover, recent research has shown that Facebook’s algorithm has actually been
promoting divisive content, particularly in the context of COVID-19 disinformation.
Leaked internal analysis and whistle-blower accounts have also uncovered that
Facebook’s systems are routinely subject to manipulation and reports reveal that they
are aware that these systems can be manipulated.
Successive news and civil society reports issued only over the past few weeks show
allegations of:
•  Selective application of national laws (NetzDG). Reset and HateAid performed a test
based on 100 hate comments on the platform notably published by far-right
politicians. The platform removed 67 of them, applying the terms and conditions of
the company, not the legal standard. Where the experiment focused on reporting
content violating terms and conditions, the company is reported to have reacted to
50% of the cases.
•  The report also shows concerning ad targeting practices, such as ads for conversion
therapies displayed particularly to LGBTQI youth or racists and defamatory ads.
•  Severe inconsistencies and arbitrariness of policies (e.g. XCheck programme white-
listing accounts without prior public information and leading to arbitrary content
moderation decisions).
•  Lack of consideration for societal concerns in the design, testing and functioning of
recommender systems (e.g. Wall Street Journal reports on a 2018 roll-out of new
recommender systems maximising engagement and, at the same time, amplifying
sensationalist content and misinformation).
On COVID-19 vaccine disinformation
Research shows that a relative small amount of pages that actively distribute anti-vax
and COVID-19 misinformation are among the most influential and viewed in the US. In
July 2021, an analysis of CrowdTangle data showed that 9 of the top 15 top-performing
Facebook posts about vaccines promoted false or alarmist claims, and were shared
hundreds of thousands of times.
Facebook’s own documents show that, when it comes to divisive public health issues
like vaccines, engagement-based ranking only emphasizes polarisation, disagreement,
and doubt. To study ways to reduce vaccine misinformation, Facebook researchers
changed how posts are ranked for more than 6,000 users in the US, Mexico, Brazil, and
the Philippines. Instead of seeing posts about vaccines that were chosen based on their
popularity, these users saw posts selected for their trustworthiness.
The results were striking: a nearly 12% decrease in content that made claims debunked
by fact-checkers and an 8% increase in content from authoritative public health
organisations such as the WHO or US Centers for Disease Control. Those users also had
a 7% decrease in negative interactions on the site. Employees at the company reacted to
the study with exuberance, according to internal exchanges included in the
whistleblower’s documents. Facebook said it did implement many of the study’s
22

findings – but not for another month, a delay that came at a pivotal stage of the global
vaccine rollout.
Failure to act upon those has sparked reactions that have reached even the White House,
with President Biden recently arguing that Facebook is “killing people”, referring to its
role in promoting COVID-19 misinformation. The White House press secretary has also
accused  MP of not doing enough to combat the spread of misinformation by users,
despite backtracking afterwards. A recent US study also indicates that people, who get
most of their news through Facebook, may be less likely to be vaccinated against
COVID-19.
However, when in August 2021, MP shared a report on its most-viewed content on the
platform, none of the top 10 content was divisive political content. The Washington
Post qualifies “the new report as part of a broader push by Facebook to block or
discredit independent research about harmful content on its platform, offering its own
carefully selected data and statistics instead”.
In light of the enhanced monitoring and reporting carried out by online platforms in the
context of the coronavirus pandemic, as first  set out in the Commission’s June 2020
communication on tackling COVID-19 disinformation, and within the framework of its
commitments under the Code of Practice on disinformation and in light of EU and national
consumer protection efforts, Facebook has been providing bimonthly reporting on specific
activities on:
•  the promotion of authoritative source;
•  actions against misinformation;
•  third-party fact checking support;
•  media literacy support;
•  coordinated inauthentic behaviour (interference); and
•  advertising policies.
Elements of this reporting were  included in the Commission’s assessment of the
implementation of the Code of Practice. In most recent report [released in November, attached
to this briefing], Meta/Facebook indicates that it continues in efforts, for instance to remove
inauthentic accounts.
The Commission’s opinion on Meta/Facebook and other platforms actions as set out in the
June 2020 communication remain unchanged, and are essentially:
•  Noting the ongoing bi-monthly reporting on COVID-19 disinformation, the Commission
reiterates its call on Facebook to remain vigilant and to continue its efforts to cut out
potentially misleading ads and product listings.
•  Platforms should deepen their work to combat the risks sparked by the crisis, including
strengthening support for fact-checkers and researchers.
Main messages
•  I would like to thank Meta/Facebook for participating in the reporting and monitoring
programme established under our June 2020 Communication on Tackling COVID-19
Disinformation.
23

•  These reports are essential in helping us understand the incidence of authoritative
information on COVID as compared to false, misleading and harmful information, as well
as the policies and actions Meta/Facebook is taking to reduce the distribution of false and
misleading information on vaccination
•  However, a recent analysis done by ERGA on the first six months of the COVID-19
monitoring programme has highlighted that drawbacks limit the usefulness of the
information included in the reports to understand the impact of policies.
•  In particular, a general improvement of the provision of more granular and country-
specific data, including samples of pieces of content as examples of enforced policies and
information on the impact of activities would benefit greatly the reports.
•  In addition, reporting could be more focused on COVID actions taken in Europe, while
Meta/Facebook mostly reports also on other actions taken globally on other policies.
On the Code of practice
Meta/Facebook is currently an active player of the process to draft the strengthened Code of
Practice on disinformation. Among the very large online platforms  (VLOPs) part of the
process, we can see that an intense commitment of the company to achieve results in the
process of the strengthening the Code. While Meta has implicitly made clear that Facebook,
Instagram and Messenger are part of the Code, despite multiple requests from the
Commission, Meta has been very vague about involving WhatsApp into the process. It would
be good to have a clear commitment from
to have them on board
Main messages
•  The Commission published Guidance setting out its  views on how signatories should
strengthen the Code of Practice on Disinformation and create a more transparent, safe and
trustworthy online environment.
•  The Commission is steering the efforts to strengthen the Code of Practice on
Disinformation, aiming at having a new Code that effectively implements the elements
suggested in the Guidance.
•  The Commission has called upon the Code’s signatories to convene and carry out the
drafting of the strengthened Code, in line with the Guidance
•  The Commission follows  closely the drafting process. We thank Meta/Facebook for the
active role taken in the drafting process, and we look forward to stronger commitments.
•  Meta/Facebook can play a crucial role in reducing the spread of nefarious narratives,
particularly on COVID-19 and vaccination campaigns, as recent reports clearly show that
super-spreaders can easily amplify disinformation unnoticed .
•  Meta/Facebook should also commit to provide more precise and granular data on the
impact of the measures taken to reduce disinformation, with a particular regard for
providing language and Member State level data and metrics.
•  In addition, it would be ideal to better understand how the measures work across the
services, avoiding to report aggregated data, for example on content removals.
•  Moreover, Meta/Facebook should make clear how they work with local moderators, or AI
at specific language level, and specify what types of content they act upon.
•  We expect the signatories to deliver a very strong Code that is fully in line with the spirit
of the Commission Guidance.
24

•  We need strong progress in particular in areas where the current Code has so far delivered
few results, such as a meaningful key performance indicators and a robust monitoring
framework, demonetising purveyors of disinformation and giving researchers sufficient
access to data.
•  Moreover, we would like to see WhatsApp formally joining the Code of Practice,
committing to strong measures against disinformation on encrypted platforms. With
private messaging services, the encryption of private messages systems must be preserved,
however serious measures to reduce the spread of disinformation should be taken.
•  The Commission continues to believe that industry and civil society are well placed to find
answers to such remaining pertinent and pressing questions.
Transparency and working with researchers
In early August 2021, MP cut access to New York University researchers’ access to ad
data, citing privacy concerns. The project’s researchers have regularly briefed staffers
and lawmakers in the House and Senate and officials at agencies, and the sudden move
draw criticism even from the US Federal trade Commission.
At the end of August 2021, researchers at New York University and France’s Université
Grenoble Alpes found that, from August 2020 to January 2021, articles from known
purveyors of misinformation received six times as many likes, shares, and interactions
as legitimate news articles.
At the same time, reports emerged that many Facebook posts from the days before and
after the 6 January 2021 Capitol Hill riots in Washington are missing from
Crowdtangle. After the Capitol Hill riots, the academics said they had planned to
analyse what type of content Facebook had removed related to the insurrection to meet
its content moderation policies, but they discovered that up to 30% of the posts
collected around the 6 January riots were missing, compared to the original
Crowdtangle database. This comes at a difficult time, where reports emerged that MP is
dismantling the team behind the Crowdtangle tool.
On 3 March 2020, AlgorithmWatch launched a project to monitor Instagram’s newsfeed
algorithm. Volunteers could install a browser add-on that scraped their Instagram
newsfeeds. In 13 July, AlgorithmWatch ended the project in fear of being sued by M for
alleged Terms of Service breaches.
Political content and manipulation of the service
In February 2021, MP published news that it would expand a trial to reduce the
distribution of political content on feeds. The company announced it would expand the
trial to  scale back breaking news and political content in and beyond the US after
receiving “positive feedback” on the changes. Critics from the marketing sector said the
changes could reduce traffic to news publishers or accounts that post too much political
content, based on negative user feedback.
Still, Facebook’s report on the popular content on its platform goes against evidence
that stories published by The Daily Wire, founded by conservative commenter Ben
Shapiro, received more likes, shares and comments than any other news publisher over
the past year by a wide margin, according to an NPR analysis of social media data. And
Shapiro’s personal Facebook page had more followers than The Washington Post.
In September 2021, it was uncovered that troll farms reached 140 million Americans a
month on Facebook before 2020 election. Facebook’s most popular pages for Christian
25

and Black American content were being run by Eastern European troll farms. Their
content was reaching 140 million US users per month – 75% of whom had never
followed any of the pages. They were seeing the content because Facebook’s content-
recommendation system had pushed it into their news feeds.

26

DATA PROTECTION AND PRIVACY

The following information concerns investigations and ongoing cases involving
Facebook Ireland Limited, WhatsApp Ireland Limited and Instagram.
Recent fines imposed by the Irish DPA
Ireland’s Data Protection Commission (DPC) has fined on 02 August 2021 WhatsApp
EUR 225 million. This was the largest penalty ever handed down by the DPC and the
second highest under the General Data Protection Regulation (GDPR). The case goes
back to 2018 when the Commission received many complaints concerning the data
processing activities of WhatsApp Ireland, especially regarding transparency.
The DPC, in its draft decision, proposed a fine in the region on EUR 30-50 million.
Eight EU DPAs raised objections on this and other aspects, saying that the fine was not
high enough given the seriousness of the matter and the numbers involved. The issue
was solved within the consistency mechanism (Article 65 GDPR), during which the
European Data Protection Board (EDPB) requested in a decision that the DPC amends
the WhatsApp decision with clarifications on transparency and on the calculation of the
amount of the fine due to multiple infringements.
On 15 September 2021, WhatsApp has challenged this decision in front of the national
court.
On 01 November 2021, WhatsApp lodged a direct action  against the EDPB decision
addressed to the DPC in this case (T-709/21).

New draft decision submitted by the DPC in the cooperation mechanism
Currently there is another draft decision submitted by the DPC as a lead DPA before the
EDPB. The DPC submitted on 06 October 2021 under Art 60 GDPR draft decision. It
concerns the complaints lodged among others by M. Schrems concerning Facebook
practice to use “contract”  (Art 6(1)(b) GDPR) as a legal basis for the processing of
user’s data necessary for the provision of its service, including through the provision of
behavioural advertising insofar as this forms a “core” part of that service offered to and
accepted by the user under the contract between Facebook and its user.
The question of the legality of such action is also before CJEU in the case C-446/21.
The Commission will submit its observations shortly.
In addition, this case will be most probably subject to dispute resolution mechanism.
Between June and December 2018, the controller notified a number of personal data
breaches. This inquiry is examining the controller’s compliance with articles 32, 24, and
5 of the GDPR in the context of the occurrence of those breaches. The decision maker is
in the process of considering the relevant and reasoned objections made by Cloud
Security Alliances.
Ongoing investigations DPC
As provided by the last update in October 2021 the DPC is investigating several matters
in relation to Meta Platforms (MP).
27

DPC follow up CJEU judgements
In the light of the Schrems II judgment of 16 July 2020 (C-311/18), the DPC is
conducting an inquiry to examine whether or not Facebook Ireland Limited is acting
lawfully. This, in particular, in compliance with the provisions of Article 46(1) of the
GDPR, when, by reference to the standard contractual clauses, it transfers, to the US,
personal data relating to individuals who are in the EU/ European Economic Area who
visit, access, use or otherwise interact with products and services provided by Facebook
Ireland Limited.
28

Other points of interest/ no formal investigation by the DPC or other DPA
MP together with and Italian producer (Luxottica) are planning to bring on the EU
market smart glasses that would record the surrounding of the person. The DPC and
Italian data protection authority are closely monitoring the situations and engaging with
both companies. The Italian data protection authority on several occasions has
mentioned that the working relation in this case with the DPC is very good. The
consultation with the DPC and the Italian DPA is ongoing. In parallel, the EDPB is
considering formulating general position regarding the deployment of such technology
in the EU.
Pending CJEU concerning GDPR and MP
Questions to the CJEU concern the competence of another supervisory authority to
interpret the GDPR to determine the potential infringement of competition law. The
case concern the interpretation of consent as legal basis for processing by Facebook by
supervisory authority that is not a data protection authority. The Commission submitted
arguments against in support of one-stop-shop as a sole GDPR enforcement mechanism.
The case C-252/21 was submitted in April 2021.
Question to the CJEU concern the competence to bring an action against Facebook by a
consumer organisation that is not explicitly mandated by a data subject as required by
art. 80 GDPR.

The case C-319/20 was
submitted in July 2020.

29

INTERNATIONAL DATA FLOWS

Concerning the follow-up to the Schrems II judgment, Meta Platforms (MP) has been
very vocal about the ongoing investigation of the Irish data protection authority (see
background), including by claiming that it will no longer be able to offer its services in
Europe if the Irish DPA prohibits data transfers to the US and ”threatening” to leave the
European market. Contrary to other important business players in the US that are taking
a more “responsible” position, MP is perceived

to push for an quick arrangement for EU-US data transfers that could be
put in place as soon as possible, regardless of whether it would meet the requirements of
the Court of Justice.

Main messages
•  This remains a top priority on both sides. We have been engaged in intense
negotiations in the past months and weeks.
•  We have entered into the substance of the issues

and are discussing the details of possible solutions.
•  What is at stake here are complex and sensitive issues that relate to the delicate
balance between national security and privacy, but we have made good progress,
even if we are not yet there.
•  At the same time, we will only agree to a new arrangement that is fully compliant
with the Schrems II judgment.
•  This is also the only way to develop a durable solution, one that ensures the stability
and legal certainty that stakeholders expect on both sides of the Atlantic.

Background
Ongoing procedures in Ireland following the Schrems II judgment
The  Schrems II case  was based on a complaint of Austrian privacy activist Max
Schrems before the Irish data protection authority (Data Protection Commission, or
DPC) about data transfers by MP Ireland to its headquarters in the US on the basis
of SCCs. As the Court of Justice has issued its judgment, the DPC needs to apply the
clarifications provided by the Court. The DPC will have to decide whether MP can
continue to transfer data to the US on the basis of SCCs, in light of the Court’s
assessment of the relevant US surveillance laws, to which MP-US is subject.
Following the judgment, the DPC decided to open a so-called ‘own volition’ inquiry
(i.e. an ex officio investigation), which means that it will carry out this general
investigation (which concerns the data transfers by MP more generally), instead of first
finalising its specific investigation of the complaint lodged by Max Schrems. The DPC
explained that it has taken this approach, which has been criticised by civil society
(including Max Schrems) and other data protection authorities, because it wants to
address MP’s transfers with respect to all users, instead of focusing only on one
complainant.
30

Max Schrems initiated a judicial review procedure against the DPC, arguing that his
complaint should be resolved independently of the ‘own volition’ investigation. Before
the case was heard before the Irish courts, the DPC reached a settlement with Mr.
Schrems in January 2021, indicating that it would finalise his complaint procedure
swiftly.
In the context of the own volition investigation, MP also initiated legal proceedings
against the DPC  before the Irish High Court on procedural grounds, after the DPC
issued a preliminary order to MP in fall 2020 to suspend its data transfers to the US.
While this was only an intermediary step as part of the ongoing investigation, on which
MP was requested to provide its views (the investigation was therefore not yet finalised
and no decision had been taken), MP claimed that it did not receive sufficient time to
present its views.
In May 2021, the Irish High Court dismissed MP’s claim. Following that decision, the
DPC pursued its investigation in the context of which it received numerous submissions
(by the parties by also by third parties such as the US etc.). Several parties that have
intervened before the DPC have asked to wait until the conclusion of the negotiations
between the Commission and the US, before taking a final decision.
Once the DPC will have reached a conclusion on the lawfulness of MP’s data transfers
on the basis of SCCs, its draft decision wil  be submitted to the EDPB for its opinion.
The timeline is not yet known.
Post-Schrems II actions of other data protection authorities
US companies are increasingly putting pressure

to agree on a successor arrangement to the Privacy Shield as soon as
possible. This is fuelled in particular by fear of upcoming enforcement action by
European data protection authorities (DPAs) after the Schrems II judgment. In the
past months, the first “post-Schrems II” cases have appeared, e.g. the suspension by the
Portuguese DPA of the transfer of census data from a Portuguese public authority to the
US, cases before the Belgian and French Council of States (insisting on the importance
of specific protections, such as encryption).

hese
cases were triggered by complaints from None of Your Business, the non-profit
organisation headed by Max Schrems.
Certain DPAs have also started to issue specific guidance  on the Schrems II
judgment. Companies have for instance criticised recent guidance from the Berlin DPA,
where it advises companies to switch to providers (referring in particular to cloud
service providers) in the EU or countries benefiting from an adequacy decision, and to
move personal data stored in the US back to the EU.

31

link to page 32 link to page 32 DIGITAL MARKETS ACT AND DIGITAL SERVICES ACT
In an interview in Le Monde1 in the first quarter of 2021,
noted that Meta
Platforms (MP) is largely in agreement with the objectives pursued by the DSA which
seem sensible.
MP noted that the text of the DSA seems to be well reflected and supported the
transparency related obligations, in particular in relation to content moderation. The
current policy of MP already supports regular 3-months interval reporting on its content
moderation decisions.
MP noted conversely that the enforcement framework seems relatively complex, but
considered that the legislative process may provide an opportunity to further discuss the
governance set up.
In response to the Irish Government’s call for views on the DSA in January 2021, MP
further added on the DSA that2:
It welcomed that harmful content was not equated to illegal content and that harmful
content  was included in the DSA through co-regulation, risk assessments and
mitigation measures. At the same time, it highlighted that these provisions were quite
broad and that there should be more clarity about the trigger for sanctions.
It noted that the compliance burden  for very large online platforms was very
significant.
It highlighted that the restrictions on personalised algorithms needed to be carefully
considered as such restrictions would directly impact the quality of the service and
negatively impact the user experience.
It noted its concern on the role of the European Commission in the enforcement of the
DSA. According to MP, the Commission has disproportionate powers  and these
powers do not have appropriate safeguards. In addition, MP highlighted that there
was uncertainty around the role of the digital services coordinator and other competent
authorities.
Finally, it noted that there should be increased proportionality in the out-of-court
dispute settlement provisions.
MP seems more critical about the DMA proposal.
It considers that the Commission should build more on the past examples of ex-ante
regulatory framework, such as for telecoms, and base the intervention on a case-by-
case analysis  similar to competition law as opposed to the approach proposed (i.e.
directly applicable obligations clearly defined in the Regulation itself).
In particular, MP considers that a list of behaviours to be prohibited should not be the
way in which regulatory intervention would considered. According to MP lists of
prohibited practices risks being a roadblock to the innovation. Blanket banning of
market  behaviours also risks being inefficient, negatively impacting consumers, and
actually risks worsening the problems at hand given that it will render possible new
entrants limited in how they can innovatively challenge any incumbent.

1 https://www.lemonde.fr/pixels/article/2021/01/23/facebook-sur-la-moderation-on-nous-reproche-une-
chose-et-son-contraire_6067357_4408996.html.
2 Facebook-DSA-Submission.pdf (enterprise.gov.ie)
32

MP considers that the platform economy has seen a number of market entries to
challenge the incumbent and this dynamic fosters competition and delivers considerable
consumer benefit. Such innovation would be put at risk if businesses were possibly pre-
emptively restricted in how they could compete in other markets
In the reply to the open public consultation MP itself referred to several unfair
practices they have been exposed to, in particular as app developers in relation to
opaque terms of Apple AppStore.

33

The content of this page is out of the scope of the
request

Document Outline