The lawfulness of data transfers from the EU/EEA to the US is back in the spotlight following the conclusion of an own-volition inquiry by the Irish Data Protection Commission ("DPC") into Meta Ireland's data transfers to Meta US.
The DPC imposed: (i) a record €1.2 billion fine; (ii) an order requiring Meta Ireland to suspend its data transfers to Meta US within five months of the DPC's decision (i.e. by 12 October 2023); and (iii) a compliance order requiring Meta Ireland to bring its processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including US storage of EEA users' personal data, within six months of the DPC's decision (i.e. by 12 November 2023).
The DPC found that Meta Ireland had infringed Article 46(1) GDPR by continuing to transfer personal data from the EU/EEA to the US following the judgment by the Court of Justice of the European Union ("CJEU") in Schrems II. While Meta Ireland effected those transfers on the basis of the updated 2021 Standard Contractual Clauses ("SCCs"), in conjunction with additional supplementary measures, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
Although this decision is directed at Meta, it has implications for thousands of EU/EEA companies and organisations transferring data to the US. The DPC concluded its decision by acknowledging that it cannot make an order suspending or prohibiting transfers to the US generally, but that "the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an 'electronic communications service provider' subject to FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the US". A case-by-case assessment of such transfers will be required, taking into account the DPC's analysis in this decision, to verify their legality.
Following publication of the DPC's decision on 22 May 2022, a spokesperson from the European Commission stated that a US adequacy decision, in the form of the new Data Privacy Framework ("DPF") (previously discussed here), is expected to be fully functional by this summer. The DPF should enable Meta Ireland, along with thousands of other companies and organisations, to continue to lawfully transfer data to the US. This will bring some welcome legal certainty in regard to legitimising EU-US data transfers.
The Schrems II Decision
In July 2020, in the Schrems II decision, the CJEU invalidated the EU-US Privacy Shield, a US adequacy decision relied on by thousands of companies and organisations to legitimise EU-US data transfers. The EU-US Privacy Shield was found to be invalid due to a fundamental conflict of law between the US government's rules on access to data and the privacy rights of EU citizens. In particular, the mass surveillance powers and right of access of US intelligence authorities to transferred data, and the lack of judicial redress for EU citizens in regard to such access, were found to be incompatible with EU data protection laws. As Meta noted in its response to the DPC's decision, this is a conflict that neither Meta nor any other business could resolve on its own.
The CJEU upheld the validity of the SCCs, subject to certain conditions. In particular, organisations have to carry out a transfer impact assessment and verify that the laws and practices of the third country of destination would not impinge upon the effectiveness of the SCCs, and where necessary, implement supplementary technical, organisational and/or contractual measures to protect the transferred data. This decision created considerable legal uncertainty for organisations in regard to how to ensure their data transfers to the US were lawful.
DPC Inquiry Into Meta's EU-US Transfers
Following that CJEU decision, in August 2020, the DPC commenced an own-volition inquiry into Meta Ireland. The DPC's inquiry concerned the following two issues:
- Whether Meta Ireland was acting lawfully, and in compliance with Article 46(1) GDPR, in transferring personal data relating to EU individuals to Meta US pursuant to the 2010 SCCs, following the CJEU's judgment in Schrems II.
- Whether and/or which corrective power should be exercised by the DPC pursuant to Article 58(2) GDPR in the event that Meta Ireland was found to be acting unlawfully and infringing Article 46(1) GDPR.
Subsequent to the commencement of the DPC's inquiry, the European Commission adopted the 2021 SCCs, which repealed and replaced the 2010 SCCs. The DPC’s decision has regard to both the 2010 SCCs and the 2021 SCCs. It also has regard to the 2021 Data Transfer and Processing Agreement ("DTPA"), an agreement entered into between Meta Ireland and Meta US, grounding its data transfers on the 2021 SCCs, in place of the 2010 SCCs, with effect from 31 August 2021.
The DPC's inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of judicial review proceedings concerning the DPC's preliminary draft decision. Those judicial review proceedings were ultimately dismissed, and an order lifting the stay on the inquiry was issued on 20 May 2021.
Following a comprehensive investigation, the DPC prepared a revised preliminary draft decision dated 6 July 2022. Notably, it found that:
- the data transfers in question were being carried out in breach of Article 46(1) GDPR; and
- in these circumstances, the data transfers should be suspended.
Consultation With Other CSAs Under One-Stop-Shop Procedure
As the processing under examination in the inquiry constituted "cross-border processing", the DPC, acting as Lead Supervisory Authority ("LSA"), was required to submit its draft decision to concerned supervisory authorities ("CSAs") in the EU/EEA, pursuant to the one-stop-shop procedure set out in Article 60 GDPR. In this case, all EU/EEA Data Protection Authorities ("DPAs") were involved as CSAs. This means the decision reflects the views of all EU/EEA DPAs.
The CSAs agreed with the DPC’s decision to the extent that it found Meta Ireland was in breach of Article 46(1) GDPR, and the DPC's proposal to order the suspension of Meta Ireland's data transfers to Meta US.
However, four of the 47 CSAs (namely, Austria, Germany, France and Spain) objected to the lack of an administrative fine in the DPC's draft decision. Two of those CSAs (namely, France and Germany) also took the view that Meta Ireland should be ordered to take action to address the personal data that had already been unlawfully transferred to the US (i.e. the data transferred from July 2020 to the present).
The DPC disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR.
As a consensus could not be reached, the DPC referred the matter to the European Data Protection Board (“the EDPB”) for its determination, pursuant to the dispute resolution mechanism in Article 65 GDPR.
The EDPB adopted its decision on 13 April 2023 and upheld the objections of the CSAs, finding that, in addition to the suspension order, Meta Ireland should be subject to an administrative fine and an order to address the personal data already unlawfully transferred to the US.
The EDPB directed the DPC to impose a fine of between 20% and 100% of the applicable legal maximum under the GDPR. The EDPB took the view that, taking into account the scope of the processing (which included special category data), as well as the very high number of data subjects affected (309 million daily active users), Meta Ireland had committed an infringement of significant nature, gravity and duration, and with the highest degree of negligence.
Further to Article 65(2) GDPR, the EDPB's decision was binding on the DPC and all CSAs, and the DPC was required to adopt its final decision within one month after notification of the EDPB's decision.
Article 46(1) GDPR Infringement
The DPC found that Meta Ireland had infringed Article 46(1) GDPR by continuing to transfer personal data from the EU/EEA to the US following the Schrems II decision, in circumstances which failed to guarantee a level of protection to data subjects that is essentially equivalent to that provided by EU law, and in particular by the GDPR read in light of the Charter of Fundamental Rights of the European Union ("the Charter").
Reason for Infringement
The DPC came to this conclusion, based on the four reasons set out below, which will clearly be problematic for thousands of companies transferring data between the EU/EEA and the US.
1. US law does not yet provide an essentially equivalent level of protection
The DPC found that, despite recent changes to US law, it does not yet provide a level of protection that is essentially equivalent to that provided by EU law. The DPC noted that it could not take into account the remedial scheme contemplated by US Executive Order ("EO") 14086 (previously discussed here), on the basis that the scheme was not operational at the time of making the draft and final decision. In particular, in the absence of designation of the EU as a "qualifying State", the new scheme is not operational for EU citizens. Nor had the activities and/or practices of US intelligence agencies changed, immediately upon the signing of EO 14086, in such a manner that the risks to the fundamental rights and freedoms of EU citizens under Article 47 of the Charter, as identified by the CJEU in Schrems II, had yet been addressed.
2. Neither the 2010 nor 2021 SCCs can compensate for the inadequate protection afforded by US law
The DPC held that neither the 2010 SCCs nor the 2021 SCCs can compensate for the deficiencies in US law identified in the Schrems II judgment. As Meta Ireland transitioned from the 2010 SCCs to the 2021 SCCs during the inquiry, it had been unclear whether the DPC's decision would also consider the lawfulness of Meta Ireland's reliance on the 2021 SCCs for EU-US transfers.
The CJEU held that, despite the provisions dealing with government access, such as clauses 14 and 15, there is nothing in the 2021 SCCs that changes the fact that Meta Ireland and/or Meta US is an electronic communications service provider subject, at a minimum, to the obligations imposed under the FISA 702 PRISM programme. Under that programme, there could be access to a user's data without court supervision and without the user's knowledge. Meta cannot stop this access with the SCCs, whether it has incorporated the 2010 or the 2021 SCCs, and there is no remedy for an EU data subject who is not informed that they have been the subject of a FISA 702 search.
Accordingly, the DPC's decision impacts organisations relying on the 2021 SCCs too.
3. Supplementary measures taken do not compensate for the inadequate protection provided by US law
The DPC found that the numerous organisational, technical and legal supplementary measures put in place by Meta Ireland do not compensate for the inadequate protection provided by US law. The DPC found that these measures do not provide "essential guarantees" for transferred EU data.
In particular, in regard to the supplementary measures implemented by Meta Ireland, the DPC found that the organisational measures taken by Meta include a Disclosure Policy, a Disproportionate Requests Policy, a Notification Policy, a Data Access Policy, Law Enforcement Guidelines, Facebook Transparency Reports, Data Sharing Policies, and a People Security Policy, in addition to various oversight and notification measures in place between Meta US and Meta Ireland.
The technical measures include industry standard encryption algorithms and protocols to secure the confidentiality of user data in transit, encryption on Facebook laptops, a comprehensive information security programme, shared infrastructure between Meta Ireland and Meta US, asset management controls, arrangements for the management of Facebook employee mobile devices, the deployment of cryptographic protection of passwords, and third party security policies.
Legal measures implemented by Meta Ireland include enforceable third party contractual rights for data subjects under the SCCs, processes for challenging requests for disclosure of personal data which Meta US believes to be unlawful, lobbying to change laws and advocating for its users' rights, and transparency reporting.
However, according to the DPC, none of these measures are sufficient to "compensate for [the] deficiencies" of the US legal framework or to provide "protection to EU law against the wide discretion the US Government has to access Meta US users' personal data via Section 702 FISA DOWNSTREAM (PRISM) requests".
Meta Ireland's implementation of encryption in transit was potentially capable of providing "appropriate safeguards in the context of Section 702 FISA UPSTREAM or EO 12333", but not for the PRISM programme. However, the DPC reserved its position on this issue, noting that it had identified a lack of essential equivalence due to PRISM.
The DPC found that data exporters must implement supplementary measures that ensure "essentially equivalent protection" for transferred data by "compensating" for any lack of data protection in the third country of destination (in line with Recital 108 GDPR). Meta Ireland had noted that its supplementary measures "addressed" and "mitigated" the deficiencies in US law, but the DPC rejected this as not being enough, casting doubt on the feasibility of a risk-based approach to data transfers.
The DPC went on to note that "the EDPB Supplemental Measures Recommendations do not exclude a so-called risk-based approach (this was deliberately inserted after point 3 of the Executive Summary)", but that Meta Ireland could not demonstrate that, notwithstanding the deficiencies in US law, no interference with EU rights occurred.
The decision sets an extremely high bar when it comes to appropriate supplementary measures, irrespective of the actual risk of access to such data by US surveillance authorities. The DPC's decision arguably indicates that if an EU/EEA organisation is transferring data to the US, and the US importer is subject to FISA 702, nothing short of encrypting the data in the EU/EEA and ensuring that the importer has no access to the encryption key will be sufficient.
4. Reliance on Article 49 GDPR Derogations not possible
The DPC further held that Meta Ireland was not entitled to rely on the contractual necessity, public interest, explicit consent derogations, or any other derogation under Article 49(1) GDPR to legitimise its EU-US data transfers to Meta US.
The DPC noted that while it is possible to rely on derogations to legitimise data transfers, derogations must not be used for routine transfers of data, and must be interpreted in accordance with Article 52(1) of the Charter. This means the derogations must respect the "essence" of the right to data protection. The DPC stated that as there is no effective means of judicial redress for EU citizens subject to US surveillance laws, as required by Article 47 of the Charter, it followed that EU-US data transfers, even when made in reliance on derogations, would not respect the "essence" of the right to data protection and could therefore not be relied upon.
However, the DPC acknowledged that reliance on data subjects' explicit consent (pursuant to Article 49(1)(a) GDPR) may be possible, in circumstances where the data subject is informed that: "(i) the data will not be subject to equivalent protection to that afforded by Article 7 and Article 8 of the Charter; (ii) that identified laws in the United States interfere with the essence of Article 47 Charter rights with respect to that data, and (iii) of the possible risks of the proposed transfer to the data subject". In those circumstances, the DPC accepts that such a transfer cannot be said to interfere with the "essence" of that data subject's right of redress under Article 47 of the Charter. However, the DPC noted that the requirement that consent be "explicit" and that it relate to "the proposed transfer" precludes a single consent being obtained for ongoing data transfers and/or different sets of transfers.
Accordingly, it appears that Article 49 GDPR derogations are not necessarily a solution to legitimising EU-US data transfers as US law currently stands, particularly not for routine, repetitive transfers.
Corrective Powers Exercised
Taking into account the determination of the EDPB, the DPC exercised the following three corrective powers:
- an order, pursuant to Article 58(2)(j) GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland (i.e. by 12 October 2023);
- an administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed). The EDPB directed the DPC that the starting point for the calculation of the fine should be between 20%-100% of the applicable legal maximum; and
- an order, made pursuant to Article 58(2)(d) GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta Ireland (i.e. by 12 November 2023).
Impact of DPC Decision
Although this decision is directed at Meta, it evidently has implications for thousands of EU/EEA companies and organisations transferring personal data to the US, in particular to US service providers subject to FISA. By making it almost impossible to lawfully rely on the SCCs (or in fact the BCRs) and supplementary measures, or the Article 49 derogations, in order to legitimise such transfers, the decision leaves few choices for such companies other than to localise data in Europe, or to hope that a US adequacy decision, in the form of the DPF, is adopted in summer 2023, as expected.
There will be no immediate disruption to Meta's services or data transfers to the US, as the decision includes five and six month implementation periods respectively for the suspension of EU-US data transfers and for the deletion or return to Ireland of EU personal data stored in the US (i.e. by 12 October and 12 November 2023 respectively). Meta has also confirmed that it will be appealing the decision and seeking a stay through the courts to pause the implementation deadlines.
In addition, the DPC has confirmed that there will be no suspension of the transfers or other action required of Meta Ireland, once the underlying conflict of law has been resolved. This will mean that if the DPF comes into effect before the implementation deadlines expire, Meta Ireland's services can continue as they do today without any disruption or impact on users.
Whilst the DPF will bring some welcome legal certainty in regard to legitimising EU-US data transfers, it is worth noting that such legal certainty may be short-lived, as it appears likely that it will, like its predecessors, be subject to legal challenge by privacy advocates, such as NOYB. The question is whether it will survive such challenge. Only time will tell.