The Irish Data Protection Commission (Irish DPC) has published its decision and issued a press release concerning the transfer of Facebook users’ personal data from Meta Platforms Ireland Limited (Meta) in the EU / EEA to Meta’s head office in the United States. The headlines are emphatic: Meta has been fined a staggering 1.2 billion euros and, perhaps even more significantly, has been ordered to suspend the transfer of Facebook users’ data from the EU (via Ireland) to the US. That suspension order takes effect within five months, which could have a seismic effect on Facebook’s operations if it is implemented, and the €1.2 billion fine is the largest ever imposed under the GDPR. In addition, Meta has been ordered to bring its processing into compliance by ceasing the unlawful processing, including storage, of EU Facebook users’ personal data in the US within six months, which in practice means deleting the EU users’ data already held in America. Unsurprisingly, Meta has announced that it will appeal all aspects of the decision.
How did we get here? The Schrems litigation to date
The Irish DPC’s decision concludes the latest round of the long-running challenges originally brought by Austrian privacy campaigner Max Schrems and his non-profit organisation NOYB (from “none of your business”). Schrems and NOYB allege that Meta is transferring the data of European Facebook users to the US in contravention of those users’ rights and freedoms under the GDPR. Schrems’ previous victories against Facebook / Meta include a 2015 judgment of the Court of Justice of the European Union (CJEU) which declared the old “Safe Harbor” EU to US personal data transfer regime to be invalid (“Schrems I”), followed by a 2020 judgment of the CJEU which declared Safe Harbor’s replacement, the “Privacy Shield” framework, to be invalid as well (“Schrems II”). We wrote about those CJEU decisions here and here. That second judgment left it open to data controllers like Meta to transfer personal data from the EU to the US relying on “standard contractual clauses” (SCCs, ie the model clauses issued by the European Commission), provided that certain additional requirements are met (which we wrote about here). However, this latest decision of the Irish DPC has found that Meta is not using the SCCs lawfully, either.
An alternative route for Meta? The Trans-Atlantic Data Privacy Framework
Since the Privacy Shield was invalidated by the 2020 “Schrems II” judgment, the EU and the US have been negotiating a new data transfer mechanism, known as the Trans-Atlantic Data Privacy Framework (TADPF), which could provide a lifeline for Meta’s EU to US data transfers if it is concluded in the next few months. As things stand, that timing does seem a realistic possibility: the European Commission has already published a draft adequacy decision for the TADPF following President Biden’s Executive Order 14086, which introduces new safeguards concerning the access to and collection of personal data by US intelligence agencies and so paves the way for the TADPF to take effect. The final hurdles for the TADPF are to resolve the criticisms and concerns raised by the European Parliament and the European Data Protection Board (EDPB). Meta’s (and many other businesses’) commercial incentives to see the TADPF finalised will be obvious, but the political pressure on the European Commission is now enormous.
European regulators versus American businesses? The influence of the EDPB
As a reminder, the EDPB is the body made up of the national data protection authorities of the EU member states (together with the European Data Protection Supervisor), and its opinion on the TADPF is likely to be very significant given the role that it has just played in the Irish DPC’s decision to issue a record fine to Meta and to order the cessation of transfers and data storage in America. Following the “Schrems II” litigation referred to above, the Irish DPC had commenced its own inquiry into Meta’s transfers of personal data from Ireland (from where Meta runs its operations for all European users of Facebook) to the Meta head office in the US. In its draft decision of July 2022, the Irish DPC found that Meta’s transatlantic data transfers were in breach of the GDPR and should be suspended. However, when the Irish DPC submitted that draft decision to the other EU / EEA data protection authorities under the GDPR’s “one-stop-shop” co-operation procedure (Article 60 GDPR), four of the other supervisory authorities raised objections to the Irish DPC’s proposed corrective measures, insisting on a substantial administrative fine for Meta on top of an order that data transfers should cease. When no consensus could be found, the Irish DPC referred those objections to the EDPB for determination under the GDPR’s dispute resolution mechanism (Article 65 GDPR), and the EDPB’s binding decision has ultimately led to Meta’s record fine and punitive “stop processing” orders.
What does this mean for EU to US data transfers relying on the SCCs?
When the CJEU declared in “Schrems II” that the SCCs would still provide a valid mechanism for transferring personal data out of the EU / EEA, the Court added an important caveat. The CJEU said that it was not enough for data exporters and data importers simply to include the SCCs in their contracts. They must also now assess whether the SCCs will be effective in protecting the data once transferred to a third country. That requires the data exporter, with the help of the data importer, to review the laws and practices in the third country to assess whether they undermine the effectiveness of the SCCs. If they potentially do, then the data exporter and the data importer have to assess whether “supplementary measures” are necessary to ensure that the transferred personal data will nevertheless enjoy “essentially equivalent” protection as required by the GDPR.
In Meta’s case, the “supplementary measures” in question included encryption of data in transit, transparent reporting of requests from US government authorities to access European Facebook users’ personal information, and a number of policies and procedures about such access by US authorities. Meta argued that those supplementary measures would “address” or “mitigate” any “relevant remaining” inadequacies in the protection for personal data provided by the SCCs and by US law. However, the Irish DPC said that such supplementary measures must go further and “compensate” for any deficiencies in US law.
This leaves open the question of whether Meta could introduce new, stricter supplementary measures (whether contractual, technical, organisational or otherwise) to “compensate” for US laws and practices, or whether Section 702 of the US Foreign Intelligence Surveillance Act (FISA), Executive Order 12333 and the other US legal instruments enabling the US government to access personal data relating to individuals based in the EU simply cannot be reconciled with those individuals’ GDPR rights.
While the Irish DPC’s decision is made in respect of Meta based on particular facts, including the “systematic, repetitive and continuous” nature of the data transfers and the massive volumes of Facebook users’ data being transferred, the fundamental questions about the validity of the SCCs and what, if any, supplementary measures will be effective to compensate for FISA and other US laws will be of interest to many data controllers who transfer personal data from the EU / EEA to the US. According to Max Schrems himself, the only way to resolve this tension once and for all is for the US to reform its government surveillance practices and change its laws accordingly.
What about UK to US personal data transfers?
While it may be tempting for UK based organisations to reach for the popcorn and watch from the ringside as EU regulators go another round with US big tech firms, the Irish DPC’s decision is technically applying the CJEU’s judgment in “Schrems II”, which remains binding in the UK as retained EU case law because it was handed down during the Brexit transition period. In addition, the ICO could decide to enforce the use by UK data exporters of the SCCs (and / or the ICO’s own International Data Transfer Agreement) in a manner consistent with this Irish DPC decision, at least where personal data are being transferred to America. That said, the ICO has for the time being taken a different approach with its Transfer Risk Assessment tool, which focuses on the human rights impact of a transfer on the individuals concerned rather than on a comparison of the laws and practices in the data exporter’s and the data importer’s countries.
The EU’s €1.2 billion “mega fine” for Meta – and the “stop processing” orders which accompany it – are rightly dominating the headlines. For now, this is a GDPR enforcement decision affecting one data exporter – but it could have similarly enormous impacts for other organisations which transfer personal data from the EU to the US, especially those who do so regularly and on a large scale. This should at least prompt such data exporters to undertake thorough risk assessments of those data transfers and to document them properly, including to identify “supplementary measures” and, crucially, to ensure that those measures are being implemented in practice.
European data exporters should also keep close tabs on the progress of the Trans-Atlantic Data Privacy Framework, while data importers in America should consider signing up to it – which may well involve getting familiar with its requirements now, in its published draft form.
UK based data exporters will not be able to use the TADPF (which, once adopted, will provide a means of transferring personal data from the EU to the US without a transfer risk assessment being carried out first), but they may feel more relaxed about using the ICO’s Transfer Risk Assessment tool together with either the EU SCCs plus the UK Addendum or the ICO’s bespoke International Data Transfer Agreement as the contractual basis for transatlantic data transfers.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2023