Irish Data Protection Commissioner imposes a €1.2 billion fine on Meta Ireland

On 22 May 2023, the Irish Data Protection Commissioner (DPC) issued a record GDPR fine of €1.2 billion against Meta Ireland (Meta), surpassing the previous record of €746 million imposed on Amazon in 2021. The much-anticipated fine followed a binding decision issued by the European Data Protection Board (EDPB) in April 2023 under the GDPR's Article 65 dispute-resolution procedure. The decision is a cautionary example for many organisations, and its timing was striking: it was announced only days before GDPR, a privacy regulation that continues to set the global standard, marked its fifth anniversary on 25 May 2023. 

Context 

‘We are happy to see this decision after ten years of litigation,’ Max Schrems notes in the article on NOYB reporting on the fine. Here, in a sentence, is implied the political history that preceded, and arguably led to, the current decision.
 
As you might recall, a decisive rupture in EU-US data flows appeared at the time of the Snowden revelations in 2013, which brought to light US intelligence activities. This inspired Max Schrems (then a law student) to challenge the lawfulness of Facebook's personal data transfers to the US. In the ten years that followed the disclosures, two successive EU-US data-flow frameworks were invalidated by the Court of Justice of the European Union (CJEU): Safe Harbour in 2015 and Privacy Shield in 2020 (these judgments are more commonly known as Schrems I and Schrems II respectively). After multi-year negotiations, a new EU-US Data Privacy Framework is now in place, allowing personal data to flow to US organisations that have certified under it without the need for a separate transfer tool. 

Overview 

The binding decision made four key findings:
  1. US law does not provide a level of protection that is essentially equivalent to that provided by EU law;   
  2. Neither the 2010 EU Standard Contractual Clauses (SCCs) nor the 2021 SCCs can compensate for the inadequate protection provided by US law;    
  3. Meta Ireland does not have in place supplemental measures which compensate for the inadequate protection provided by US law; and,   
  4. It is not open to Meta Ireland to rely on the derogations provided for in GDPR Article 49(1) when making the data transfers.
Schrems II is particularly relevant to this case as it made important clarifications with respect to the international data transfer mechanisms under GDPR. The key misgivings of the CJEU with respect to the US data transfers were the absence of necessity and proportionality limitations in the country as well as a lack of an effective judicial redress mechanism for data subjects. The first finding is thus an expected one as the absence of essential equivalence was the foundation for the court’s judgment.

Before Schrems II, in the absence of an adequacy decision, organisations would typically rely on Article 46 safeguards to justify their international data transfers (e.g., ‘SCCs’), noting that previously, organisations relied on the 2010 SCCs, which were updated in 2021 (the deadline for transitioning to the updated SCCs expired on 27 December 2022). The recent decision touched on both sets of tools and found that neither the 2010 nor the 2021 SCCs can compensate for the deficiencies in the protections provided by US law. 

The above finding echoes Schrems II, where the court stated that, while SCCs remain valid tools, relying on them alone is insufficient to safeguard personal data and case-by-case assessments are necessary. This brings us to transfer impact assessments ('TIAs'), or transfer risk assessments ('TRAs') as they are referred to across the English Channel. TIAs are additional steps that, in the CJEU's view, must accompany the safeguards set out in Article 46 of GDPR, which include SCCs. In essence, a TIA requires the organisation to assess each transfer scenario thoroughly, understand the associated risks (in particular, the risk of public-authority access to the data in the destination country) and, where necessary, implement supplementary measures. These can take many forms, from contractual to organisational and technical measures (e.g., encryption where the importer does not hold the key). Depending on the facts, a transfer tool such as SCCs, together with a TIA and, where necessary, supplementary measures, may together compensate for the inadequate protections of the target jurisdiction. However, the DPC found that the measures implemented by Meta as part of its TIA fell short and failed to 'compensate for the inadequate protection provided by US law'. In other words, Meta could not rely on the combination of SCCs and a TIA to transfer data lawfully to the US. 

Where Article 46 fails, organisations sometimes look to Article 49 of GDPR, which provides derogations to international data transfer rules. However, these are, as the name suggests, derogations and should be relied upon in strictly exceptional cases as set out in the article. Indeed, the DPC stated in its order that Meta is not entitled to rely on the derogations in Article 49(1) for its data transfers. It has been established that ‘the derogations cannot be relied upon for systematic and massive transfers and have to be strictly construed.’ 

In essence, the decision left Meta without any fall-back option to validate its international data transfers. The only logical next step was for the DPC to order Meta to suspend those transfers, which it did. Interestingly, in the binding decision, the EDPB considered that 'a suspension order alone would not be enough to produce the specific deterrence effect necessary to discourage Meta Ireland from continuing or committing again the same infringement.'

In light of the above, the DPC made three orders:
  1. requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months;
  2. imposing an administrative fine for the amount of €1.2 billion; and
  3. requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR within six months.
The decision came at an interesting point in time when the EU-US adequacy decision appeared to be a possibility albeit not necessarily an immediately forthcoming one. In the absence of such a decision, Meta would have had to change its processing operations fundamentally and potentially suspend all data transfers in the months following the Irish DPC’s orders. However, this much-anticipated adequacy decision did materialise shortly after, in July, providing what likely was a huge relief not only for Meta but also for other organisations with similar transfer arrangements with the US. For more information on the EU-US adequacy decision as well as the recent UK-US Data Bridge, please read this article

What’s next?

The broader impact of the DPC's decision cannot be overstated. As with any cautionary tale, there are lessons to be learned by those watching it unfold from afar. Even with the EU-US Data Privacy Framework ('DPF') now in place, international transfers will continue to attract close scrutiny by supervisory authorities, especially given that the list of 'adequate' jurisdictions where data can flow freely is quite limited. It is also worth noting that, while the DPF provides much-needed relief for some organisations, it only covers transfers to US recipients/importers that have self-certified under it; transfers to non-certified US importers still require a transfer tool. 

For certain organisations, the Meta decision may mean immediate action to avoid being the next one to be in the crosshairs of their supervisory authorities. Whether this will have wider effects on the data flows from the EU to non-adequate jurisdictions, remains to be seen. 
 

What should UK organisations do to comply with international data transfer rules?

For most organisations, including those in the UK, the recent decision is a reminder of the importance of compliance with international data transfer rules. Below we have put together questions organisations can ask themselves to check whether they comply with these rules. However, as mentioned above, if you’d like to read more on UK-US data flows, please read this article.

1. Are you carrying out an international data transfer?

If you’re unsure about whether you’re carrying out an international data transfer, consider asking yourself the following questions:
  • Does the UK GDPR apply to the processing of the personal data being transferred?
  • Are you sending personal data, or making it accessible, to a receiver located in a country outside the UK?
  • Is the receiver a separate controller or a processor and a legally distinct entity from you (i.e., not a branch)?
If you’d like to read more on what qualifies as a restricted transfer under the UK and EU regimes, take a look at this article.

2. If you’re carrying out an international data transfer, are you sure you are complying with the transfer rules under UK GDPR?

Personal data can be transferred to third countries through one of the routes available under the UK GDPR. Consider asking yourself the following questions:
  • Is the country or territory recognised as an adequate jurisdiction by the UK? If yes, no further transfer-specific steps are needed and the transfer can go ahead (the rest of the UK GDPR still applies to the processing).
  • If the country or territory is not recognised as adequate, have you put in place the relevant transfer tool under Article 46 of UK GDPR (e.g., the UK’s International Data Transfer Agreement or a combination of the EU’s Standard Contractual Clauses and the UK Addendum)? 
  • If you're relying on a transfer tool under Article 46 of UK GDPR, have you carried out a transfer risk assessment? This is a mandatory requirement: organisations in the UK must carry out a transfer risk assessment to accompany the transfer tool. The assessment may, in some cases, require you to implement supplementary measures (if you'd like to read more on TRAs, please see this article). Organisations whose transferred data would be exposed to the risk of surveillance or potential access orders from the governments of the importer's jurisdiction may find that these tools alone are insufficient to compensate for inadequate protections in the destination country.
  • If you are not relying on one of the transfer tools under Article 46 of UK GDPR, can you use one of the available exemptions under Article 49? If an Article 49 exemption appears to apply, remember that the exemptions can only be relied on in very limited circumstances and cannot typically be used for regular or repeated transfers.
If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
