For a decade or more, Meta has been sending Facebook data from European users – in the form of photos, chat, posts, and more – over to its parent company in the US for storage.
Since the Snowden revelations, Europe has been aware that this data has been open to US intelligence services on a large scale, without – it says – the protections and accountability afforded to people in Europe. This has left data protection rule-makers, and companies sending data to the US, on a collision course, and on Monday we had news of a very large crash.
As Meta’s lead supervisory authority in the EU, the Data Protection Commission (DPC) in Ireland announced the conclusion of its long inquiry into Meta. The decision fines Meta a record €1.2 billion and orders it to suspend the transfer of user data from the EU to the US. It must also stop processing, including storing, in the US anything sent in breach of the GDPR since mid-2020.
A pan-European decision
Facebook is used by people in all the member states of the EU, and the concerned supervisory authorities differed over how severely Meta should be punished. The DPC was directed in part by its own referee, the European Data Protection Board (EDPB), which became involved under the ‘Article 65’ dispute resolution mechanism and took into account the views of the other data protection regulators. The EDPB adopted its binding decision on 13 April 2023, and that decision formed the basis of the DPC’s 12 May decision. Both were made public this week.
What does the DPC want?
The decision concludes that, despite using prescribed transfer mechanisms, Meta Ireland has been infringing Art 46(1) GDPR by transferring personal data of its EU-based subscribers to the US. In addition to the €1.2 billion administrative fine, the decision orders Meta Ireland to suspend any future transfer of personal data to the US within five months of being notified of the decision, and to cease unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months of being notified.
What did Meta do wrong?
On the face of it, Meta was doing the right thing. It has been transferring data in reliance on the EU’s own data transfer mechanisms: namely, standard contractual clauses (SCCs) and transfer impact assessments (TIAs, also called transfer risk assessments or TRAs, which is the UK term). The DPC, however, held that these were insufficient to provide essentially equivalent protection to the GDPR for EU Facebook users whose data was transferred by Meta Ireland to its US parent.
The essential reason was out of Meta’s hands: it is compelled under US law to disclose data to US authorities in certain circumstances.
Meta is an ‘internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme’. Section 702 of the US Foreign Intelligence Surveillance Act (FISA) allows access to a user’s data without court supervision of the individual selection of targets and without the user knowing. Where the importer is subject to this law, US law does not provide ‘essentially equivalent protection’, and the decision is clear that Meta Ireland cannot cure these risks to the fundamental rights and freedoms of EU citizens with SCCs.
What about supplementary measures?
‘Supplementary measures’ are the practical measures which data exporters have to consider and put in place, on top of contracts, to protect data transfers. The DPC found that Meta’s extensive supplementary measures do not compensate for the deficiencies created by s. 702 of FISA, because data subjects in Europe do not have the possibility of bringing a legal action in the US before an independent and impartial court, and there is no remedy for an EU person who is never told that they have been the subject of a FISA search. The technical and organisational measures relied on by Meta ‘do not compensate (nor could they) for the deficiencies in US law’.
Meta had argued that it clearly warns users about government requests for user data, but the DPC was unequivocal that transparency about the fact that data rights are infringed does not actually remedy anything and is not sufficient to legitimise the data transfers to the US.
Is this the end for US transfer?
The decision is significant for other personal data transfers caught by the EU GDPR where the data importer is subject to the same FISA provisions which apply to electronic communications service providers. This will be of particular concern to organisations providing similar services as Meta, and by extension to businesses who have contracted with those organisations.
So does this leave companies hoping to store personal data in the US in a hopeless position? Not necessarily. It’s all about risk management while other factors play out.
There is certainly breathing space while Meta appeals against the decision and seeks a stay on the data transfer order. This is clear from their response:
“This is not about one company’s privacy practices – there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights”, and they “are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe”.
Don’t be negligent
The ruling said that Meta showed ‘the highest degree of negligence’. That is surprising, given that Meta was judged incapable of rectifying the structural problems of US transfer. But the negligence finding was based in part on the sheer volume, and the sensitivity, of the data being sent over.
Many businesses keen to reduce their risk profile are likely to look again at their current vendor supply chain and (if they have not already done so) undertake a data mapping exercise to understand exactly what data is going to the US, and whether it can be reduced – or eliminated – for example by redaction, pseudonymisation or anonymisation. Any reduction in data flows, starting with sensitive or ‘special category’ (Article 9) data, is a good start; so is a default-deny rule, under which a field that has not been classified in the data map is not transferred at all.
Encryption and other privacy enhancing techniques
The ruling treats encryption techniques as the supplementary measure most likely to render transfers lawful. The practitioner’s caveat is that this only works where the importer never holds the key or the plaintext: if the US entity can decrypt the data in order to process it, compelled disclosure under s. 702 reaches the plaintext, and the encryption adds nothing (this is essentially why Meta’s own measures failed). Keys, and any pseudonymisation tables, therefore need to stay with the exporter in the EU. We can expect a race to provide accessible encryption, and anyone looking at possible routes should start with the UK Information Commissioner’s own guidance, which explains some of the basic techniques.
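As an added illustration of the two preceding points, reducing what is transferred and keeping the means of re-identification in the EU, the Python below processes a single user record before export. It is example code written for this page, not code from the article, the DPC decision or Meta. The field categories, the sample record and the key are constructed assumptions; the ‘EU-held key’ is a placeholder for a secret kept in an EU-hosted KMS or HSM. Pseudonyms are keyed HMACs rather than encryption (the standard library has no AES), but the design point is the same as for encryption with EU-held keys: the importer receives nothing it can reverse on its own. Note that pseudonymised data is still personal data for the exporter, which can re-identify it; the measure limits what the importer, and anyone compelling the importer, can do with it.

```python
import hashlib
import hmac

# Illustrative field classification for one outbound record type. These are
# assumed categories for this example, not a legal determination; derive the
# real classification from your own data-mapping exercise.
SPECIAL_CATEGORY = {"religion", "health_notes", "political_opinion", "ethnicity"}  # GDPR Art 9: never transferred
DIRECT_IDENTIFIERS = {"user_id", "email", "phone"}                                 # replaced by keyed pseudonyms
GENERALISED = {"date_of_birth": lambda v: v[:4]}                                   # reduced to year of birth
PASS_THROUGH = {"country", "post_count"}                                           # low-risk, sent unchanged

# Placeholder for a secret the EU exporter keeps (in practice in an EU-hosted
# KMS or HSM). The importer never receives it, so it cannot reverse pseudonyms.
EU_HELD_KEY = b"example-only-replace-with-a-key-from-an-eu-kms"

# Constructed sample record, not real user data.
SAMPLE_RECORD = {
    "user_id": "u-10293",
    "email": "alice@example.eu",
    "phone": "+353 1 555 0100",
    "religion": "none stated",
    "health_notes": "asthma",
    "date_of_birth": "1990-04-12",
    "country": "IE",
    "post_count": 42,
    "free_text_bio": "Hi, I'm Alice and I live on Main Street",  # unclassified field
}


def pseudonymise(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256) so the importer can still
    join records on it. Including the field name stops one value producing
    the same token in two fields. An unkeyed hash would not do: emails and
    phone numbers are guessable, so a plain SHA-256 of them is reversible by
    a dictionary attack."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def minimise_for_transfer(record: dict, key: bytes) -> tuple[dict, dict]:
    """Return (outbound_record, transfer_log).

    Default-deny: a field that is not classified above is dropped and logged,
    so an unexpected column never leaves the EU silently. The log is the
    evidence trail for the transfer file (what was dropped, tokenised, kept)."""
    out = {}
    log = {"dropped": [], "pseudonymised": [], "generalised": [], "kept": []}
    for field, value in record.items():
        if field in SPECIAL_CATEGORY:
            log["dropped"].append(field)
        elif field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymise(str(value), key, field)
            log["pseudonymised"].append(field)
        elif field in GENERALISED:
            out[field] = GENERALISED[field](str(value))
            log["generalised"].append(field)
        elif field in PASS_THROUGH:
            out[field] = value
            log["kept"].append(field)
        else:
            log["dropped"].append(field)  # unclassified: not transferred
    return out, log


if __name__ == "__main__":
    outbound, transfer_log = minimise_for_transfer(SAMPLE_RECORD, EU_HELD_KEY)
    print(outbound)
    print(transfer_log)
```

Run as a script it prints the outbound record (no special-category fields, 64-character hex tokens in place of identifiers, year of birth only) and the transfer log. Keeping the log alongside the TRA is the documentation a supervisory authority will ask for; rotating the key, or using a different key per importer, prevents tokens from being linked across recipients.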
Ducks in a row
Given that this is clearly an area of focus for data protection Supervisory Authorities, all businesses, whether acting as data processors or controllers, should check whether any international data transfers they carry out are caught by the FISA provisions at the centre of this decision. Where they are, make sure that every step towards compliance with the GDPR international data transfer provisions (including TRAs) is documented and can be produced to a Supervisory Authority on request.
Is the cavalry on the horizon?
Possibly, though they may not stay long. The ruling is quite clear that an EU-US adequacy decision would solve the US transfer dilemma at a stroke, and we will also have to wait and see whether the expected EU-US Data Privacy Framework will provide such a solution. However, if past trends are indicative, this Framework, once it comes into effect, is very likely to be subject to legal challenge in a similar manner to its predecessors, the ‘Privacy Shield’ and ‘Safe Harbor’ regimes.
Given the uncertainty, it may be that we see more fundamental change to business practice when it comes to US data storage: but adequacy (which is likely to come with compliance strings attached) will at least give comfort in the medium term.
In the UK
Finally, it is important to remember that this is a decision about the EU, not the UK. Guidance from the UK’s Information Commissioner, and recent white papers and bills, clearly indicate that the UK government is trying to make US transfer easier, not more difficult. For the moment, the UK is bound by the Schrems II principles, and companies will certainly be expected to carry on taking proper care of international transfers by means of SCCs (in the UK, the ICO’s International Data Transfer Agreement or the UK Addendum to the EU SCCs), TRAs, or other appropriate mechanisms such as Binding Corporate Rules, but it seems unlikely that we will see a finding of this type affecting UK-US transfers in the current political climate.
What to do now:
- Data mapping: what is your business doing with personal data, and why?
- Identify your transfers of European personal data to the US
- Check what’s happening to data in your supply chain
- Prioritise strategically or financially important transfers, and those with the largest or most sensitive data flows
- Start thinking about reduction or encryption techniques
- Make sure your current compliance tools are in order
- Keep calm – orderly action in the next weeks and months will put you in the best possible position to defend challenges