EDPB resolves dispute on transfers by Meta and creates task force on ChatGPT

April 14, 2023

The European Data Protection has adopted a dispute resolution decision under Article 65 of the GDPR concerning a draft decision of the Irish DPC on the legality of data transfers to the US by Meta Platforms Limited for its Facebook service. The EDOB says that the binding decision addresses important legal questions arising from the DPC’s draft decision. The EDPB’s binding decision plays a key role in ensuring the correct and consistent application of the GDPR by the national data protection authorities. As no consensus was reached on the objections lodged by several data protection authorities, the EDPB was called upon to settle the dispute between the data protection authorities within two months.

In particular, the EDPB has resolved the issue about whether an administrative fine and/or an additional order to bring processing into compliance must be included in the DPC’s final decision.

The DPC is now required to adopt its final decision, addressed to the controller, based on the EDPB’s binding decision considering the EDPB’s legal assessment. The deadline is one month after the EDPB has notified its decision. The EDOB will publish its decision on its website after the DPC has notified its national decision to the controller.

In addition, the EDPB members have discussed the recent enforcement action undertaken by the Italian data protection authority against Open AI about the ChatGPT service.

The EDPB also decided to launch a dedicated task force to foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities.

Finally, the EDPB adopted a letter to the European Parliament, the Council and the European Commission on data sharing for anti-money laundering and countering the financing of terrorism (AML/CFT) purposes. The letter highlights the significant risks to privacy and data protection posed by some amendments introduced by the Council, which would allow private entities, under certain conditions, to share personal data between each other for AML/CFT purposes concerning suspicious transactions and data collected in the course of performing customer due diligence obligations.