The highlights are, of course, the:
- size of the fine: at €1.2 billion, it is the largest GDPR fine to date; and
- ban on transfers: the IDPC's order requires Facebook to no longer transfer data out of the EU.
Whilst Facebook has already confirmed that it will appeal, it is the latter point (and its implications for other companies) that will no doubt be the most shocking and concerning issue for the privacy community and for our clients.
As we wrote in our blog following the Court of Justice of the European Union's ("CJEU") judgement in the Schrems II case, which of course is a key event leading to yesterday's decision, the first thing we would say is: Don't panic!!!
As was the case following that judgement, data flows will continue, and can continue, not least because the decision is addressed only to Meta – as the IDPC themselves emphasise – and even Meta have five months before the order becomes effective.
We have set out below the key facts and takeaways from yesterday's breaking news. At the bottom of this blog is a link to our webinar on Thursday 25th May at 4pm BST in which we explain the key practical implications for organisations arising from the order.
Recap: How did we get here?
At the bottom of this blog is a short summary of the history of this dispute, from Schrems I, to Schrems II, and to the EDPB's Recommendations.
Yesterday's order is the culmination of that story. It is unlikely however to be the final chapter, even for Meta.
What did the IDPC order say?
Meta has been ordered to:
- pay an administrative fine of €1.2 billion;
- suspend any future transfer of personal data to the US within five months of the date of notification of the DPC's decision to Meta Ireland; and
- bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months of the date of notification of the DPC's decision to Meta Ireland.
What happens next?
As mentioned, Meta has confirmed it will appeal. This may then result in a further passage through the Irish courts at least, if not to the CJEU.
One possible emergency step is to have the order suspended pending the exhaustion of the court process – and Meta has confirmed this will be done.
What about the Trans-Atlantic Data Privacy Framework?
In the wake of the Schrems II decision, in particular the part that invalidated Privacy Shield, the EU and the US have been negotiating an alternative mechanism for transfers – the Trans-Atlantic Data Privacy Framework (the "Framework").
The expectation is that the Framework will likely be available for Meta and others at some point during summer 2023 - and perhaps there is even more reason to think this will be the case following added pressure on the European Commission after this decision.
The European Commission has penned a draft adequacy determination on the Framework and the US made changes to its law through an Executive Order issued by President Biden in October 2022 – see our blog.
Both the EDPB and the European Parliament have published non-binding views on this draft adequacy determination. Whilst both these bodies have criticised the Framework, most commentators are optimistic that the concerns raised can be resolved without too much difficulty.
The political pressure on now getting this adopted will be immense.
Once approved, many US recipients of data will no doubt sign up to it – as they did to Privacy Shield. Challenges can of course then be expected.
What does this mean for other companies who rely on Standard Contractual Clauses ("SCCs") to transfer data?
The Schrems II judgement required that each exporter assess the laws of the destination country to ensure that use of the SCCs properly protects the data transferred in that context. Yesterday's decision does not change this.
It is however fair to say that the IDPC did find insufficient the "supplementary measures" that Meta had adopted, and many of these measures are those also put in place by other exporters.
Although addressed to Meta, the decision is also intended to act as a deterrent to other exporters.
What did the IDPC say about Meta's "supplementary measures"?
Meta did try to put forward an argument that supplementary measures should only need to "address" or "mitigate" the deficiencies in US law. The IDPC disagreed and stated that controllers need to put in place supplementary measures which "compensate" for any deficiencies.
Here, the IDPC found that Meta's supplementary measures (including encryption in transit, transparency regarding requests and various access policies/procedures – see Annex 4 of the decision for a complete list) did not compensate for the deficiencies in US law. Ultimately, if the US Government makes a request within the scope of Section 702 FISA, Meta US is required to disclose its users’ personal data.
Particularly on the point of transparency, the IDPC noted that whilst Meta are transparent regarding government requests for user data, transparency about the fact that data rights are infringed does not actually remedy the relevant infringements.
These are points that will apply equally to many transfers – especially those which are to US recipients within scope of Section 702 of FISA.
Although the Meta supplementary measures were found not to be sufficient, the IDPC has not gone so far as to say that no effective supplementary measures would have been possible.
The passages on these measures will require careful reading.
What about the UK?
This is an application of the judgement in Schrems II (which in turn is a ruling on the proper meaning of Article 46 of GDPR) – and Schrems II is binding in the UK as it was handed down during the Brexit transitional period. Moreover, the UK GDPR is substantively the same as the EU GDPR in this respect. Whether this has any consequences for UK exporters of data remains to be seen, but there must be a (theoretical) possibility that the ICO could follow suit in similar situations. Nonetheless, we have already seen that the ICO's approach to undertaking transfer risk assessments is more "risk-based" than the EU's – see our blog. So even leaving aside the possibility that the UK will itself adopt a similar arrangement to the Framework (the latter not being relevant to a post-Brexit UK), it is hard to imagine that the ICO would in fact take the same approach as the IDPC has done – and the ICO has no EDPB to be accountable to.
As the IDPC points out in the penultimate paragraph of the order: the decision binds Meta only. It was simply not open to the IDPC to make an order suspending or prohibiting transfers to the United States generally. That said, the IDPC does point out that
"the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the [transfer rules]."
But the IDPC also points out that the CJEU (in Schrems II)
"upheld the validity of the SCCs as a legal instrument, emphasising the need to undertake a case-by-case assessment to determine whether, in any given case, data transfers to a third country conducted under their terms are lawful or not."
It will take time for the dust to settle but our initial key takeaways are as follows:
- For all companies other than Meta, we emphasise that nothing really changes for now: this is the outcome of one regulator's investigation into one exporter. The legal regime was clarified in Schrems II in 2020 and regulatory guidance that followed. This is an application of those clarifications and guidance.
- Some will say that this is the "canary in the mine" – and that may well be right, but it is the first major enforcement of the Schrems II judgement in almost three years (there have been some relatively minor cases on Google Analytics and similar).
- Exporters which have not yet undertaken a proper "transfer impact assessment" (TIA) (or "transfer risk assessments" (TRA) as the ICO names them) may well be advised to do so as regulators could accelerate their enquiries in the wake of this decision.
- Other than that, those still concerned could keep a close eye on the Trans-Atlantic Data Privacy Framework (importers should consider signing up). Even if not formally adopted yet as "adequate", it is likely to be available soon. If this is in place, then neither a TIA nor a TRA will be needed. There is a massive political need to fix the problem and we can expect urgent attention from both the EU and the US in getting the Framework over the line.
With that in mind, please do join a Fieldfisher webinar on Thursday 25th May at 4pm BST in which we explain the key practical implications for organisations arising from the order.
Appendix - a (short) recap of the story so far.
As is well known, Max Schrems, in 2013, filed a complaint with the IDPC requesting Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that his personal data was not properly protected there. The IDPC's refusal to do so (on the grounds of Safe Harbor being in place) was challenged in the courts by Mr Schrems. In October 2015, the Safe Harbor mechanism was declared invalid by the CJEU (Schrems I).
Meta commenced reliance on SCCs. Mr Schrems then reformulated a complaint later that year and asked the IDPC to prevent a transfer on the ground that the SCCs did not properly protect the data.
In May 2016, the IDPC published a draft decision summarising the provisional finding that the personal data of EU citizens transferred to the United States were likely to be consulted and processed by the US authorities in a manner incompatible with EU standards and that, indeed, the SCCs did not remedy that defect. The IDPC therefore started a case before the Irish High Court which was then referred to the CJEU (Schrems II).
In July 2020, the CJEU then declared the Privacy Shield invalid but found that the SCCs could provide protection for data if there were sufficient additional measures and a risk assessment had been undertaken. (This of course has been a major concern for privacy professionals for the last three years.)
Following the judgment in Schrems II, the IDPC decided to commence an "own volition" inquiry into Meta's transfers of personal data and issued a "Preliminary Draft Decision" ("PDD") to Meta on 28th August 2020. The DPC prepared a draft decision dated 6 July 2022, which was then submitted to all other EU/EEA supervisory authorities under the Article 60 GDPR cooperation procedure. Four of the 27 other concerned supervisory authorities raised objections relating to the DPC's planned corrective measures. After consensus could not be reached, the DPC referred the objections to the European Data Protection Board ("EDPB") for determination. The DPC then issued its final decision on 12 May 2023, adapting it to be consistent with the EDPB's decision of 13 April 2023.