Irish Data Protection Commission decision muddies the water for Meta’s EU-US data transfers
The question
What are the implications of the Irish Data Protection Commission’s (IDPC) ruling against Meta for data transfers from the EU/EEA to the US in breach of the EU GDPR?
The key takeaway
Companies transferring data from the EU to countries which do not have an EU adequacy decision in place must ensure transfers (and the safeguards implemented around those transfers) comply with the EU GDPR. Reliance on the standard contractual clauses (SCCs) is not a simple fix – companies must be able to demonstrate that appropriate supplementary measures are in place that will “compensate” for any deficiencies in the non-adequate country’s laws.
The background
Meta’s data protection measures were first called into question in 2015 when Max Schrems, the privacy activist, brought a complaint about Facebook to the IDPC. Schrems successfully argued to the CJEU that the EU-US Safe Harbour Framework relied on by Facebook, which governed EU to US data transfers at the time, did not adequately protect data transferred to the US due to the US government’s surveillance practices. Schrems I, as the case became known, led to the development of the EU-US Privacy Shield which companies could sign up to, to certify that they followed higher privacy standards which facilitated the lawful transfer of data to the US.
As Facebook then sought to rely on the SCCs to transfer data to the US, Schrems re-issued his complaint to the IDPC (Schrems II). Whilst the decision in Schrems II deemed the SCCs could provide the level of protection required by EU GDPR, it invalidated the Privacy Shield on the basis it failed to adequately protect against US government surveillance. Following Schrems II, two new sets of SCCs governing personal data transfers outside of the EU were published by the European Commission.
Schrems II therefore established two options for the lawful transfer of personal data from the EU:
- reliance on a European Commission adequacy decision, or
- the use of SCCs, supplemented by additional safeguarding measures and transfer risk assessments.
Without an EU-US adequacy decision in place, Meta implemented the SCCs and additional safeguarding measures to demonstrate compliance with EU GDPR.
The development
In August 2020 the IDPC commenced an “own volition” investigation into Meta’s data transfers to the US. The IDPC’s draft decision found that the SCCs and additional safeguarding measures implemented by Meta did not provide “appropriate safeguards” for the transfer of EU personal data as the risks to the rights and freedoms of EU data subjects were not adequately addressed. Notably the IDPC found that where the law of a non-adequate country (for example the US) is contrary to the terms of the SCCs and is capable of impinging on the contractual guarantee of an adequate level of protection for data subjects, the SCCs themselves will not be effective.
The draft decision was reviewed by other data protection authorities in the EU/EEA and following some disagreement, it was sent to the European Data Protection Board (EDPB) for final decision.
On 12 May 2023, following input from the EDPB’s, the IDPC ordered Meta to:
- pay a fine of €1.2bn
- suspend all transfers of personal data from the EU to the US within five months, and
- make the processing of personal data compliant with the EU GDPR within six months, namely by stopping the unlawful processing and storage of personal data in the US.
Why is this important?
Whilst the ruling is binding only on Meta, the decision raises some red flags for companies that rely on the SCCs to transfer personal data from the EU/EEA. To be clear, the SCCs remain valid but the IDPC’s decision notes that any supplementary measures used in support of the SCCs must “compensate” for the discrepancies between EU and the destination country’s law, not just “address” or “mitigate” them.
This decision comes as the EU and US continue to define a Trans-Atlantic Data Privacy Framework, a mechanism for compliant data transfers, which companies will be able to sign up to. For now, companies transferring data to the US remain reliant on the SCCs
Any practical tips?
Companies exporting personal data from the EU/EEA to countries without an adequacy decision should review the SCCs and any supplementary measures they currently rely on. Companies should ensure they conduct a transfer risk assessment to identify any deficiencies in the non-adequate country’s laws and implement appropriate supplementary measures that will “compensate” for those discrepancies.
Summer 2023
Stay connected and subscribe to our latest insights and views
Subscribe Here