Last month I suspect Meta, the owner of Facebook, wished it lived in the ‘Metaverse’ as it was the subject of the largest ever GDPR fine of €1.2bn (£1bn) issued by Ireland’s Data Protection Commission (DPC). 

Ibrahim Hasan

Personal data transfers between the EU and US are an ongoing legal and political saga. The DPC ruled that Meta infringed Article 46 of the EU GDPR in the way it transferred personal data of its users from Europe to the US. The decision has far-reaching implications for all companies, big and small, as none can avoid transferring personal data abroad, especially to the US. Whether using an online meeting app, a cloud storage solution or a simple text messaging service, all often involve a transfer of personal data to the US.

Chapter 5 of the EU GDPR mirrors the international transfer arrangements of the UK GDPR. There is a general prohibition on organisations transferring personal data to a country outside the EU, unless they ensure that data subjects’ rights are protected. This means that, if there is no adequacy decision in respect of the receiving country, one of the safeguards set out in Article 46 must be built into the arrangement. The most commonly used safeguard is the use of standard contractual clauses (SCCs) included in a contract between the parties (data exporter and importer) which impose certain data protection obligations on both.

A 2020 European Court of Justice (ECJ) case commonly known as Schrems II concluded that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal mechanism to ensure GDPR compliance. They must consider using the Article 49 derogations or SCCs. If using the latter, whether for transfers to the US or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection and surveillance legislation, and to put in place ‘additional supplementary measures’ to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems II). Therefore any additional measures must address this possibility and build in safeguards to protect data subjects. This could include additional security as well as legal measures to safeguard the data and the rights of the data subjects.

In the light of the above, the new EU SCCs were published in June 2021. The European Data Protection Board (EDPB) has also published guidance on the aforementioned required assessment, entitled ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’. Meta’s use of the new EU SCCs and its ‘additional supplementary measures’ were the focus of the DPC’s attention when issuing its decision.

The DPC ruled that Meta infringed Article 46(1) when it continued to transfer personal data from the EU/EEA to the US following the ECJ’s ruling in Schrems II. It found that the measures used by Meta did not address the risks to the fundamental rights and freedoms of data subjects that were identified in Schrems II; namely the risk of access to the data by US law enforcement.

The DPC ruled that Meta should:

1. Suspend any future transfer of personal data to the US within five months of the date of the DPC’s decision;

2. Pay an administrative fine of €1.2bn; and

3. Bring its processing operations in line with the requirements of GDPR, within five months of the date of the DPC’s decision, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of GDPR.

In reaching its decision, the DPC reviewed Meta’s Transfer Impact Assessment and supplementary measures which were, to be fair, quite comprehensive. They included organisational measures (such as Disclosure Policy, Disproportionate Requests Policy and a People Security Policy); technical measures (such as an Information Security Program, industry standard encryption and the deployment of cryptographic protection of passwords); and legal measures (such as enforceable third-party rights for data subjects, processes for challenging requests received for disclosure of personal data and transparency reporting). However, according to the DPC, these are not enough as ‘ultimately, if the US government makes a request which falls within the scope of Section 702 FISA [Foreign Intelligence Surveillance Act, 1978], Meta US is required to disclose its users’ personal data’.

The worry for most companies now is: if Meta, with all the technical and legal resources at its disposal, cannot satisfy the DPC and other EU regulatory bodies (this decision was reached after consultation with EU regulators and the EDPB) about Article 46 compliance, what chance do they have?

Meta will appeal the decision and seek a stay of the ruling before the Irish courts.

The wider legal ramifications on data transfers from the UK to the US cannot be ignored. A new UK international data transfer agreement came into force on 21 March but it also requires a Transfer Risk Assessment as well as supplementary measures where privacy risks are identified. No doubt the Meta decision, though not legally binding in the UK, will influence how the supplementary measures of UK companies are assessed by the ICO.

All this begs a political solution; indeed one could be round the corner. On 25 March, the European Commission and the US announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. The final agreement is expected to be in place this summer and will replace the Privacy Shield Framework. It is expected that the UK government will strike a similar deal once the EU/US one is finalised. However, both are likely to be challenged in the courts by privacy advocates and consumer groups.

The Meta fine is one of this year’s major GDPR developments. All organisations, whether in the UK or EU, need to consider their data transfer mechanisms and ensure that they comply with Chapter 5 of the GDPR in the light of the DPC’s ruling.

Ibrahim Hasan is a solicitor and director of Act Now Training