
Data transfers and enforcement: Irish Data Protection Commission issues Meta with suspension and cessation orders along with largest ever GDPR fine


By Jade Kowalski & Charlotte Burke


Published 24 May 2023

Overview


On 22nd May 2023, the Irish Data Protection Commission ("DPC") published its long-awaited decision in the Meta data transfers case, providing the next instalment in the privacy world's longest-running battle. The decision has major ramifications for the company and transatlantic data transfers generally.

The DPC:

  • imposed the largest ever GDPR fine in the amount of EUR1.2 billion;
  • ordered Meta Ireland Limited, the European base of Meta, to suspend EU to US transfers of personal data relating to Facebook users within five months (the "Suspension Order"); and
  • ordered Meta Ireland Limited to cease unlawfully processing and storing the personal data of EU/EEA citizens in the United States, transferred in contravention of the GDPR, within six months (the "Cessation Order").

The decision of the DPC, integrating the decision of the European Data Protection Board ("EDPB"), carries significant consequences. Meta Ireland itself may have to fundamentally alter the structure by which it operates, and could call a halt to its operations within the EU/EEA. As expected, Meta has already confirmed that the decision will be appealed.

Whilst the DPC has made it clear that it is not possible for it to make an order generally suspending or prohibiting data transfers to the United States by other companies within its remit, those companies could now also find themselves subject to regulatory scrutiny, resulting in similar sanctions. Organisations that are in the process of amending their Standard Contractual Clauses ("SCCs") (standardised, pre-approved contractual clauses that allow exporters to transfer data to non-EU countries) and undertaking Transfer Impact Assessments will need to consider the DPC's decision carefully and identify how (if at all) they can differentiate their transfers.

Decision of the DPC

We have written extensively on the issues that have led to the DPC's pivotal decision. The DPC commenced an inquiry in September 2020 in relation to whether Meta Ireland (known as Facebook Ireland Limited at that time) was in breach of the GDPR as regards its EU-US data transfers. Meta has, to date, relied on SCCs as the basis to allow these transfers.

In 2022, the DPC issued a draft decision on the legality of this mechanism, finding that the SCCs relied on by Meta did not provide sufficient protection for EU data subjects and indicating it would require Meta Ireland to suspend its EU-US data flows.

However, consensus on the DPC's draft decision could not be reached with the other concerned EU supervisory authorities. The EDPB subsequently delivered a binding decision following the triggering of the Article 65 GDPR dispute resolution process. The decision issued yesterday by the DPC incorporates the findings of the EDPB.

In its decision, the DPC confirmed that the SCCs relied on by Meta Ireland do not ensure "essential equivalence", despite the addition of supplementary measures including organisational policies and procedures, encryption in transit and additional contractual protections, due to the access permitted to surveillance authorities under US law. This is the case despite recent amendments including via Executive Order 14086, partly because these amendments are not yet fully implemented. The DPC also concluded that no derogations were available to Meta.

Ultimately, the decision clearly emphasises that, if possible, the Orders are not intended to be permanent, but the Suspension and Cessation Orders will remain effective until those issues which gave rise to the infringement of Article 46 GDPR have been resolved. The decision accepts that "new measures, not currently in operation, may yet be capable of being developed and implemented by Meta Ireland and/or Meta US to compensate for the deficiencies" (para 9.46).

In relation to the fine and calculation of turnover, it is important to note that in this case, the "undertaking" concerned was deemed to be Meta Platforms, Inc (i.e. the entire group of Meta companies, not just Meta Ireland Limited).

EU-US Data Privacy Framework

The decision has been issued against the backdrop of ongoing discussions in respect of the proposed EU-US Data Privacy Framework. The adequacy process in relation to that Framework is well underway but has not been without its own controversy. The European Parliament recently adopted a non-binding opinion on the proposed Framework, setting out its criticism of the proposed mechanisms, despite acknowledging the efforts to create principles of equivalence with EU law. The prospect of judicial intervention by the Court of Justice would "lead [to] continuing lack of legal certainty, further costs and disruption for European citizens and businesses."

This climate of concern around a new adequacy decision will now be impacted by the decision of the DPC. Specific concerns around the level of protection offered by US law were clearly set out in the decision. Given the timescales for Meta Ireland to comply, the next few weeks will be crucial in making clear the direction of EU-US data transfers going forward.
