In a decision with significant implications for international data transfers (and those involving US-headquartered technology companies in particular), the Irish Data Protection Commission (DPC) recently imposed a €1.2 billion fine on Meta Platforms Ireland Limited – Meta group’s Irish subsidiary that contracts with Facebook users outside North America – for unlawfully transferring the personal data of 309 million Facebook users in Europe to the US.
The fine is the largest in GDPR’s five-year history. At issue was whether Facebook’s safeguards bridged what the Irish regulator views as a gap between data protection levels on either side of the Atlantic (spoiler: they do not).
Running through the DPC’s 222-page decision is scepticism that personal data originating from Europe can ever receive an equivalent level of protection once it reaches the US.
The Meta group also owns WhatsApp and Instagram, but this decision concerns only Meta’s Facebook operations.
What was the case about?
Under GDPR, transfers of personal data out of the EU are permitted under limited circumstances. Some of these circumstances include (a) transferring to jurisdictions with an adequacy decision;1 (b) transferring subject to appropriate safeguards; and (c) derogations for specific situations (e.g., specific and informed consent, contractual performance, and public interest).
The GDPR provisions relating to international data transfers seek to balance the free flow of personal data with personal data protection. Organisations with global operations that service customers in the EU, and process data outside it, have a particularly complex task in complying with GDPR.
Among the jurisdictions that do not have “adequate” data protection laws, the US is of particular concern to Europe given its surveillance programmes, where laws such as s 702 of the Foreign Intelligence Surveillance Act 1978 (FISA) authorise the collection of electronic communications of non-US persons stored by US internet service providers.
Previous US-EU frameworks designed to facilitate trans-Atlantic data transfers have been invalidated by the Court of Justice of the European Union (CJEU): the Safe Harbor Framework by the “Schrems I” judgment in 2015 and the Privacy Shield by the “Schrems II” judgment in 2020.
Without an overarching framework such as Safe Harbor or Privacy Shield, the overwhelming majority of organisations rely on standard contractual clauses (SCCs) to provide the safeguards needed for data transfers to the US (or to any jurisdiction without an adequacy decision).2 SCCs are “pre-approved” contractual clauses parties can include in their contracts to ensure appropriate data protection safeguards, and are officially endorsed by the European Commission.
Meta Ireland relied on both the 2010 SCCs and 2021 SCCs in its contracts with European users. It also put in place:
• organisational measures (e.g., a Disclosure Policy, a Disproportionate Request Policy, a Data Access Policy, and Law Enforcement Guidelines); and
• technical measures (e.g., a Comprehensive Information Security Program and industry standard encryption algorithms and protocols),
as safeguards.
The DPC inquiry
In August 2020, the DPC commenced an “own-volition inquiry” to consider whether Meta Ireland was acting lawfully and, in particular, compatibly with GDPR, in making data transfers to the US. The DPC’s “volition” appears to have been the result of lobby group pressure, which had been mounting since 2013.
On 22 May 2023, the DPC announced the conclusion of its inquiry into Meta Ireland and unveiled findings that have far-reaching consequences beyond Facebook:
• US law does not provide a level of data protection that is essentially equivalent to that provided by EU law.
• Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law because the SCCs do not change the fact that Meta Ireland’s parent is an Electronic Communications Services Provider (ECSP) with corresponding s 702 FISA obligations and subject to programmes such as PRISM.3
• Meta Ireland does not have in place supplemental measures that compensate for the inadequate protection provided by US law.
• It is not open to Meta Ireland to rely on the derogations provided for under GDPR when making the data transfers.
The crux of the DPC’s decision is that Meta’s 309 million European users still do not have a level of protection “essentially equivalent” to that of GDPR once their personal data crosses the Atlantic because of the US government’s surveillance rights.
In its decision, the DPC imposed:
• A suspension order Meta must suspend further personal data transfers to the US within five months from the date of being notified of the DPC’s decision (which was 12 May 2023, with a grace period to allow for appeal).
• An administrative fine in the amount of €1.2 billion One of the aggravating factors leading to the large fine for Meta Ireland was its ongoing breach after the previous frameworks had been struck down by the CJEU which, in the eyes of the regulators, amounted to the “highest degree of negligence”.
• A compliance order Meta Ireland must bring its processing operations into compliance with GDPR by ceasing the unlawful processing in the US (including storage) of the personal data of EU/EEA users transferred in violation of GDPR, within six months following the date of notification of the DPC’s decision. The DPC did not specify, however, how the data previously transferred to the US (in a manner now ruled unlawful) is to be deleted, returned, or otherwise brought into compliance.
Interestingly, the DPC’s initial draft decision only sought to impose a suspension order. It was only after regulators in other EU countries objected to the lack of a fine that the European Data Protection Board intervened (which it can do as part of the EU’s consistency mechanism), issuing a binding decision that instructed the DPC to also impose an administrative fine and compliance order.
Meta Ireland is expected to appeal the decision, possibly all the way to the CJEU, which may serve to stay its implementation.
What now?
The DPC did not specify what measures Meta Ireland could have taken to bridge the different levels of data protection, and one is justified in drawing the conclusion now that if an importer is an ECSP in the US there is little the exporter can do by way of SCCs or other supplemental measures to bring about an “essentially equivalent” level of data protection.
The key to a means of lawfully transferring personal data from Europe to the US now ultimately lies with the EU-US Data Protection Framework (DPF) – the latest attempt at a trans-Atlantic framework after the demise of Safe Harbor and Privacy Shield.
With “Electronic Communications Service Providers” under US laws defined broadly to include providers of remote computing services or companies providing users with “the ability to send or receive wire or electronic communications” (among other categories), European regulators are clearly concerned about the extent of US surveillance programmes.4
And until the European Commission adopts the DPF, organisations (and their customers) are rightly jittery that the safeguards they rely on could meet the same fate as those of Meta Ireland’s. We expect organisations will want to assure their customers and other stakeholders that they are either not ECSPs or are otherwise unlikely to fall within the remit of US government surveillance for other reasons.
What does this mean for New Zealand?
Many New Zealand organisations have global operations – sharing and receiving data across international borders is a big part of those operations.
Because New Zealand enjoys adequacy status, personal data can be transferred out of the EU to New Zealand on that basis. However, New Zealand organisations that are subject to GDPR under its territorial scope provisions (due to either targeting or monitoring the behaviour of EU data subjects) will also have to comply with international data transfer obligations if they send or process EU data outside New Zealand.
This could be problematic now that the officially endorsed and widely used SCCs mechanism appears less than bulletproof.
While Meta is expected to appeal the DPC’s decision, the questions organisations should be asking themselves include:
• Am I transferring data from the EU/EEA to countries that do not have an adequacy decision (in particular, the US)?
• If yes, does my organisation have a risk profile different from Meta’s? What is the likelihood of qualifying as an ECSP under US laws, bringing it within the scope of surveillance programmes authorised by FISA and other legal frameworks? The fact that Facebook had actually received a s 702 order was a significant factor in the DPC’s consideration.
• How do my supplemental measures compare to those of Meta Ireland’s? Do I have sufficient organisational, technical, and legal measures to not only mitigate the “deficiencies” in the US laws, but compensate for the perceived gap?
• Absent an adequacy decision or appropriate safeguards, am I justified in relying on derogations (knowing that derogations are interpreted restrictively) to continue with my data transfer? Other than particular situations (specific and informed consent, contractual performance, public interest etc), transfers based on a derogation must not be repetitive, should concern only a limited number of data subjects, and need to be necessary for a controller’s compelling legitimate interests.
• Even if both controller and processor meet their GDPR obligations, would any onward transfer (e.g., to data subprocessors) lead to the data subjects having less-than-adequate protection?
Looking ahead
There is a view in certain quarters that muscular data protection regimes and tight regulation of cross-border data flows could lead to the onset of a “splinternet”, exacerbating a broader de-globalisation trend set in motion by the pandemic (and as we have seen in trade).
For example, after the DPC’s decision was announced, Meta aired its view that at a time where the internet is fracturing under pressure from authoritarian regimes, like-minded democracies should work together to promote and defend the idea of the open internet.
Indeed, the issue of cross-border data flows featured high on G7’s agenda at the latest summit in May. Where the balance between free flow and protection should be struck may become as much of a priority for elected governments as it has been for regulators. What is certain is that the tension between strict personal data protection and free data flows (which underpins much of the digital economy) will continue to rise as the stakes get higher.
Increasingly, individual regulatory frameworks relating to international data transfers are proving to be a source of much complexity and not enough certainty for data subjects and corporates alike – could a multi-lateral political solution be the next step?
1 Only 14 countries are determined by the European Commission to provide an adequate level of data protection. Among them are New Zealand, Japan, South Korea, the UK, Switzerland and Argentina.
2 The 2021 IAPP-EY Governance Report shows as many as 94% of those transferring personal data out of EU rely on SCCs.
3 The code name of a programme under which the US National Security Agency collects internet communications from US internet companies.
4 Other than Facebook, internet service providers and tech companies reportedly subject to s 702 FISA orders include Yahoo, Google, Skype and Youtube – 2.11 of the Decision.