What happened?

On 12 May 2023, the Irish Data Protection Commission ("Irish DPC") imposed a record fine of EUR 1.2 billion on Meta Platforms Ireland ("Meta IE") and ordered it to take compliance measures as a result of infringements of the General Data Protection Regulation ("GDPR"). Acting on the EDPB's binding dispute resolution decision 1/2023 of 13 April 2023, the Irish DPC sanctioned Meta IE for the large-scale transfers of personal data from the EEA to the United States carried out in operating its Facebook platform, which were found to infringe the GDPR.

Beyond the record fine (the highest imposed to date under the GDPR), this decision has brought the issue of data transfers from the EEA to the USA back into the spotlight.

What are the key takeaways?

Meta IE argued that the transfers of Facebook EU users' personal data to servers located in the USA relied upon (i) the EU Standard Contractual Clauses ("SCCs") adopted by the EU Commission and (ii) supplementary measures.

Since the Schrems II ruling of the Court of Justice of the European Union ("CJEU") and the resulting invalidation of the EU-US Privacy Shield Framework, the transfer of personal data from the EEA to the USA has become a sensitive issue. Although the CJEU reaffirmed the validity of the SCCs, data exporters remain responsible for assessing whether the law and practice in the country of the data importer provide a level of data protection essentially equivalent to that guaranteed in the EU.

Where those standards are not met, data exporters must either provide additional safeguards ensuring that data subjects receive essentially equivalent protection to EU law or suspend the transfer of personal data.

The Irish DPC first found that US law does not provide an essentially equivalent level of protection to that provided in the EU, and that the SCCs relied upon by Meta IE cannot compensate for the inadequate protection.

The Irish DPC then found that Meta IE had failed to implement supplementary measures compensating for the inadequate protection afforded by US law (such measures must actually compensate for the deficiencies in US law, not merely "mitigate" them). In particular, the Irish DPC criticised Meta IE for failing in its duty of care and for acting, at the very least, with the highest degree of negligence.

The fine was accompanied by an order requiring Meta IE to suspend any future transfers of personal data to the USA within five months of notification of the Irish DPC's decision (i.e. by October 2023) and to cease, within six months of such notification (i.e. by November 2023), the unlawful processing, including storage in the USA, of personal data of EEA users transferred in violation of the GDPR.

What's next?

On 22 May 2023, Meta IE already stated on Facebook that it would appeal the decision and underlined that the decision from the Irish DPC "sets a dangerous precedent for the countless other companies transferring data between the EU and USA."

It is true that, in the interest of legal certainty, it is now crucial that transfers of personal data from the EEA to the USA rely on a stable transfer mechanism.

As indicated in a previous publication, on 13 December 2022 the EU Commission published a draft adequacy decision for the proposed EU-US Data Privacy Framework.

On 28 February 2023, the EDPB delivered a mixed opinion (Opinion 5/2023) on this draft adequacy decision. The EDPB acknowledged the substantial improvements that the new EU-US Data Privacy Framework offers compared to the previous legal framework, in particular the introduction of the principles of necessity and proportionality and the individual redress mechanism for EU data subjects. However, the EDPB considers that certain topics, such as "temporary bulk data collection", require further clarification, and invites the EU Commission to amend the draft adequacy decision in line with its Opinion.

The coming months may bring the adoption of an amended, solid and durable adequacy decision for the EU-US Data Privacy Framework, so that transfers of personal data from the EEA to the USA are no longer synonymous with risk for data controllers and data subjects.

That said, legal certainty in transfers of personal data presupposes that neither the EU-US Data Privacy Framework nor the adequacy decision mentioned above is successfully challenged.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.