Introduction:
On 22 May, the Irish Data Protection Commissioner (the DPC) published its decision against Meta Platforms Ireland Ltd (Meta Ireland) in relation to Facebook’s transfer of users’ personal data to the US (the Decision). In it, the DPC ordered Meta Ireland to suspend Facebook’s future transfers of personal data to the U.S. within five months of the date of the Decision. Following instructions from the EDPB to do so, the DPC also issued Meta Ireland with a record fine of 1.2 billion euros and ordered it to “bring its processing operations into compliance … by ceasing the unlawful processing, including storage, in the US of personal data of EEA users” (i.e. to remedy past non-compliance) within 6 months of the date of the Decision.
In this post, we summarise 9 key takeaways from the Decision.
9 key takeaways from the decision:
- EO 14086 and Rule / Regulations 28 CFR 201 don’t help (yet). Meta Ireland wanted the recent changes in US laws that will underpin the new EU/US Data Privacy Framework, once approved, to be taken into account by the DPC. However, whilst the DPC acknowledged that these US legal developments may in due course address the deficiencies identified, they do not currently do so as: (a) the EU has not yet been designated by the US as a “qualifying state”; and (b) the processes and guidance that underpin the new US laws have not yet been adopted, meaning that the new protections issued by the US law are not currently accessible to EU citizens.
- The PRISM programme under FISA 702 presents the greatest challenge. The DPC reserves its position in relation to EO12333 and the FISA702 UPSTREAM (which both deal with access to data in transit), but appears to acknowledge that end-to-end encryption in transit may be a technical safeguard that prevents the US Government from accessing personal data in transit under these programmes. However, no such technical safeguards exist in relation to data at rest because, under the FISA702 PRISM programme, the US Government can compel US electronic communications service providers to hand over the personal data they hold or can access.
- The 2021 SCCs don’t remedy the situation. Although they were introduced to deal with deficiencies in the 2010 SCCs, the DPC found that the 2021 SCCs do not themselves implement any new measures that compensate for the inadequacies in the level of protection afforded to personal data under US law. This is primarily because the US Government bodies that continue to have the right to compel access to the personal data are not party to the SCCs.
- The supplemental measures that Meta implemented were not sufficient. Meta had implemented a number of legal, organisational and technical measures, many of which will be familiar to other organisations that are transferring personal data overseas. The DPC found that none of these provided appropriate safeguards to data subjects against the disclosure of data that could be compelled in response to a valid request made by the US Government under the PRISM programme.
- Measures must “compensate”, not just “mitigate” – but a risk-based approach is not dead. The DPC took issue with Meta’s arguments that its supplemental measures sufficiently “addressed” and “mitigated” US access excesses, stating that only measures that ensure that data subjects receive essentially equivalent protection to EU law are effective. However, the DPC also stated that the EDPB Supplemental Measures Recommendations do not exclude a risk-based approach, highlighting that this concept was deliberately added to the final version of the recommendations. We reproduce the words from the EDPB recommendation here: “you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data.” Meta’s problem was that it couldn’t demonstrate this belief, as it had been subject to FISA702 access, as evidenced by its transparency reports. This will not be the case for many other US importers.
- Usefulness of the derogations was called into question. The DPC reiterated that derogations to the GDPR data export limitations must respect the “essence” of fundamental rights and that, where a derogation does not, it must be considered invalid. The DPC specifically noted that reliance on the “contractual necessity” exemption would result in “personal data of EU data subjects being transferred to the United States and subjected to a legal regime that does not respect the ‘essence’ of the rights guarantees by Article 47 of the Charter” and it follows that it therefore cannot be relied upon by Meta Ireland. This logic could extend to other exemptions, arguably undermining the majority of Article 49. The DPC does acknowledge that consent could be relied upon to make transfers, but that data subjects would have to be informed of the lack of equivalent protection and of all the risks, and the consent provided would have to be specific – and not a general consent to all future transfers. The DPC did not see how Meta Ireland could meet all these requirements such that it could rely on consent for its transfers of personal data.
- Justification for the fine. In its original draft decision, the DPC considered that adding a fine to the suspension of the data transfers would be disproportionate as: (a) the suspension alone would “right the particular wrongs identified”; (b) a fine would not make the DPC’s findings any more effective or dissuasive; and (c) Meta Ireland was continuing to transfer under mechanisms provided for at law in good faith whilst the legal process was resolving the precise requirements. Similarly, the DPC considered that bulk return or deletion of previously transferred data from an identified point in time would be excessive and could be dealt with through individual user deletion requests. The EDPB, in response to complaints raised by the Austrian, German, Spanish and French data protection authorities, disagreed, citing the following factors: (a) the scale of the processing (255m users in the EEA); (b) its scope and sensitivity (social interactions); (c) that it had a high degree of responsibility in this context to implement appropriate technical measures; (d) that it considered Meta Ireland had committed the infringements knowingly, and although not wilfully, with the highest degree of negligence, in applying its own incorrect test of what supplemental measures were required in the face of the CJEU Schrems II judgment, the EDPB Recommendations and the DPC’s preliminary draft decision; (e) its belief that a suspension order alone would not be enough to deter Meta Ireland itself or other controllers generally; and (f) that Meta Ireland should be punished for such historic infringement.
- Meta argued fining it was discriminatory when other DPAs had not fined Google LLC in the NOYB “101 complaints” cases. The DPC also took this line of reasoning in its draft decision, but the EDPB dismissed this on the basis that the similar or identical nature of the cases has not been demonstrated by Meta and instead required the DPC to impose the fine. This highlights that a fine will not be merited in every case but is more likely in analogous situations.
- The decision binds Meta only but has implications for other US FISA702 electronic communications service providers. The DPC states that the Decision may expose that other US exports to FISA702 electronic communications service providers “may fall foul of the requirement of Chapter V GDPR”, but that it is not open to the DPC to suspend such transfers generally – each case would have to be assessed and ruled on separately.
Our take
The decision reflects a determination on the part of the EDPB (prompted by Austria, France, Germany and Spain) to fully enforce the Schrems II ruling and to closely follow the position in the EDPB Recommendations, at least in respect of US FISA702 electronic communications service providers.
The pressure on the EU Commission to approve the EU/US Data Privacy Framework adequacy decision is now greater than ever. This is meant to take place over the summer, which just happens to be before the implementation period for this decision expires. Meta Ireland is reported to be appealing the Decision, including seeking a stay of the orders in the courts, so the suspension still may not be implemented even if the EU/US Data Privacy Framework is delayed. Whether further enforcement in relation to other US transfers will take place in the interim is unclear; with the EU/US Data Privacy Framework adequacy decision so close, enforcement now would seem perverse (but not impossible).
It should be noted that there are other non-adequate countries that personal data is exported to with surveillance rules that potentially fall outside the EU limits and which do not have a pending adequacy decision as a proximate solution; the inflexibility of the DPC’s approach (prompted and endorsed by the EDPB) has made determining the compliance of these transfers harder and the risks of such a transfer being suspended appear to have increased.
Please get in touch if you would like to discuss the impact of this decision on your data transfers.