The Data Protection Commission (DPC) has today announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. (Meta Ireland was previously known as Facebook Ireland Limited).
Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).
Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.
The inquiries concerned two complaints about the Facebook and Instagram services, each one raising the same basic issues. One complaint was made by an Austrian data subject (in relation to Facebook); the other was made by a Belgian data subject (in relation to Instagram).
The complaints were made on 25 May 2018, the date on which the GDPR came into operation.
In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. (Under Article 6 of the GDPR, data processing is lawful only if and to the extent that it complies with one of six identified legal bases). Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook’s and Instagram’s services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations.
If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so).
Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).
The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.
Following comprehensive investigations, the DPC prepared draft decisions in which it made a number of findings against Meta Ireland. Notably, it found that:

1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.

2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis.

Under a procedure mandated by the GDPR, the draft decisions prepared by the DPC were submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”).
On the question as to whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions, albeit that they considered the fines proposed by the DPC should be increased.
Ten of the 47 CSAs raised objections in relation to other elements of the draft decisions (one of which was subsequently withdrawn in the case of the draft decision relating to the Facebook service). In particular, this subset of CSAs took the view that Meta Ireland should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.
The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising.  In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.
Following a consultation process, it became clear that a consensus could not be reached. Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (“the EDPB”).
The EDPB issued its determinations on 5 December 2022.
The EDPB determinations rejected many of the objections raised by the CSAs. They also upheld the DPC’s position in relation to the breach by Meta Ireland of its transparency obligations, subject only to the insertion of an additional breach (of the “fairness” principle) and a direction that the DPC increase the amount of the fines it proposed to impose.
The EDPB took a different view on the “legal basis” question, finding that, as a matter of principle, Meta Ireland was not entitled to rely on the “contract” legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising.
The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.
In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has increased the amount of the administrative fines imposed on Meta Ireland to €210 million (in the case of Facebook) and €180 million in the case of Instagram. (The revised levels of these fines also reflect the EDPB’s views in relation to Meta Ireland’s breaches of its obligations in relation to the fair and transparent processing of users’ personal data).
The DPC’s existing requirement that Meta Ireland must bring its processing operations into compliance with the GDPR within a period of 3 months has been retained.
Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.
Compliments of the Irish Data Protection Commission.
The post Data Protection Commission announces conclusion of two inquiries into Meta Ireland first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

With the right tools, policymakers can help to manage the climate risks impacting economies and financial systems

When it comes to the devastating impact of climate change, most people think of the harm inflicted on lives and livelihoods. Yet the effects of more frequent and extreme weather are just as consequential for the health of financial systems.
The physical impacts of climate-related shocks, such as hurricane damage to power grids, affect financial institutions and how they make decisions. So do the risks of transition to a low-carbon economy. Think of the costs of new carbon taxes or new laws that require phase-outs of fossil fuels before greener replacements are available.
To make well-informed decisions about future operations, banks, insurers, and others in the financial sector need tools to manage climate risks in their operations and balance sheets. At the same time, as financial supervisors monitor the resilience of the system, they need tools to adequately assess and supervise these risks.
Financial risk analysis
With the right tools, financial sector authorities can start to assess climate risks as a crucial input to gauging how to manage them with the right policies.
This is where the IMF comes in. The Fund’s Financial Sector Assessment Program already regularly examines the resilience of banks and other institutions, including with stress tests to better gauge systemic risks. These procedures are being retooled to incorporate climate risk analysis to better gauge financial stability risks from climate change.
Risk analysis typically entails development of scenario-based stress tests for assessing bank solvency. The process incorporates adverse macroeconomic scenarios specifically designed for the tests—including elements like economic contraction, rising unemployment, exchange-rate shocks, and falling asset prices.
These scenarios are then used as inputs when looking at relationships between these macro drivers and risk factors, such as credit risk and interest income, to estimate impacts on bank income and capital. Bank resilience is then assessed based on whether capital levels fall below regulatory thresholds.
Beyond the standard approach
Unlike conventional stress testing, climate risk analysis, at this stage, doesn’t focus on quantifying possible capital needs of financial institutions relative to the regulatory thresholds. Instead, the IMF approach focuses on measuring and raising awareness of risks. This reflects new challenges, including the complexities of modeling climate risk and its economic impacts over very long horizons and major data gaps.

While the consequences of climate change will play out over decades, risks that could arise in the next three to five years are considered in typical stress testing exercises. The incidence and impact of extreme events is rising and there is sizable uncertainty over policies. All these can potentially have large effects on the value of companies, and thus banks, as markets price in the effects of longer-term risks on business prospects.
The first step in the IMF’s climate risk analysis is to assess which hazards are the most relevant for a country. Where climate risks are important, the bank solvency stress testing framework incorporates the physical and transition risk.
This often starts with temperature and emissions scenarios based on figures from the United Nations Intergovernmental Panel on Climate Change and adapted by the Network for Greening the Financial System, a coalition of central banks working on climate change.
Climate scenarios then map emissions and temperature scenarios to physical risks, like extreme weather, and transition risks, such as future carbon taxes. These scenarios point to the trade-offs between physical and transition risk—the more orderly the transition, the lesser the increase in temperatures and the occurrence of physical climate risk.
Data and projections
The overall assessment of bank stability involves measuring how physical or transition risks impact the economy and bank capital. Physical risks are localized and require new approaches to understanding where storms and floods may strike. The analysis uses new data and projections of the likelihood and impact of different hazards on physical assets like buildings or infrastructure, and economic activity, such as extreme heat that reduces working hours. This approach was applied to consider risks to banks from typhoons in the 2021 Philippines FSAP.
Policies to support transition to a lower carbon world seek to shift resources from brown to green sectors, impacting the prospects for the brown sectors. For the purposes of analyzing how this impacts the financial sector, we assess the impact of carbon taxes (as a proxy for the wide set of policies to foster transition) on individual economic sectors and, where possible, directly on firms’ balance sheets and therefore to banks.
We also assess what happens if investors reassess the value of businesses because of the effect of unforeseen changes in policies on long term earnings. Such an outcome, sometimes referred to as a climate Minsky moment, could lead to increases in credit risk today, affecting bank capital. This was discussed in this year’s United Kingdom FSAP which gauged how firm valuations, and thus credit risk, could be suddenly affected by climate change.
Enhancing the policy framework
At this early stage, climate risk analysis can help raise awareness around the prudent management of climate risks and incentivize banks in improving their frameworks. At the same time, it will help to inform supervisors about the potential magnitude of climate-related risks in their jurisdictions and better understand transmission channels to the financial system.
Currently, several supervisors and central banks use climate stress tests to measure the exposures to related risks. This helps to understand the challenges to banks’ business models, the implications for the provision of financial services, and desired policy responses. Ultimately, climate risk analysis will help financial institutions disclose and manage related risks.
Authors:

Tobias Adrian
Vikram Haksar
Ivo Krznar
This blog reflects research by Pierpaolo Grippa, Marco Gross, Sujan Lamichhane, Caterina Lepore, Fabian Lipinsky, Hiroko Oura and Apostolos Panagiotopoulos.

Compliments of the IMF.
The post IMF | How Economies and Financial Systems Can Better Gauge Climate Risks first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

Blog post by Fabio Panetta, Member of the Executive Board of the ECB |

Trading in unbacked digital assets should be treated by regulators like gambling.

Last year marked the unravelling of the crypto market as investors moved from the fear of missing out to the fear of not getting out.
TerraUSD — a stablecoin that was stable in name only — was among the first to fall in a chain of collapses that brought down several lending platforms, a hedge fund, a leading crypto asset exchange and most recently a large US-listed crypto mining company. Other crypto companies are likely to be added to this list in the coming months.
These failures occurred in rapid succession, reflecting crypto players’ incredibly high leverage, their interconnectedness across the crypto ecosystem and their inadequate governance structures.
Yet remarkably, the crypto market rout has left the financial system largely unscathed. Many therefore think it preferable to let crypto burn rather than regulate at the risk of legitimising cryptos. Let me voice two important reservations about this view.
First, despite their fundamental flaws, it is not certain that crypto assets will ultimately self-combust.
Take unbacked crypto assets, for instance. They do not perform any socially or economically useful function: they are rarely used for payments and do not fund consumption or investment. As a form of investment, unbacked cryptos lack any intrinsic value, too. They are speculative assets. Investors buy them with the sole objective of selling them on at a higher price. In fact, they are a gamble disguised as an investment asset.
But it is precisely for this reason that we cannot expect them to disappear. People have always gambled in many different ways. And in the digital era, unbacked cryptos are likely to continue to be a vehicle for gambling.

This year’s crypto market meltdown caught millions of investors off guard.

Second, the cost to society of an unregulated crypto industry is too high to ignore. For one, this year’s crypto market meltdown caught millions of investors off guard. Uninformed investors were left with significant losses. It is not just cryptos that are being burnt.
In addition, unregulated cryptoassets can be used for tax evasion, money laundering, terrorist financing and the circumvention of sanctions. They also have high environmental costs.
That is why we cannot afford to leave cryptos unregulated. We need to build guardrails that address regulatory gaps and arbitrage and tackle the significant social costs of cryptos head-on.
This is easier said than done. Regulators must walk a tightrope. Like Ulysses, they must resist the beguiling crypto sirens to avoid falling prey to the industry’s intense lobbying. And on their journey, they must steer clear of the Scylla of poor regulation and the Charybdis of legitimising unsound crypto models.
The EU’s Regulation on Markets in Crypto-Assets is an important step. It is crucial that it is implemented as soon as possible. However, further work needs to be done to ensure that all segments of the industry are regulated, including decentralised finance activities such as crypto asset lending or non-custodial wallet services.
In addition, regulation should acknowledge the speculative nature of unbacked cryptos and treat them as gambling activities. Vulnerable consumers should be protected through principles similar to those recommended by the European Commission for online gambling. They should be taxed in accordance with the costs they impose on society.
To avoid the risk of regulation lagging behind because of the time needed for legislative processes, regulators and supervisors need to be empowered to keep pace with crypto developments.
And to be effective and prevent regulatory arbitrage, regulation must have a global reach. The recommendations of the Financial Stability Board for the regulation and oversight of crypto asset activities and markets should be finalised and applied urgently, as should the rules recently published by the Basel Committee for the treatment of banks’ exposures to cryptos.
However, regulation and taxation alone will not be sufficient to address the shortcomings of cryptos. To build solid foundations for the digital finance ecosystem, we need a risk-free and dependable digital settlement asset, which can only be provided by central bank money. That is why the ECB and central banks around the world are working on both retail and wholesale central bank digital currencies. By preserving the role of central bank money as the anchor of the payment system, central banks will safeguard the trust on which private forms of money ultimately depend.
Author:

Fabio Panetta, Member of the ECB’s Executive Board

Compliments of the European Central Bank.
The post ECB | Caveat emptor does not apply to crypto first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

The European Commission launched the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
Today’s draft decision follows the signature of a US Executive Order by President Biden on 7 October 2022, along with the regulations issued by the US Attorney General Merrick Garland. These two instruments implemented into US law the agreement in principle announced by President von der Leyen and President Biden in March 2022.
The draft adequacy decision, which reflects the assessment by the Commission of the US legal framework and concludes that it provides comparable safeguards to those of the EU, has now been published and transmitted to the European Data Protection Board (EDPB) for its opinion. The draft decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.
Key elements
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.
In addition, the US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, which addressed the issues raised by the Court of Justice of the EU in the Schrems II judgment:

Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security;
EU individuals will have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.

European companies will be able to rely on these safeguards for trans-Atlantic data transfers, also when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules.
Next steps
The draft adequacy decision will now go through its adoption procedure. As a first step, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with European data protection authorities, and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.
Background
Article 45(3) of the General Data Protection Regulation grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures ‘an adequate level of protection’, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow freely from the EU (and Norway, Liechtenstein and Iceland) to a third country without further obstacles.
After the invalidation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the EU, the European Commission and the US government entered into discussions on a new framework that addressed the issues raised by the Court.
In March 2022, following intense negotiations between the lead negociators, Commissioner Reynders and Secretary Raimondo, President von der Leyen and President Biden announced an agreement in principle on a new transatlantic data transfer framework. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which was complemented by regulations adopted by the US Attorney General. Together, these two instruments implemented the US commitments into US law, as well as complemented the obligations for US companies. On this basis, the Commission is now proposing a draft adequacy decision on the EU-U.S. Data Privacy Framework.
Once the adequacy decision is adopted, European entities will be able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.
For More Information
Draft adequacy decision
Q&A
Factsheet – Transatlantic Data Privacy Framework
The post Data protection: Commission starts process to adopt adequacy decision for safe data flows with the US first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

Today, the EU’s work on its ‘digital DNA’ – the European Declaration on Digital Rights and Principles – has culminated: In the margins of the European Council, Commission President Ursula von der Leyen signed the text together with the President of the European Parliament Roberta Metsola, and Czech Prime Minister Petr Fiala for the rotating Council presidency.
The Declaration, put forward by the Commission in January this year, presents the EU’s commitment to a secure, safe and sustainable digital transformation that puts people at the centre, in line with EU core values and fundamental rights. The Declaration shows citizens that European values, as well as the rights and freedoms enshrined in the EU’s legal framework, must be respected online as they are offline. Shaped around six chapters, the text will guide policy makers and companies dealing with new technologies. The Declaration will also steer the EU’s approach to the digital transformation throughout the world.
President of the Commission, Ursula von der Leyen, said: “The signature of the European Declaration on Digital Rights and Principles reflects our shared goal of a digital transformation that puts people first. The rights put forward in our Declaration are guaranteed for everybody in the EU, online as they are offline. And the digital principles enshrined in the Declaration will guide us in our work on all new initiatives.”
Rights and principles to guide the digital transformation
The digital transformation affects every aspect of people’s lives. It offers opportunities for greater personal wellbeing, sustainability and growth, but can also raise risks to which a public policy response is needed. With the Declaration on digital rights and principles, the EU wants to secure European values by:

 Putting people at the centre of the digital transformation;
 Supporting solidarity and inclusion through connectivity, digital education, training and skills, fair and just working conditions and access to digital public services;
 Restating the importance of freedom of choice and a fair digital environment;
 Fostering participation in the digital public space;
 Increasing safety, security and empowerment in the digital environment, in particular for young people;
 Promoting sustainability.

Concretely, these rights and principles mean: affordable and high-speed digital connectivity everywhere and for everybody, well-equipped classrooms and digitally skilled teachers, seamless access to public services online, a safe digital environment for children, disconnecting after working hours, obtaining easy-to-understand information on the environmental impact of our digital products, control about how personal data is used and with whom it is shared.
Next Steps
The signature of the European Declaration of digital rights and principles at the highest level reflects the shared political commitment of the EU and its Member States to promote and implement these principles in all areas of digital life, and to reach the objectives of the 2030 Digital Compass. The Declaration will also guide the concrete work on the Digital Decade Policy Programme, the monitoring and cooperation mechanism to attain the common digital objectives for the end of this decade. To achieve the 2030 goals, and for the Declaration to produce concrete effects, the Commission will monitor progress and report through the annual ‘State of the Digital Decade’ report. Furthermore, the Declaration will guide the EU in its international relations on how to shape a digital transformation that puts people and human rights at its centre.
Background
On 9 March 2021, the Commission laid out its vision for Europe’s digital transformation by 2030 in its Digital Compass: the European way for the Digital Decade Communication. In September 2021, the Commission put forward a Path to the Digital Decade, a robust governance framework to reach these digital targets.
The Commission proposed the Declaration of Digital Rights and Principles in January 2022. The Commission, Parliament and the Council reached an agreement on the Declaration in November 2022. The Declaration adds to previous digital initiatives from Member States, such as the Tallinn Declaration on eGovernment, the Berlin Declaration on Digital Society and Value-based Digital Government, and the Lisbon Declaration – Digital Democracy with a purpose.
The Commission also conducted an open public consultation which showed broad support for European Digital Principles – 8 EU citizens out of 10 consider it useful for the EU to define and promote a common European vision on digital rights and principles – as well as a special Eurobarometer survey.
The declaration, and the rights contained within, is rooted in the treaties and the Charter of Fundamental Rights. It builds on existing digital policies, such as data protection, ePrivacy, workers’ rights and case law of the Court of Justice. It complements the European Pillar of Social Rights.
Compliments of the European Commission.
The post Digital Rights and Principles: Presidents of the Commission, the European Parliament and the Council sign European Declaration first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.