In a highly anticipated decision, the Irish Data Protection Commission (“DPC”) fined Meta
1.2 billion euro on 22 May 2023 in addition to giving the company 6 months to suspend its
transfer of EU personal data to the US. The decision has received global attention.
While the DPC’s findings apply directly to Meta, there are important consequences for all
organisations. We have outlined the key points below.
Background
The findings are the culmination of a decade long process beginning with the disclosures of
far-reaching US surveillance by Edward Snowden. These prompted Max Schrems, an
Austrian law student at the time, to question the legality of Facebook’s data transfers to the
United States under the EU General Data Protection Regulation.
Two high profile “Schrems” judgments invalidated the EU-US Safe Harbour Framework,
through the CJEU’s 2015 “Schrems I'” ruling, and the EU-US Privacy Shield, through the
CJEU’s 2020 “Schrems II” ruling.
Following the second of these rulings Facebook, now trading as Meta, was forced to move
away from the now-defunct Privacy Shield and instead rely on Standard Contractual Clauses
(“SCCs”) as well as supplementary measures to facilitate its transfer of personal data from
the European Economic Area (“EEA”) to the US. These SCCs are core to the Data Protection
Commission’s findings.
The Main Findings
The DPC provided four key findings which led to its decision (Paragraph 10.1):
- US law does not provide a level of protection that is essentially equivalent to that provided by EU law;
- Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law;
- Meta Ireland does not have in place supplemental measures which compensate for the inadequate protection provided by US law; and,
- Meta Ireland cannot rely on the derogations provided for at Article 49(1) GDPR, when making the Data Transfers
What About a New Adequacy Decision?
It is uncertain whether a new adequacy decision will be reached in time to allow Meta to
continue transferring data through the much-anticipated Transatlantic Data Agreement.
The European Commission and the US government have been negotiating for more than
two years to finalize the new EU-US Data Protection Framework and it is not clear when this
will arrive, nor whether it will be able to withstand a likely Schrems III challenge.
What About Me and My Organisation?
While it is easy to focus on Meta’s situation in isolation, similar challenges will be
encountered by every organisation that relies on SCCs as the foundation for their data
transfers outside the EU/EEA.
We will all need to swiftly identify the processing activities within our operations that
depend on SCCs for transferring data outside the EU/EEA (e.g., to India, Australia, South
Africa, etc.) and then carefully examine each destination jurisdiction in light of the DPC’s
decision.
This assessment must be conducted while considering the risk that an EU Supervisory
Authority (any of the 27) might now suspend the use of SCCs as a transfer mechanism within
their jurisdiction, given the precedent set by this decision. This evaluation may have
implications for organisations’ data strategies, prompting questions such as:
- Which transfers can be deemed non-essential and potentially discontinued?
- Are there alternative providers that can be considered for certain processes?
- What additional supplemental measures can be implemented to mitigate the risks
associated with SCCs?
The need to address these crucial questions has become paramount in the wake of the
DPC’s ruling and its potential ramifications. Proactive steps must be taken to ensure
compliance and minimize any adverse impact on data transfers.
We at Pembroke Privacy are here to help you navigate this process and ensure greater
compliance in the context of data transfers. As always, our promise is to “make the complex
clear”.