On May 22, the Irish Data Protection Commission (“DPC”), Ireland’s data privacy watchdog, issued its final and binding decision against Meta with respect to Facebook’s exporting of personal data from Europe to the US from July 2020 (the date of the collapse of the Privacy Shield framework) onwards. The decision includes a record $1.2 billion fine against Meta, and an order directing Meta to suspend data transfers to the US within five months and cease other unlawful data processing.
Meta states it has been “singled out” by the DPC decision, which it says reflects a “fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own.”
Meta will appeal the decision, and seek a stay of the orders while its appeal is pending.
The DPC decision reflects core uncertainties around international data transfers from Europe, following the Court of Justice of the European Union (CJEU)’s 2020 Schrems II decision invalidating the US-EU Privacy Shield Framework. In addition to invalidating the US-EU Privacy Shield, the Schrems II decision also cast doubt on the validity of relying on Standard Contractual Clauses (SCCs) as a transfer mechanism, with the CJEU emphasizing its ongoing concerns about US Government access to private sector data, including data of EU individuals subject to the European Union’s General Data Protection Regulation (GDPR).
Following Schrems II, Meta, like the majority of companies, adopted updated SCCs and also rolled out a range of protective supplementary measures. What neither Meta nor any other company could do, however, was provide redressability (i.e. administrative or judicial review) of complaints by EU individuals that their data was or may have been accessed by the US government under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The Irish DPC decision follows almost one year of negotiation between the Irish DPC and the European Data Protection Board (EDPB), which played a key role through the cooperation and consultation process underpinning Ireland’s role as lead supervisory authority for Meta. The EDPB held that Ireland’s draft decision did not go far enough and, given that the data exports at issue were “systematic, repetitive and continuous” and massive in volume (over 300m European users of Facebook), essentially directed the Irish DPC to issue a fine against Meta.
In March 2022, President Biden and European Commission President von der Leyen announced that they had reached an agreement on the principles of a new framework to enable the free flow of transatlantic data – known as the Data Privacy Framework (DPF). Policymakers have committed to passing the framework as quickly as possible, and the Irish DPC decision states that the suspension orders may be resolved by DPF adoption.
Practical Takeaways of the DPC Meta Decision
Though not unexpected, the decision is striking in a number of ways and merits close attention for any company accessing or transferring personal data from Europe.
First, the DPC investigation made several key findings that are stated to be potentially applicable to other internet platform companies and other companies subject to US foreign intelligence surveillance access laws:
- The US does not guarantee the same level of protection as the EU regarding personal data – there is no “essential equivalence;”
- The model contractual clauses used by Meta to “legalise” the data export to the US were not sufficient to make up for that failure;
- There were no supplemental measures in place to compensate for the above two factors.
Perhaps the most concerning takeaway from the decision is that the standard contractual clauses (plus the numerous supplementary measures implemented by Meta) were not a sufficient basis for the transfer or to avoid liability. The refusal of the DPC to credit Meta’s supplementary measures, in particular, calls into question the possibility of compliance with GDPR and its international data transfer regime if a company of the scale and resources of Meta cannot achieve compliance. This goes to the crux of the “fundamental conflict” noted by Meta in its press release.
To put it another way, the DPC decision appears to undermine the ability of businesses transferring personal data from the EU to the US to rely on SCCs and any supporting transfer impact assessments (TIAs) as a sufficient safeguard to continue to lawfully transfer data to the US pursuant to GDPR Article 46. The decision suggests the validity of the SCCs and related safeguards will come under increased scrutiny, including potentially by other Supervisory Authorities.
What Can Your Organization Do? Drilling Down on Your TIAs.
At the end of the day, Meta’s data transfers were of a large scale and volume unique to that organization. Additionally, the personal data transferred by Meta was understood to be in-scope of FISA Section 702 surveillance, making the data transfers distinguishable from ordinary business operations such as transferring employee data for remote EU operations.
Helpfully, the DPC decision expressly states that “the EDPB Supplemental Measures Recommendations do not exclude a so-called risk-based approach” for most organizations (although the decision found the risk-based approach adopted by Meta did not compensate for exposure to US surveillance laws).
Nonetheless, as part of an organization’s transfer impact assessment, particular attention should be paid to determining whether the personal data transferred is likely subject to FISA Section 702 and the degree of likelihood that surveillance under FISA will (or will not) take place. Those organizations with a high degree of confidence that their data transfers are not subject to Section 702 may consider their data transfers low risk and should be able to continue to rely on SCCs and additional measures for transfer.
Until the DPF is formally adopted, which is expected to be later this summer, transfers of “high-risk” data should be subject to additional scrutiny, including supplementary measures and safeguards.