Ireland's Data Protection Commission (DPC) has published its decision following its inquiry into Meta Platforms Ireland's transfer of personal data from the EU/EEA to the US for Meta's Facebook service. The corrective steps it has ordered and the €1.2 billion fine, the largest ever issued under GDPR, are a substantial, albeit expected, blow for Meta. The DPC has effectively been dragged to this outcome by peer regulators in the EU and the European Data Protection Board (EDPB), who demanded more stringent action. The decision has broader implications for businesses relying on the EU standard contractual clauses (SCCs) and highlights the need for a political solution to facilitate the lawful transfer of personal data to the US. This briefing looks at the DPC's decision and its wider implications.

1 What's the background?

The Snowden revelations in 2013 about US intelligence authorities having access to personal data through tech companies triggered a decade-long battle, spearheaded by privacy activist Max Schrems, challenging the legality of Facebook's transfer of personal data to the US. As a result, the transatlantic frameworks designed to facilitate the transfer of personal data to the US, Safe Harbour and then the Privacy Shield, were invalidated by the Court of Justice of the EU (CJEU) in the decisions known as Schrems I and Schrems II respectively. This left many businesses, like Meta, exporting data from the EU to territories that do not have an adequacy decision, seeking to rely instead on the EU's SCCs, undertaking transfer impact assessments (including an assessment of whether the importing territory offers data subjects protection essentially equivalent to that offered by EU law) and, where necessary, implementing supplementary measures to address the risks identified.

The DPC's decision now adds to the existing uncertainty and financial risk to businesses taking this approach.

Regulator in-fighting and a reluctant decision

The DPC's inquiry was started in August 2020 but was stayed, pending court proceedings, until May 2021. The DPC prepared a draft decision on 6 July 2022 but, under the cooperation procedure mandated by GDPR, the draft decision was submitted to peer regulators. There was consensus between regulators over Meta's non-compliance with GDPR. However, some regulators (France, Germany, Austria and Spain) objected to the enforcement action the DPC proposed to take, demanding tougher measures. The matter was referred to the EDPB for determination through the Article 65 GDPR dispute resolution procedure.

The DPC was forced (very reluctantly) to adopt a final decision based on the EDPB's decision: the corrective measures are therefore more severe than the DPC originally proposed. Had the DPC had its way, it would not have imposed corrective measures beyond the suspension of future transfers.

2 What has the DPC decided?

The DPC concluded that:

  • US law does not provide a level of protection that is essentially equivalent to that provided by EU law. Meta's data transfers were in breach of Article 46(1) GDPR as they failed to guarantee an essentially equivalent level of protection to data subjects to that offered by EU law.

  • Neither the SCCs (the 2010 "old" SCCs or the 2021 "new" SCCs), nor the supplementary provisions put in place by Meta could compensate for the inadequate protection provided by US law.

  • Meta could not rely on any of the derogations set out in Article 49 (in Meta's case, explicit consent, contractual necessity, or public interest) to justify the transfer.

The DPC has therefore taken the following corrective action:

  • Ordered that Meta suspend any future transfer of personal data (within 12 weeks of the end of the appeal periods).

  • Ordered Meta to bring processing operations into compliance, by ceasing processing, including storing, personal data of EEA users in the US transferred in violation of the GDPR (within 6 months of the decision). While there's room for debate about the measures this entails (and whether it goes so far as to require the deletion or bulk return to the EEA of historic data), this wording seems to allow some flexibility and the DPC also contemplated compliance being achieved via new developments (such as a US adequacy decision - see section 4 below).

  • Imposed a €1.2 billion fine.

3 What are the wider implications of this decision for data transfers to the US?

This Decision will bind Meta Ireland only. It is clear, however, that the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA.

Extract from the DPC's decision, 12 May 2023

The decision is only binding on Meta's Irish entity and the DPC points out that it is not within its power to make an order to suspend or prohibit transfers to the US generally. However, the message emanating from the EDPB is loud and clear – it has said that the level of the fine should be a "strong signal to organisations that serious infringements have far-reaching consequences".

While Big Tech will undoubtedly be first in line for any further enforcement action around data transfers, the implications are not limited to Big Tech. Meta, according to a statement issued by Nick Clegg and its Chief Legal Officer, has been "singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe". The organisational, technical and legal measures that Meta had implemented were extensive (e.g., policies, encryption of data in transit and challenging government requests for access) but they were nevertheless deemed to be insufficient: they could not prevent access to a user's data without court supervision and without the user's knowledge, which the PRISM downstream programme under section 702 of the US Foreign Intelligence Surveillance Act (FISA) allows. To compensate for the deficiencies of US law, a data exporter "must not merely 'mitigate' the deficiencies in US law...but must ensure that data subjects receive essentially equivalent protection to EU law". If the extensive supplementary measures implemented by Meta are not considered capable of compensating for the inadequate protection offered by US law, what options are left for other businesses?

Some businesses can show that, in practice, problematic legislation will not apply to their transferred data. The decision is less troublesome for them in that the DPC highlighted that the EDPB Supplemental Measures Recommendations do not exclude a risk-based approach. In Meta's case, the DPC decided that Meta could not rely on a risk-based approach because it could not show that in practice there would be no actual access by surveillance authorities.

Nevertheless, if a company with Meta's resources cannot make up for the privacy shortcomings of US law, it is clear this is a situation that companies cannot address alone and that a political solution is needed.

The UK

This decision is not binding in the UK and we will need to wait and see how the ICO responds to it.

The Data Protection and Digital Information (No. 2) Bill, which is currently making its way through the UK Parliament, proposes to replace "essential equivalence" with a new "data protection test" that assesses adequacy on the basis of the standard of protection being "not materially lower" than in the UK. It would give the UK Government more flexibility to assess territories, such as the US, as adequate.

Given the strict application of the essential equivalence test demonstrated in this decision by EU regulators, when the EU comes to re-assess the UK's adequacy, the EU could decide (if the political climate at the time is such that it chooses to do so) that the UK's data protection test fails to offer adequate protection to EU/EEA data routed through the UK.

4 The EU/US Data Privacy Framework

The EU/US Data Privacy Framework (DPF), which we previously wrote about here and which is intended to form the basis of a US adequacy decision, may offer some hope on the horizon as a future data transfer mechanism for those organisations that certify to it. For those not certified, continuing to rely on SCCs coupled with a transfer impact assessment, the DPF would also offer a binding (positive) EU legal assessment of US laws and practices.

That said, on 11 May 2023, the European Parliament voted for a resolution opposing the adoption of a US adequacy decision under the DPF, calling on the European Commission to continue negotiations with its US counterparts. It fears that the DPF, as it stands, will not provide essential equivalence and will be invalidated, causing further uncertainty and disruption for EU citizens and businesses. The resolution is not binding on the Commission but will be taken into consideration, along with the opinion of the EDPB. The EDPB's opinion, while broadly supportive, also recommended changes.

The Commission has suggested, following the DPC enforcement, that the DPF is expected to be in place by the summer.

5 What next?

Meta is anticipating that the DPF will be in place (effectively overtaking the DPC's two orders) before the compliance deadlines referred to in section 2 above expire, although the DPF will not nullify the fine. It will appeal the decision and apply for a stay on the suspension order. It has said that there will be no immediate disruption to Facebook users because of the implementation periods for the decision.

And beyond Meta? If the scale and nature of an organisation's processing are otherwise relatively low risk and its data are unlikely to be subject to surveillance under FISA, its data transfers are much less likely to attract a regulator's attention, for now at least. As we've also seen from the regulator in-fighting surrounding this decision, the regulatory approach to enforcement is far from consistent, and only four regulators insisted on more severe action against Meta. We therefore expect most organisations to continue with their current practice of using SCCs and await the DPF, rather than localise their data now. Big Tech companies transferring vast quantities of data to the US on the back of SCCs, and falling within the scope of the FISA 702 PRISM surveillance programme, will feel much greater pressure to localise data, having seen the heavy price of non-compliance, although they too may hold off to see what the summer brings.

Whether the DPF proves to be a long-term solution is of course another matter: in the absence of a significant change in US surveillance laws, Schrems will no doubt challenge the DPF before the CJEU in the same way as its predecessor frameworks.

Originally published 25 May 2023
