On 22 May 2023, following the adoption of a binding decision by the European Data Protection Board (the “EDPB”), the Irish Data Protection Commissioner (“DPC”) concluded its own-volition inquiry against Meta regarding the legality of international data transfers from Meta Ireland to the US. The DPC concluded that such transfers infringed the GDPR and directed Meta to suspend its transfers to the US within six months of the decision. As directed by the EDPB, it further issued a fine of €1.2 billion and ordered Meta to bring its transfers into compliance with the GDPR.
This decision comes shortly after the DPC’s separate ruling (which also involved a prior binding decision from the EDPB) on the lawful bases relied upon by Meta in the provision of its Facebook and Instagram services.
Background and Decision
In July 2020, the ECJ’s Schrems II decision invalidated the EU-US Privacy Shield that was used as a mechanism to transfer personal data from the EU to the US. In light of the Schrems II decision, the Irish DPC commenced an ‘own-volition inquiry’ on 28 August 2020 into (i) the lawfulness of Meta’s international data transfers in respect of EU/EEA individuals to the US pursuant to standard contractual clauses and (ii) whether corrective powers should be exercised by the Irish DPC pursuant to Article 58(2) of the GDPR.
Given Meta’s European headquarters in Ireland and the scope of its European operations, the Irish DPC assumed the role of lead supervisory authority under the GDPR and followed the decision-making process set out in Article 60 of the GDPR, where the lead supervisory authority is required to cooperate with and consult other concerned supervisory authorities (“CSAs”). In July 2022, the DPC issued its draft decision for consultation to the CSAs to provide “relevant and reasoned objections” pursuant to Article 60(4) of the GDPR. A number of CSAs disagreed with the DPC’s approach and, after failing to reach a consensus, the matter was ultimately referred to the EDPB for a binding decision pursuant to Article 65 of the GDPR.
Pursuant to the EDPB’s direction, the DPC ruled that Meta’s use of the EU standard contractual clauses (both the 2010 and 2021 versions), even combined with extensive supplementary measures (organisational, technical and legal), did not address the risks arising from US surveillance laws so as to provide an adequate level of protection for the personal data of EEA/EU data subjects, and therefore such data transfers were unlawful. Further, Meta could not rely on any derogation under Article 49(1) of the GDPR to justify such data transfers in the usual course.
Analysis and Implications
The €1.2 billion fine is the largest fine imposed under the GDPR by any supervisory authority to date. Although the level of fine falls short of the maximum 4% of annual worldwide turnover available under the GDPR, it also highlights the disagreement and lack of consensus between the Irish DPC, the CSAs and the EDPB. The Irish DPC did not originally propose any fine, considering the corrective measures it had proposed (i.e. an order to suspend transfers) to be sufficient. However, four of the CSAs disagreed and, in its own decision, the EDPB directed that a fine should be imposed and should be set at a level representing 20% to 100% of the applicable legal maximum. An (admittedly rough) calculation suggests that the €1.2 billion fine issued by the DPC was towards the lower end of this scale, perhaps demonstrating a desire on the part of the DPC to comply with the EDPB’s direction only to the minimum extent permissible.
Can we rely on Standard Contractual Clauses now?
The decision is fundamental in that it casts doubt on the adequacy of the European Commission-approved standard contractual clauses that are widely used by a large number of organisations, small and large, for cross-border data transfers.
The standard contractual clauses are a legal mechanism provided for under the GDPR to give protection to personal data being transferred outside of the EEA. The 2020 Schrems II decision cast doubt upon this mechanism but a ‘new’ set of standard contractual clauses was published by the European Commission in 2021 (the “2021 SCCs”) and contained provisions intended to address some of the shortcomings identified in the Schrems II case.
However, the Meta decision seems to put everyone back to square one by confirming that not even the 2021 SCCs can be relied upon in all circumstances. And if reliance on the standard contractual clauses is not an option, the Irish DPC’s decision also makes it clear that the derogations set out in the GDPR (e.g. the transfer is necessary for a contract) may only be relied upon on an exceptions-only basis. As of now, it remains unclear what organisations that wish to send personal data to companies in the US (particularly tech companies subject to FISA) are supposed to do.
Can we put in place supplementary measures?
It is clear from the DPC decision that it considered that Meta had put in place a variety of “supplementary measures” over and above reliance on the standard contractual clauses in order to try to ensure adequate protection for data subjects. These included both technical and organisational measures. However, although these measures could be said to mitigate risks, the DPC was of the view that they could not compensate for the deficiencies in US law highlighted in the Schrems II case. Put bluntly, it appears that there are no supplementary measures that could be put in place where the data importer is subject to FISA legislation and has access in the clear to the personal data transferred.
Does this mean all EU-US transfers need to stop?
For Meta, in the short term it seems clear from its response to the decision that it will be appealing and seeking a stay of the order to suspend data transfers. For everyone else, this will hopefully provide some much-needed breathing space to (once again) map their data transfers; understand the extent to which personal data is being transferred to the US (both directly and through their vendor supply chain); and consider the ways in which it may be possible to reduce or mitigate risks associated with any such US transfers.
Is there going to be an EU-US adequacy decision to solve this?
In the medium term, the solution for international data transfers to the US seems likely to be the adoption of a new US adequacy decision. The DPC commented in its decision on EO 14086, the executive order adopted by US President Joe Biden that introduces the framework for additional controls and protections under US law. However, the protections under EO 14086 are not yet operational and the jury is out on whether, once available, these protections could provide further comfort for data transfers to the US. Even if there is a new EU-US adequacy decision, it seems likely that this would be challenged and may well end up being invalidated like the Safe Harbor and Privacy Shield before it. However, any such challenge takes time and so, in theory at least, a new adequacy decision would provide organisations with a few years of greater certainty.
Crucially, US data transfers are only a small subset of the data transfers taking place every day, and the decision highlights the urgent need for a stable and long-term solution to the issue of international data transfers. The DPC’s decision will not affect Meta’s operations in the UK, but the challenge of transferring data lawfully from the UK to the US (and elsewhere) remains and it will be interesting to see how the ICO responds.
Finally, the decision provides yet another example of the functioning and the efficacy of the one-stop-shop mechanism. Recent examples have shown that it is challenging for supervisory authorities to reach consensus on the application of the GDPR, requiring referrals to the EDPB. Perhaps it is timely that the EDPB published a statement ahead of the 5th anniversary of the GDPR indicating its intention to introduce legislation to harmonise the procedures of cooperation between data protection authorities on cross-border data protection cases.