26 May 2023
On Monday, 22
nd of May 2023, and following the European Data Protection Board’s (EDPB) binding decision on Meta Ireland’s (Meta) personal data transfers to the United States, Ireland’s Data Protection Commission (DPC) has published its long-anticipated ruling on the legality of Meta's EU-U.S. data flows in relation to the delivery of its Facebook service.
The DPC found that the measures used i.e., the Standard Contractual Clauses (SCCs) that were adopted by the European Commission in 2021 in conjunction with the additional supplementary measures that were implemented by Meta, did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its Schrems rulings.
The DPC imposed a record fine of 1.2 billion euros on Meta, which is the highest GDPR fine to date. The DPC also ordered Meta:
- to suspend any future transfers of personal data to the U.S. within 12 weeks after the expiry of the specified statutory limitation periods, i.e., the end of the period allowed to appeal the DPC decision and/or annul the EDPB decision; and
- to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months from the date of which the DPC notified Meta of its final decision.
The “stop transfers order” was originally decided by the DPC in its own draft decision, whereas the other two orders (the fine and the order to bring its processing into compliance) stemmed from the EDPB’s binding decision and the other DPA’s objections.
In reaching its conclusion for the infringement of Article 46 (1) of the GPDR by Meta, the DPC stated the following:
- US law does not provide a level of protection that is essentially equivalent to that provided by EU law;
- Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law;
- Meta Ireland does not have in place supplemental measures which compensate for the inadequate protection provided by US law; and,
- It is not open to Meta Ireland to rely on the derogations provided for at Article 49(1) GDPR, or any of them, when making the Data Transfers.”
As per the EDPB’s decision
“Meta IE committed the infringement of Article 46(1) with at least the highest degree of negligence. In addition, the EDPB recalls that a wide range of categories of personal data are affected by the infringement, including personal data covered by Article 9 GDPR. Therefore, based on the evaluation of the factors under Article 83(2)(a), (b) and (g) GDPR, the EDPB takes the view that the infringement is of a high level of seriousness.”
Meta representatives have already stated that they will appeal the DPC’s decision.
Background:
This decision traces back nearly ten years ago to the
Snowden disclosures and then the Schrems rulings, resulting in the invalidation of two cross-border data protection frameworks, which facilitated data transfers to the U.S., namely the U.S.-EU Safe Harbor Framework, invalidated after the CJEU's 2015
"Schrems I'" ruling, and the EU-U.S. Privacy Shield, invalidated by the CJEU's 2020
"Schrems II" ruling.
On the 13
th of April 2023, the European Data Protection Board (EDPB), announced the adoption of a binding dispute resolution decision, on the basis of Article 65 of the GDPR, concerning the legality of data transfers to the United States by Meta for its Facebook service.
The EDPB’s decision follows a draft decision of the DPC, as lead supervisory authority. Following the landmark "Schrems II" decision, which invalidated the Privacy Shield due to EU concerns regarding the necessity, proportionality and redress associated with U.S. government surveillance authorities, the DPC initiated an "own volition" inquiry to consider whether Facebook's data transfers to the U.S. were legal. Since the 2020 CJEU decision, Meta switched from the Privacy Shield to using the new 2021 SCCs, as well as supplementary measures.
The DPC reached its draft decision to stop Meta from transferring personal data from the EU to the U.S. through its use of SCCs. The draft decision was sent to EU Data Protection Authorities (DPAs). However, due to the several objections raised by various DPAs, the dispute resolution mechanism under Article 65 of the GDPR was activated, leading to the decision of the EDPB in April and now the final decision of the DPC.
Impact:
The impact of this decision goes far beyond Meta, to all businesses, which are transferring personal data from the EU to the U.S. on the basis of SCCs (both old and new), in the absence of an adequacy decision.
Essentially, the DPC’s decision indicates that the use of SCCs and the implementation of supplementary measures, as Meta did, by using several organizational and technical measures, still does not suffice for covering the deficiencies in U.S. law, identified by the CJEU in the Schrems II.
The DPC notes that
“the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA.”
It becomes apparent that the DPC's decision, although only binding to Meta, effectively links to all EU transfers of data to U.S. electronic communications services providers, subject to Section 702 FISA and to the Executive Order 12333.
Following the DPC’s decision, the European Commission issued a statement, declaring that it is expected that adequacy and the EU-U.S. DPF will be
"fully functional by the summer."
Lastly, behind the record fine imposed, unravels the trend of national regulators’ willingness to issue larger fines. It is worth mentioning that prior to the EDPB’s involvement via the dispute-resolution process and the issuance of its binding decision, which included the imposition of a fine, the DPC’s own investigation and draft decision did not include a fine.
In conclusion, it appears that merely mitigating the insufficiencies of US law is not considered enough and unless the US law changes, there is always a possibility of residual data protection risks. A risk-free solution would be to localize your data by switching to local alternatives. This, however, comes with significant operational and financial costs. Data Protection Authorities’ guidance in the weeks to come could be helpful in terms of addressing the concerns of various entities with similar data flows.