Decision could imperil other companies’ transatlantic transfers as well
By: John Magee, Andrew Dyson, James Sullivan, Andrew Serwin, Claire O’Brien & Rachel De Souza
The Irish Data Protection Commission (DPC) has published a decision that could impact the ability of thousands of companies to move personal data from the European Economic Area (EEA) to the United States.
For Meta, the decision has resulted in a record administrative fine of €1.2bn, an order to suspend further transfers of EEA personal data to the US within five months, and an order to cease all unlawful processing of EEA personal data transferred to the US in violation of GDPR, within six months.
Meta has announced that it will appeal the decision and seek a stay of the orders.
At issue in the inquiry underlying the DPC’s decision was whether Meta’s transfers of EEA personal data to the US, based on Standard Contractual Clauses (SCCs), were legal following the Schrems II judgment by the CJEU nearly three years ago.
That judgment invalidated the EU-US Privacy Shield Framework, but also cast uncertainty on the use of SCCs to transfer personal data to the United States, given the concerns noted by the Court about the US government’s ability to access private sector data.
In the wake of the Schrems II ruling, Meta adopted the modernized SCCs issued by the European Commission in June 2021 and implemented supplementary measures as recommended by the European Data Protection Board (the EDPB) in November 2020 and June 2021.
In July 2022, the DPC first circulated its draft of this decision for review and comment by other European Supervisory Authorities (also known as Concerned Supervisory Authorities (CSAs)). That draft contained the transfer suspension order which forms part of this month’s final decision. After several CSAs lodged objections to perceived inadequacies of the draft decision in relation to the corrective measures proposed, the DPC referred the objections to the EDPB for determination pursuant to the Article 65 GDPR dispute resolution mechanism. The EDPB issued a binding determination to resolve the CSAs’ dispute over whether the DPC also should fine Meta and order it to bring its processing into compliance with the GDPR. The final DPC decision reflects that binding determination by the EDPB.
The DPC decision
The DPC’s decision records the exercise of the following corrective powers:
- an order, made pursuant to Article 58(2)(j) GDPR, requiring Meta to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
- an administrative fine in the amount of €1.2 billion; and
- an order, made pursuant to Article 58(2)(d) GDPR, requiring Meta to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the DPC’s decision to Meta Ireland.
Although the DPC decision is limited to the facts in the Meta matter, and Meta plans to appeal the decision and seek a stay, the announcement sends a decidedly unambiguous message to thousands of companies that the costs and complexities of delivering their products and services in certain markets will increase:
“[T]he analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA.”
More uncertainty and risk around EU-US data transfers
Coming amid the ongoing legal vacuum around EU-US data flows since the 2020 Schrems II judgment, the DPC’s suspension order threatens to disrupt Meta’s Facebook operations in Europe. Although it remains to be seen how the appeal process may play out or how Meta might adapt its practices to comply with the order, the social media giant has already indicated that it will find itself without the tools to lawfully transfer personal data to the United States for its Facebook service if an adequacy decision for the EU-US Data Privacy Framework (DPF) is not formally adopted before the suspension order takes effect in October.
Concerns about further disruption to transatlantic data transfers are by no means limited to Meta. In recent public financial filings with regulators, scores of US and European businesses have reported that, until the DPF is adopted by the EU, the uncertainties around SCCs could also impair their ability to process and transfer EEA personal data, thereby limiting their provision of particular products and services. By making the principal existing mechanism for transatlantic transfers so legally risky, the DPC decision may pressure EU companies to consider localising data (among other things, by shifting from US to European cloud service providers).
In particular, in its decision, the DPC concluded that Meta’s reliance on the ‘new’ 2021 SCCs do not compensate for the deficiencies in US law identified in Schrems II – the DPC held that the US Section 702 Foreign Intelligence Surveillance Act (FISA) downstream programme PRISM allows non-court supervised access to a user’s data without their knowing. Given that Meta cannot stop such access with the SCCs, there is no remedy for an EEA data subject who is not informed that they have been the subject of a FISA 702 search.
In addition, the DPC concluded that Meta did not have in place any supplemental measures which would compensate for the inadequate protection provided by US law. In particular, the supplementary measures do not “provide essentially equivalent protection to EU law against the wide discretion the US Government has to access Meta US users’ personal data via Section 702 FISA (PRISM) requests”.
While the DPC states that “the EDPB Supplemental Measures Recommendations do not exclude a so-called risk-based approach…”, Meta has not compensated for the inadequacies in US law. The DPC’s Meta decision (which reflects the EDPB’s binding determination) offers yet another indicator that European Supervisory Authorities are setting the bar high when it comes to supplementary measures used to protect EEA personal data, irrespective of the actual risk of access to such data by US public authorities.
EU-US adequacy decision
For organisations transferring personal data to US service providers subject to FISA, the DPC decision leaves few alternatives other than to hope the EU-US adequacy decision for the DPF is adopted this summer as currently expected. The six-month grace period before the decision’s transfer suspension order takes effect clearly leaves the door open for the adequacy decision: “Accordingly, and for the sake of clarity and legal certainty, the orders specified in Section 10, below, will remain effective unless and until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by way of new measures, not currently in operation, such as the possible future adoption of a relevant adequacy decision by the European Commission pursuant to Article 45 GDPR.”
Soundings from the negotiation process are indicating a finalized EU-US pact by the end of the summer. However, given that privacy advocates are already planning legal challenges, any EU-US adequacy decision is likely to find its way back to the CJEU sooner rather than later.
Managing risk with ongoing data transfers
Organisations transferring personal data from the EEA to the US will be undoubtedly concerned as to whether the DPC decision undermines the ability to rely on SCCs and any supporting transfer impact assessments (TIAs) as a sufficient safeguard to continue to lawfully transfer data to the US pursuant to GDPR Article 46.
The DPC findings certainly put the validity of those safeguards under increased scrutiny, particularly given the pervasive nature of the concerns raised about US surveillance under FISA. What we don’t know yet though is whether European Supervisory Authorities will take downstream enforcement action that replicates the DPC’s findings narrowly, or if a more risk-based approach will start to emerge. There are certainly inferences in the DPC decision that suggest the door is not closed on a risk-based approach, as previously espoused by the EDPB. The facts and history of this particular case – involving the transfer of large volumes of personal data known to be in scope of the FISA 702 PRISM surveillance programme – were always going to trigger a material risk of regulatory enforcement. What is less clear is whether regulators will be equally inclined to suspend the flow of the more benign data transfers that many organizations make as part of their routine operations (for example when for remote IT support or managing global HR) where it may be possible to determine with a high degree of confidence that surveillance under FISA is unlikely to take place. Unless and until regulators go that far, we expect organisations to continue making transfers with respect to data sets that are considered ‘lower risk’. Pending confirmation of the DPF adequacy decision, transfers of ‘higher risk’ data will certainly be a concern and these should be identified and managed as a potential compliance exposure.
For further information or queries please contact one of the authors or any member of the DLA Piper Data Protection, Privacy and Cybersecurity team.