On May 22, 2023, the Irish Data Protection Commission (the “DPC”) published its decision on Meta Platforms Ireland Limited (“Meta”).[1] The decision has wider implications for any company that routinely transfers personal data from the EEA to third countries, in particular, to the US.
The decision focuses on companies’ ability to rely on the ‘standard contractual clauses’ (“SCCs”) when exporting EU personal data and the type of measures they must put in place to make those data exports lawful under the GDPR. The decision resulted in the imposition of a €1.2 billion fine on Meta, which is also the largest GDPR fine to date.
The DPC’s decision follows the European Data Protection Board’s (“EDPB”) binding decision of April 13, 2023. The EDPB’s binding decision required the DPC to rule that Meta’s transfers of personal data, carried out since July 16, 2020, breached the data transfer rules of the GDPR as they were interpreted by the Schrems II judgment of the Court of Justice of the European Union (“CJEU”).[2] This is despite the fact that Meta had taken a number of steps to comply with such rules in light of that judgment. For example, Meta had entered into the SCCs with the relevant US entities, and had updated the SCCs with the new SCCs adopted by the European Commission (“Commission”) in 2021. Meta also carried out a transfer impact assessment relating to its transfers as required by Schrems II and adopted a host of additional supplementary measures to seek to bring the protection afforded to the personal data it transferred to the US up to the level required by EU law. However, the DPC, on the basis of the EDPB’s binding decision, determined that these measures fell short of addressing the risks identified by the CJEU in Schrems II.
What is the Background?
The DPC started its investigation in August 2020, after which the DPC issued a draft decision that concluded that Meta’s data transfers from the EU to the US did not comply with the GDPR and the data transfers should therefore be suspended. The DPC, however, did not issue any administrative fine to Meta under its draft decision and took the view that “an administrative fine would be disproportionate … as the data transfers were being effected, in good faith, under and by reference to transfer mechanism provided for at law”. Meta, at that time, also argued that a fine would “breach the general principle of equal treatment or non-discrimination and the principle of legal certainty”.
Under a procedure mandated by the GDPR, the DPC, as the lead supervisory authority for Meta, subsequently submitted its draft decision to the other concerned EU data protection authorities for their consideration. Some of these national authorities (namely, those in Austria, France, Germany and Spain) raised objections to the DPC’s draft decision, in particular on the basis that Meta should be: (i) subject to an administrative fine for the infringement; and (ii) ordered to take action regarding the personal data which had already been transferred to the US.
The consultation between the DPC and those authorities did not resolve the disagreement and the DPC referred the issue to the EDPB as per the GDPR.
Upon reviewing the case, the EDPB, through its binding decision, required the DPC to: (i) impose an administrative fine on Meta, determining the starting amount for the calculation of the fine at a point between 20 and 100% of the applicable legal maximum; and (ii) make a further order requiring Meta to bring its processing operations into compliance with the GDPR by ceasing the processing, including storage, in the US of personal data of EEA users.[3]
The EDPB adopted its final decision on April 13, 2023, which was binding on the DPC. Subsequently, the DPC announced its final decision on May 12, 2023, which reflected the EDPB’s determinations, including:
- an order requiring Meta to suspend any future transfer of personal data to the US;[4]
- an administrative fine in the amount of €1.2 billion; and
- an order requiring Meta to bring its processing operations into compliance with the data transfer rules of the GDPR within six months following the date of notification of the DPC’s decision to Meta.[5]
Key takeaways
Overall, the decision represents arguably the most significant enforcement under the GDPR to date. It is a major development that has the potential to have wider ramifications for other companies that routinely transfer personal data out of the EEA. In consideration of the (then) anticipated EU-U.S. Data Privacy Framework, Meta was granted a stay of execution by the Irish Commercial Court until the end of July.[6]
The EDPB’s binding decision is also significant in that it confirms that the EDPB is not willing to depart from its view[7] that data transfers would not be lawful where:
- the data importer is subject to laws that grant powers to public authorities to access the transferred data in a way that goes beyond “what is necessary and proportionate in a democratic society” (which, according to the Schrems II judgment, particularly includes the powers granted under Section 702 of the US Foreign Intelligence Surveillance Act (“FISA”) for transfers that are made to the US);[8] and
- the SCCs are not supplemented with appropriate (technical, organizational and contractual) measures to ensure that the transferred data can be protected in the destination country in a manner that is essentially equivalent to the protections afforded to personal data under the GDPR.
However, it appears that the DPC is of the view that companies can still follow a ‘risk-based approach’ in assessing the lawfulness of their transfers. This means that companies may argue that their transfers are lawful where they can demonstrate that the problematic legislation (e.g. FISA) will not be interpreted in practice so as to apply to their transfers.
The DPC, however, specified that it is not possible to rely on the derogations set out in Article 49 (e.g., performance of contract) to legitimize routine transfers that are made on an ongoing basis.
Companies will also now have to take into account the DPC’s findings in their transfer impact assessments.
The EU – U.S. Data Privacy Framework
The adoption of the new EU-U.S. Data Privacy Framework by the European Commission on July 10, 2023 may seek to address some of the uncertainty regarding the transfers of personal data from the EU to the US.[9]
However, it will be interesting to see whether EU data protection authorities might take other actions regarding EU-U.S. data transfers that took place prior to the adoption of the EU-U.S. Data Privacy Framework. As Meta noted, such transfers of personal data from the EEA to the US are not unique to Meta, and Meta feels that it has been “singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe”.
[1] The DPC’s decision is available here.
[2] See our blog post on the Schrems II judgment here.
[3] See the EDPB’s determinations here.
[4] The order was issued pursuant to Article 58(2)(j) GDPR.
[5] The order was issued pursuant to Article 58(2)(d) GDPR.
[6] See Meta’s official announcement in response to the decision here.
[7] The views of the EDPB are primarily set out in the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (see full text here).
[8] In Schrems II, the CJEU held that Section 702 of the US FISA does not respect the minimum safeguards resulting from the principle of proportionality under EU law and cannot be regarded as limited to what is strictly necessary. According to the EDPB, this means that the level of protection of the programs authorized by Section 702 FISA is not essentially equivalent to the safeguards required under EU law.