On 22 May 2023, the Irish Data Protection Commission (“DPC”) fined Facebook parent Meta EUR 1.2 billion for transferring personal data to the U.S. in violation of GDPR. The DPC also ordered Meta to suspend further transfers unless it can bring such transfers into compliance within 5 months. Meta is appealing the decision.
The DPC alleged that Meta transferred personal data based on European Commission standard contractual clauses (“SCCs”) and had conducted transfer impact assessments (“TIAs”) in line with guidance from EU regulators. If true, Meta’s actions were consistent with the actions of many companies.
The DPC – and the European Data Protection Board (“EDPB”) – found that the alleged transfers to the US were not lawful because U.S. laws permitted US government authorities to compel access to transferred data without sufficient safeguards.
How does this decision affect other companies?
1. The decision applies only to “transfers” of personal data from one entity to another entity outside the EU, not a company’s direct collection of personal data from individuals in the EU. Direct collection of personal data does not amount to a “transfer” under guidance from EU regulators.
2. The decision does not affect transfers that are not subject to FISA Section 702. The DPC focused on U.S. government access pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), which applies only to certain electronic communications services. While the definition of an electronic communications service is broad and encompasses many cloud-hosted service providers, not all transfers to the US are implicated.
3. The decision does not affect companies that are unlikely to receive significant numbers of government requests. The DPC upheld the validity of a “risk-based approach” that would consider the likelihood of government access pursuant to FISA Section 702 – not just the law’s potential application to a transfer. The DPC rejected Meta’s arguments that its transfers were low risk because Meta does, in fact, receive a significant number of such government requests. While the decision did not reach this issue, companies that do not receive a significant number of government requests likely can continue to apply a risk-based approach. What constitutes an acceptable level of risk remains unclear.
4. Companies that rely on SCCs should check that their TIAs focus on likelihood of government access. Given the DPC’s acknowledgement of a risk-based approach, TIAs should focus on the real-life likelihood of government access to personal data and measures that reduce the likelihood of such access, such as evidence that a company, or the sector in which it operates, receives few government access requests. Where feasible (and with limited cost), companies may also consider more robust measures such as end-to-end encryption and EU data storage, but we are not yet seeing signs of a definitive market shift in this direction.
5. The 5-month delay in the DPC’s suspension of Meta’s transfers gives EU and U.S. authorities an opportunity to finalize “Privacy Shield 2.0”. The DPC delayed the suspension of Meta’s transfers for a period of five months. The proposed “EU-US Data Privacy Framework” – which, once approved, will replace the now-defunct Privacy Shield framework – aims to address the deficiencies that led to this decision. Approval may come in the next few months.
Most companies (outside Big Tech) are unlikely to be in the crosshairs in the meantime. Nearly all companies that operate in the EU use SCCs for at least some transfers of personal data. Unless (or until) there is clear evidence of political will or market practice favoring EU data localization, most companies will continue to rely on SCCs for US transfers.
For more information, please see our FAQs below.
1. What happened?
On 22 May 2023, the DPC announced the conclusion of its nearly three-year-long inquiry into Meta’s transfer of Facebook data from Meta Platforms Ireland (“Meta Ireland”) to Meta US (the “Decision”). As well as issuing Meta Ireland with a fine of EUR 1.2 billion – the largest fine since the inception of the GDPR five years ago – the DPC has given Meta five months (until 12 October) to suspend any future transfer of EEA and EU personal data to the US, and has ordered Meta to bring its processing operations into compliance “by ceasing the unlawful processing, including storage, in the US of personal data” within six months. Meta intends to appeal the decision.
The case arose out of the Court of Justice of the European Union’s decision in Schrems II that invalidated the EU-US Privacy Shield framework, and introduced the requirement that companies conduct TIAs to supplement standard contractual clauses. See our earlier blog posts on this topic: Déjà Vu All Over Again: EU High Court Invalidates Privacy Shield For EU–U.S. Data Transfers; Post Schrems II Guidance: EU Regulators Raise Bar For Global Data Transfers; and Navigating EU Data Transfers: Effects of Schrems II Start to Bite.
In short, the DPC found that the SCCs combined with the extensive safeguards implemented by Meta (and documented in its TIA) were insufficient to address the lack of essential equivalency between EU data protection laws and US laws, in particular the susceptibility of US based electronic communication service providers to bulk surveillance under FISA Section 702. The Decision is the result of significant input from the EDPB under the GDPR’s binding dispute resolution procedure, following concerns from a number of other data protection authorities that the DPC’s original decision was too lenient – as such this decision cannot just be seen to apply to transfers within the ambit of the DPC, or to simply be an outlier decision.
2. Can we still use SCCs to transfer personal data to the US?
Companies should continue to use the SCCs, in conjunction with TIAs, for transfers of data to non-adequate countries other than the U.S. For transfers to the U.S., in the absence of any other transfer mechanism (i.e., binding corporate rules), companies will likely continue to use the New SCCs. In cases where the transfer is to an electronic communication service provider subject to FISA Section 702, however, this is not without risk. Electronic communications service provider is defined broadly, and includes telecommunications carriers (e.g., AT&T and Verizon), providers of electronic communications services (e.g. Facebook), and remote computing services (e.g. cloud providers).
The Decision does not invalidate the SCCs. It does, however, find that, where local laws do not provide a level of protection essentially equivalent to those offered by the GDPR (as is the case with the US): (a) the SCCs do not alone remedy the inadequacy; and (b) no supplemental safeguards are likely to be sufficient to compensate for deficiencies in US law when the company receives significant numbers of requests for EU/EEA personal data pursuant to FISA Section 702.
3. Can we rely on GDPR “derogations” instead?
The Decision reiterated previous guidance from regulators stating that the derogations found in Article 49 GDPR (e.g. relying on data subject consent, or where the transfer is necessary for the performance of a contract with the data subject) cannot be relied upon for systematic, bulk, repetitive, and ongoing transfer of users’ data from EU to US. Moreover, given that such derogations do not compensate for deficiencies in local law that allow for government access in violation of the EU Charter, the Decision questions whether derogations are viable even where transfers are of a limited nature. As such, companies that receive significant numbers of government requests for data are left with few options.
4. Are the TIAs we have done still valid?
Yes, but consider updates that address key aspects of the Decision.
The Decision does not undermine the combination of SCCs and TIAs as a safeguard for data transfers under the GDPR. However, the Decision clarifies that measures that “mitigate” against the risk of access to personal data by government authorities are insufficient. Instead, companies should focus on (1) any objective evidence indicating that the risk of receiving government requests is low; and (2) measures that “compensate” for deficiencies in legal safeguards. For example, technical measures such as end-to-end encryption and robust pseudonymization may prevent government authorities from accessing personal data. In addition, legal and contractual measures, such as commitments to provide individuals with recourse for government access, may address the “redress” concerns that led to scrutiny of FISA Section 702.
For transfers that are likely to lead to government access under FISA Section 702, however, no supplemental safeguards, as documented in a TIA, are likely to be sufficient. The Decision focuses on direct transfers to a company subject to FISA Section 702. Given the widespread reliance by companies on cloud service providers subject to FISA Section 702, it is unlikely that onward transfers (i.e. transfers made by service providers or other data recipients down the processing chain) would be the regulators’ immediate priority.
5. Does this only affect transfers to the US or exports to all countries?
While the Decision focuses solely on transfers of personal data to the US that are subject to FISA Section 702, the principles that underlie the Decision are not limited to the U.S. Companies should review their TIAs for transfers to other non-adequate countries in line with the guidance above.
6. Didn’t Biden’s Executive Order 14086 address these concerns?
The Decision did not evaluate Executive Order 14086 because the DPC concluded that the U.S. government had not yet fully implemented the protections described in the Executive Order.
7. Does this decision impact the transfer of UK personal data to the US?
No, this decision is not binding in the UK, although of course the UK regulator (the ICO) may be guided by its content. This is not likely, however, given that the latest draft of the Data Protection and Digital Information Bill assesses adequacy on the basis of whether data will be protected to a standard that is “not materially lower” than in the UK – a lower bar than the essential equivalency required as a result of both Schrems II and the Decision.
8. Will there be enforcement that is wider than Meta? If so, is there a grace period?
The DPC (para 10.11 Decision) in its summary of findings expressly states that although the Decision will bind Meta Ireland only, the Decision “exposes a situation where any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme [downstream surveillance] may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers to the USA.” All EU/EEA transfers of data to US companies that are subject to FISA 702 PRISM will be implicated.
Meta has five months to comply with the suspension element of the Decision, and six to cease the unlawful processing. While it is not clear if regulators will pursue other companies, given the very large number of companies that rely on SCCs to transfer data to the U.S., the risks to any one company (other than obvious targets such as Big Tech) are likely low. Companies should continue to monitor developments on the new Data Privacy Framework (discussed below) that would address the concerns at the core of the Decision.
9. What is the latest on Privacy Shield?
The EU-US Data Privacy Framework (“Data Privacy Framework”) is expected to be adopted this summer, but will only enter into force once the US has put in place new safeguards. When that will be is unclear, but speaking at the CPDP conference in Brussels on 24 May, European Commissioner for Justice, Didier Reynders, said this work is well advanced. As with Safe Harbor, and the first Privacy Shield, there is no doubt this will be challenged in court.
Once the Data Privacy Framework is adopted, data transfers to the US will become easier. Companies that certify to the Data Privacy Framework will be able to transfer personal data to the US in reliance solely on the framework. But the framework will also benefit companies that transfer personal data to the US based on other mechanisms, such as the SCCs. For transfers based on SCCs, while a TIA will still be necessary, companies will be able to point to the Data Privacy Framework as evidence of the “essential equivalency” of US laws relating to government access.