Ireland’s Data Protection Commission and Meta: What You Need to Know

Fox Rothschild LLP

Ireland’s Data Protection Commission has fined Meta Ireland 1.2 billion EUR.

While you have probably heard about that, there is much, much more to this case and to the larger Schrems II cross-border transfer saga. Here is what you need to know:

The question at hand is simple: Could Meta use Standard Contractual Clauses (SCCs) for transfers to the U.S.?

Decision:

  • SCCs (old or new) and the supplemental measures Meta used are not enough for cross border transfers to the U.S.
  • The Data Transfers are made in circumstances which fail to guarantee a level of protection to data subjects that is essentially equivalent to that provided by EU law, and in particular, by the GDPR read in light of the Charter of Fundamental Rights of the European Union (the Charter). Accordingly, Meta Ireland is infringing Article 46(1) GDPR by making the Data Transfers.

Effective result:

  • 1.2 billion EUR fine. Taking into account the nature and scope of the processing, as well as the very high number of data subjects affected, Meta IE committed an infringement of significant nature, gravity and duration.
  • Transfers need to stop.
  • This includes storage in the U.S. of personal data of European Economic Area users transferred in violation of the GDPR, which means de facto deletion.
  • Effective immediately, but stayed for 6 months.

The things that were generally agreed on:

  • The holding of the case applies to the new SCCs (as well as the old ones)
  • It applies (officially) only to the Facebook service (but, of course, the implications regarding the validity of SCCs alone and what constitutes an effective supplemental measure apply beyond Facebook and Meta)
  • The “processing” of personal data undertaken by Meta Ireland in connection with the Data Transfers is “cross-border processing” within the meaning of Article 4(23)(a) GDPR in circumstances where all such Meta US products and services are provided to users in the EU/EEA by Meta Ireland, being a controller in the EU which, whilst understood to have a number of establishments within the EU, has its place of central administration in the EU in Ireland, where decisions on the purposes and means of the processing of Users’ personal data are taken. As such, Ireland is its main establishment and the DPC is the lead supervisory authority
  • The Facebook Service is provided to EU data subjects by Meta Ireland, and as such, processing undertaken in that context substantially affects or is likely to substantially affect data subjects in more than one Member State
  • Meta Ireland makes the Data Transfers pursuant to the 2021 SCCs and by reference to the assessments contained or comprised in the TIA
  • Meta Ireland is a company that is an electronic communications services provider, subject to Section 702 FISA and to the PRISM program
  • Meta US complies with U.S. law, and this includes complying with access requests made by the U.S. government when such access requests are made in accordance with U.S. law

FISA and PRISM:

  • PRISM results in U.S. law not providing a standard of protection that is essentially equivalent to that provided by the GDPR
  • UPSTREAM (data in transit): DPC says encryption may resolve the UPSTREAM problem but in view of the PRISM conclusion it declines to assess this in depth
  • EO 12333: In my analysis, DPC declines to consider EO 12333 or the reliability of the end-to-end encryption in light of the conclusions reached in relation to PRISM
  • Recent changes in U.S. laws fail to remedy the particular gaps or deficiencies in U.S. law, as identified by the CJEU in the Judgment and cannot be considered to provide essentially equivalent protection for data subjects compared to those provided under EU law
  • Even if (not tested) there is no de-facto bulk collection, FISA Section 702 does not indicate any limitations on the power it confers to implement surveillance programs for the purposes of foreign intelligence or the existence of guarantees for non-U.S. persons potentially targeted by those programs. Meta remains susceptible to bulk collection
  • The fact that the UK is adequate despite its own surveillance program does not in itself demonstrate that bulk collection does not, in itself, undermine the essential equivalence of a regime. Rather, you need to consider the other elements relating to oversight and enforceable data subject rights and the role of the UK’s Information Commissioner’s Office contained in the UK Adequacy Decision

Derogations:

No Art 49 derogations apply to these transfers

  • Derogations are permissible only where they: “first, are ‘provided for by law’, secondly, respect the ‘essence’ of that freedom and, thirdly, respect the principle of proportionality”
  • The assessment of whether there has been an interference with the essence of the fundamental right at issue must be made prior to and independently of the assessment of the proportionality of the measure in question
  • It is only where a derogation from a fundamental right respects the “essence” of that right that it is necessary to proceed to a balancing test
  • Per the CJEU: Legislation (like in the U.S.) not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter
  • The well-established principle that a derogation cannot become “the rule” in practice, reflected in the final draft of the EDPB Regulations, applies to all Article 49 derogations

Contractual Necessity Derogation:

  • Data can be transferred under the contractual necessity derogation to a third country that does not ensure a level of protection that is “essentially equivalent” to that guaranteed by the EU, but that nevertheless respects the “essence” of the fundamental rights arising, provided that transfer meets the requirements of Article 49(1)(b) GDPR and is subject to the proportionality test in the second line of Article 52(1) of the Charter
  • Contractual necessity derogation cannot be relied on to justify the systematic, bulk, repetitive and ongoing transfers to the U.S. comprised within the Data Transfers because it interferes with the essence of a fundamental right; or even if not: it can be for occasional (not bulk) transfers only

Public Interest Derogation:

  • Article 49(1)(d) GDPR cannot be interpreted or applied so as to permit the systematic, bulk, repetitive and ongoing transfers comprised within the Data Transfers, where the transfers thereby effected would give rise to a breach of the essence of the fundamental rights of EU/EEA users
  • Even those derogations which are not expressly limited to “occasional” or “not repetitive” transfers have to be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place

Consent Derogation:

  • Meta Ireland has not in fact obtained the explicit consent of EU/EEA users to any of the Data Transfers at this point. It follows, therefore, (and I so find), that Meta Ireland cannot rely on the derogation under Article 49(1)(a) GDPR to justify the Data Transfers
  • Whether Meta Ireland could rely on Article 49(1)(a) GDPR to justify any of the Data Transfers in the future, if it were to obtain the explicit consent of EU/EEA users, cannot be determined in the abstract
  • Generally, it may be possible for reliance to be placed on Article 49(1)(a) GDPR to justify a transfer or set of transfers to the U.S., where all of the requirements of that sub-article are followed
  • Although identified legislation in the United States does not respect the “essence” of Article 47 Charter rights, I accept that that does not necessarily or automatically mean that a derogation that permits a specific transfer of data to the United States, subject to explicit and fully informed consent in accordance with Article 49(1)(a) GDPR, will interfere with the “essence” of that fundamental right
  • This is because, in order to obtain explicit consent under Article 49(1)(a) GDPR to “the proposed transfer,” it is necessary that the data subject is “informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”
  • You need to disclose: the information that would be provided for ‘normal’ consent, inter alia: (i) that the data will not be subject to equivalent protection to that afforded by Article 7 and Article 8 of the Charter, (ii) that identified laws in the United States interfere with the essence of Article 47 Charter rights with respect to that data, and (iii) of the possible risks of the proposed transfer to the data subject
  • It is unclear how, on a practical level, Meta Ireland could justify all of the Data Transfers based on Article 49(1)(a) GDPR in the event that it sought to put in place a scheme by which the explicit consent of EU/EEA Users to any proposed transfer of their personal data to the United States was obtained, sufficient to meet the requirements laid down in Article 49(1)(a) GDPR and elsewhere in the GDPR
  • In particular, the DPC's preliminary view is that a single consent by an EU/EEA data subject could not be sufficient to justify any and all future transfers of that user’s personal data to the U.S.

SCCs:

In circumstances in which the law of a third country allows its public authorities to interfere with the rights of the data subjects to which that data relates, SCCs will not suffice to guarantee the necessary protection of the data. This is the case for the U.S.

  • The Commission Nationale de l'Informatique et des Libertés (CNIL) and European Data Protection Board already said this
  • Neither the 2010 nor the 2021 SCCs can compensate for the inadequate level of protection provided by U.S. law
  • The requirement on a controller is to take measures which “compensate” for the lack of data protection in the third country, and not those which alternatively “address” or “mitigate” the deficiencies
  • Nothing in the 2021 SCCs changes the fact that Meta Ireland and/or Meta US is an electronic communications service provider subject, at a minimum, to the obligations imposed under the FISA 702 PRISM program
  • Meta Ireland's reliance on the 2021 SCCs (which are not, of course, binding on the U.S. Government) does not (and cannot) compensate for the deficiencies in U.S. law identified in the Judgment

Remedies:

General Factors:

  • You need a remedy that is a deterrent both to the company in question and to other controllers, especially since transfers to the U.S. are prevalent. The aim is to stop controllers from simply continuing to breach until they get caught
  • The mere finding that an undertaking is in an adverse or loss-making financial situation does not automatically warrant a reduction of the amount of the fine
  • The number of data subjects affected should mean “concretely but also potentially affected.” In other words, “affected” data subjects are not only data subjects whose accounts have been subject to access requests, but also data subjects whose accounts could have been subject to access requests

Suspension:

  • Suspension of data transfers is not required in all cases where there is non-compliance with Article 46 GDPR. This is true only where protection can be “ensured by other means.” In this case, DPC is not satisfied that such “other means” have been demonstrated by Meta Ireland.
  • Supervisory authorities should suspend any data transfer if “in light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means”
  • Where a measure compromises the essence of a fundamental right (the right to effective judicial protection), it is per se incompatible with the Charter, without there being a need to carry out a balancing exercise between such competing interests (if any) as may also be engaged
  • In the circumstances, and noting Meta Ireland’s position that, if it cannot make the Data Transfers, it would not be in a position to maintain the provision of its services in the EU/EEA, the exercise of any corrective power other than one directing the temporary or permanent cessation of the offending transfers would result in a situation where the essence of a fundamental right of users would be compromised on an ongoing and indefinite basis
  • The fact that Meta’s architecture does not enable the continuation of its service in the EU without transfers is not a good enough reason to not order a suspension when one is warranted.
  • The orders will remain effective unless and until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by way of new measures, not currently in operation, such as the possible future adoption of a relevant adequacy decision by the European Commission pursuant to Article 45 GDPR.

Negligence:

Meta IE committed the infringement with the highest degree of negligence, and this has to be taken into account when deciding whether an administrative fine should be imposed.

  • With respect to the finding of the IE SA that reliance on Article 49 GDPR was not open to Meta IE for the purpose of carrying out the FB International Transfers, the EDPB is of the view that at the very least Meta IE could not have been unaware of the guidance of the EDPB and of the findings of the CJEU that the derogations cannot be relied upon for systematic and massive transfers and have to be strictly construed
  • Although a company for which the processing of personal data is at the core of its business activities is expected to have sufficient measures in place for the safeguard of personal data and for the thorough understanding of its duties in this regard, this does not per se demonstrate the willfulness of an infringement. In this regard, the EDPB notes that Meta IE has taken steps in order to achieve compliance with Chapter V of the GDPR following the Schrems II judgment, but these steps were not sufficient to achieve compliance as established by the Draft Decision. Consequently, the EDPB takes the view that, on the basis of the objective elements in the case file, “willfulness” on the side of Meta IE is not fully demonstrated.
  • Nevertheless, the EDPB stresses that Meta IE’s position that the relevant U.S. law and practice were already providing a level of protection equivalent to the one provided under EU law in spite of the Schrems II judgment, the lower standard applied by Meta IE when implementing the SCCs and supplementary measures, as well as the subsequent failure to implement supplementary measures that were aimed to compensate (and could compensate) for the inadequate protection provided by U.S. law (rather than address or mitigate “any relevant remaining inadequacies in the protection afforded by U.S. law and practice,” as argued by Meta IE), indicate a very high degree of negligence on the side of Meta IE.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
