Ireland’s Data Protection Commission (the “Commission”), acting as lead supervisory authority for Meta under the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), recently fined Meta Platforms Ireland (“Meta Ireland”) $1.3 billion (€1.2 billion) for transferring personal data from the European Economic Area (“EEA”) to the United States without a valid legal basis under the GDPR. The decision covers personal data such as names, email and IP addresses, messages, viewing history, geolocation data and data used for targeted online advertising.
The $1.3 billion fine is the largest penalty issued under the GDPR to date, and the decision imposes requirements beyond the fine. Meta Ireland was ordered to suspend future transfers of personal data to the U.S. within five months and to bring its processing, including data already transferred, into compliance within six months.
The landmark fine reinforces the importance of paying careful attention to the GDPR’s specific requirements for transferring data out of the EEA.
The GDPR regulates the processing of personal data within the EEA and restricts transfers of personal data out of the EEA. Under the GDPR, an entity may lawfully transfer personal data to a recipient outside the EEA in three scenarios: (1) the recipient is located in a country or territory covered by an adequacy decision; (2) appropriate safeguards have been put in place to protect data subjects’ rights in their personal data; or (3) a derogation, such as the data subject’s explicit consent, covers the transfer.
Because the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield in 2020 and the European Commission has not issued an adequacy decision for the U.S., companies have limited options. While the GDPR lists several kinds of appropriate safeguards, the most common is the use of standard contractual clauses (“SCCs”), template clauses approved by the European Commission.
The Meta decision confirms that SCCs, standing alone, are insufficient to legitimize a transfer to the U.S.; they must be paired with supplementary measures that are effective in practice, not merely on paper.
The Commission evaluated Meta’s transfer of data to the U.S. and found the following:
The Commission was particularly concerned with the ability of U.S. intelligence agencies to access EU users’ data without their knowledge or consent. Quoting a 2013 European Commission report on the matter, the Commission highlighted reporting that electronically stored data was collected “by means of directives addressed to the main U.S. internet service providers and technology companies” on the basis of Section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended (“FISA”).
In a report provided to the Commission, Meta described various supplementary measures, organizational, technical and legal, designed to (i) protect data transferred from the EEA to the U.S. and (ii) ensure that EEA data subjects receive protection essentially equivalent to that required under EU law.
Meta’s reported organizational measures included internal reporting procedures and policies. For example, Meta U.S. is required to notify Meta Ireland promptly when it receives a legally binding request from a U.S. public authority, unless prohibited by law from doing so. Its technical measures included standard encryption protocols, asset management controls, management of employee mobile devices, encryption of Meta laptops, cryptographic protection of passwords, and third-party security policies: general security hygiene controls aimed at outside attackers and insiders rather than at a lawful demand served on Meta U.S. itself. Its legal measures included the data transfer agreement between Meta Ireland and Meta U.S. and the use of SCCs.
Even taken together, these supplementary measures did not provide adequate protection. The Commission accepted that Meta’s encryption in transit may guard against “upstream” surveillance, the collection of data as it crosses the internet backbone, but found the technical measures insufficient against “downstream” surveillance, in which the provider itself is compelled to hand over data it holds. Encryption in transit terminates at Meta U.S., which then holds both the data and the keys, and, as the European Data Protection Board’s recommendations on supplementary measures note, a U.S. data importer subject to Section 702 of FISA would be obligated to provide the personal data “and any cryptographic keys necessary to render the data intelligible.” The Commission therefore found Meta’s technical measures insufficient. Meta’s legal and organizational measures fared no better: contractual commitments and notification procedures cannot prevent Meta U.S. from being obligated to disclose personal data in response to a valid request from the U.S. government under FISA.
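The distinction the Commission drew, as an added example that is not part of the original article or of Meta’s submissions: a small Python model of three transfer layouts (transport-only encryption, importer-managed at-rest encryption, and exporter-held keys, the third being the editor’s generalization of the EDPB’s “keys necessary to render the data intelligible” test) showing what an on-the-wire observer sees versus what a compelled importer can hand over. The cipher is an illustrative HMAC-SHA256 keystream built from the standard library so the file runs offline; the layouts, the sample record and all names are assumptions, not anything from the decision.

```python
"""Key custody, not cipher choice, decides whether encryption is a usable
supplementary measure against compelled ("downstream") access.

Added example, not from the original article. All layouts, names and the
sample record are assumptions. The cipher is an illustrative HMAC-SHA256
keystream (stdlib only); a real deployment would use AES-GCM or similar.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

BLOCK = 32  # SHA-256 digest length; one keystream block per counter value


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256(key, nonce || counter) keystream.
    Encryption and decryption are the same operation. Illustrative only."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


class Importer:
    """Hypothetical U.S. data importer. A compelled order yields everything it
    possesses: the stored bytes and every key it was given."""

    def __init__(self) -> None:
        self.stored = b""
        self.keys: dict[str, bytes] = {}

    def compelled_disclosure(self) -> dict:
        return {"data": self.stored, "keys": dict(self.keys)}


def transfer(layout: str, record: bytes) -> tuple[Importer, bytes, bytes]:
    """Simulate one EEA -> U.S. transfer. Returns the importer, the nonce used,
    and the bytes an on-the-wire ("upstream") observer would capture."""
    imp = Importer()
    nonce = secrets.token_bytes(16)
    session_key = secrets.token_bytes(32)  # transport (TLS-like) key
    if layout == "transit-only":
        # Transport encryption ends at the importer, which stores plaintext.
        wire = stream_xor(session_key, nonce, record)
        imp.stored = stream_xor(session_key, nonce, wire)
    elif layout == "importer-managed-key":
        # Importer decrypts on arrival, then re-encrypts at rest with its own
        # key. The key sits next to the data and is disclosable with it.
        wire = stream_xor(session_key, nonce, record)
        plain = stream_xor(session_key, nonce, wire)
        imp.keys["rest"] = secrets.token_bytes(32)
        imp.stored = stream_xor(imp.keys["rest"], nonce, plain)
    elif layout == "exporter-held-key":
        # Exporter encrypts before transfer; that key never leaves the EEA.
        exporter_key = secrets.token_bytes(32)
        inner = stream_xor(exporter_key, nonce, record)
        wire = stream_xor(session_key, nonce, inner)
        imp.stored = stream_xor(session_key, nonce, wire)  # still ciphertext
    else:
        raise ValueError(f"unknown layout: {layout}")
    return imp, nonce, wire


def render_intelligible(disclosure: dict, nonce: bytes, record: bytes) -> bool:
    """Can the requesting authority read the record from what was handed over?
    It tries the data as received and under every disclosed key."""
    data = disclosure["data"]
    candidates = [data] + [stream_xor(k, nonce, data) for k in disclosure["keys"].values()]
    return record in candidates


def assess(layout: str, record: bytes = b"user@example.eu; ip=203.0.113.7") -> dict:
    """Report whether a layout protects against upstream interception and
    against downstream compelled disclosure. The record is a constructed sample."""
    imp, nonce, wire = transfer(layout, record)
    return {
        "upstream_protected": record not in wire,
        "downstream_protected": not render_intelligible(imp.compelled_disclosure(), nonce, record),
    }


if __name__ == "__main__":
    for layout in ("transit-only", "importer-managed-key", "exporter-held-key"):
        print(f"{layout:22s} {assess(layout)}")
```

All three layouts keep the record off the wire, which is the “upstream” point the Commission conceded. Only the layout in which the importer never receives a usable key survives `compelled_disclosure()`, which is the “downstream” test Meta’s measures failed; whether that layout is workable for a service that must process the data in the U.S. is a separate question the decision does not answer.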
Meta has issued a public response to the decision: “This is not about one company’s privacy practices — there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer.”
In March 2022, President Biden and European Commission President Ursula von der Leyen announced an agreement in principle on a new Trans-Atlantic Data Privacy Framework (“TADP”). Once implemented, the TADP is intended to replace the invalidated EU-U.S. Privacy Shield as a mechanism for transfers to the U.S.
Companies should be aware that EU regulators are willing to impose heavy fines for GDPR data transfer violations. Companies transferring personal data out of the EEA should assess whether their use of SCCs, even with supplementary measures, is sufficient to comply with the GDPR, asking in particular whether each supplementary measure would actually hold up against a compelled-access request in the destination country. At present, entities transferring data from the EEA to the U.S. face the difficult position of reconciling obligations under both FISA and the GDPR.
Even if the TADP becomes operational, companies may wish to keep their technical, contractual and organizational supplementary measures in place, since the TADP, like the Safe Harbor and Privacy Shield frameworks before it, could itself be invalidated by the EU courts.