On 22 May 2023, the Irish Data Protection Commission (DPC) published its highly anticipated decision regarding the transfers of personal data to the U.S. by Meta Platforms Ireland (formerly known as Facebook Ireland). In addition to imposing a record fine of 1.2 billion Euros, the DPC prohibited any further transfers of data of Facebook users to the U.S. This article explores the implications of this decision for European companies.
Background to the decision
Nearly a decade ago, in June 2013, Austrian privacy activist Max Schrems lodged a complaint against Facebook Ireland (now Meta Platforms Ireland) with the DPC. In his complaint, he alleged that Facebook was unlawfully transferring data of its European users to the U.S. The basis for these allegations lay in the extensive powers of U.S. intelligence agencies under U.S. surveillance laws such as FISA 702, which were brought to light through Edward Snowden’s revelations.
Max Schrems had to go through multiple court proceedings during the course of this case, resulting in two preliminary references to the Court of Justice of the European Union (CJEU). The most recent one, known as Schrems II, is pivotal to the DPC’s current decision. In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield, which Meta had previously relied on to justify its data transfers to the U.S. Furthermore, the CJEU established stringent requirements for the use of Standard Contractual Clauses (SCCs) as an appropriate safeguard for data transfers to third countries.
Following the invalidation of the EU-U.S. Privacy Shield, Meta switched to using SCCs for its data transfers. In line with the Schrems II decision, Meta implemented supplemental measures aimed at protecting the data from access by U.S. intelligence agencies. The DPC’s decision primarily addressed the adequacy of these measures.
As Meta’s European headquarters are situated in Ireland, the Irish DPC led the proceedings. Since Meta’s processing operations also affect data subjects from all other member states of the European Economic Area (EEA), all EEA supervisory authorities were entitled to participate in the decision-making process. However, due to a lack of consensus, the European Data Protection Board (EDPB) ultimately issued a binding decision, instructing the DPC, among other things, to impose a fine. Initially, the DPC had intended to refrain from imposing a fine.
The DPC’s decision
The DPC’s decision solely concerns the transfers of data of Facebook users to the U.S. Other Meta products like WhatsApp and Instagram are not the subject matter of the decision.
In its decision, the DPC concluded that the supplemental measures adopted by Meta were inadequate to safeguard the data of European Facebook users against access by U.S. government authorities. The DPC acknowledged that encryption of data in transit could serve as an appropriate additional measure with regard to certain powers of U.S. authorities. However, when it came to intelligence powers under the PRISM program within FISA 702, encryption was deemed insufficient. FISA 702 grants U.S. intelligence agencies the right to demand that companies subject to the law hand over data. According to the DPC, none of the technical measures implemented by Meta provide sufficient protection against such requests.
Consequently, the DPC determined that after the transfer to the U.S., the data did not enjoy an equivalent level of data protection as it would in Europe. As a result, Meta was not allowed to rely on SCCs as the legal basis for data transfers. Therefore, the transfers occurred without a valid legal basis and hence violated Article 46(1) of the General Data Protection Regulation (GDPR). Additionally, the DPC found that Meta could also not rely on the exceptions under Article 49 GDPR.
Given the absence of appropriate safeguards, the DPC ordered Meta to suspend the transfers of data of Facebook users from the EEA to the U.S. within five months. This order pertains to future data transfers. For transfers that have already taken place, Meta was instructed to cease unlawful data processing, including storage, of data of Facebook users from the EEA in the U.S. within six months. Meta is free to determine how to implement this order. For instance, Meta could delete the data entirely or store it within the EEA, provided access by U.S. authorities is prevented.
Additionally, the DPC imposed a fine of 1.2 billion Euros on Meta, making it the largest fine ever issued under the GDPR. This surpasses the previous record set by the Luxembourg supervisory authority, which fined Amazon 746 million Euros in 2021.
What’s next for Meta?
Meta has already announced its intention to challenge the DPC’s decision through legal means. However, the likelihood of success is limited due to the stringent requirements set by the CJEU concerning third-country transfers, particularly to the U.S.
The ongoing process of granting adequacy status to U.S. companies certified under the EU-U.S. Data Privacy Framework is of greater significance to Meta. The European Commission is expected to issue a corresponding decision before autumn, i.e., prior to the expiration of the deadlines established by the DPC. If an adequacy status is granted, Meta would not need to alter its processing practices and could rely on the adequacy decision instead of SCCs for data transfers. This would ensure GDPR compliance of transfers to the U.S., at least as long as any new EU-U.S. Data Privacy Framework remains in effect.
However, an adequacy decision would only apply to future transfers and would not affect the unlawful processing that occurred in the past. Therefore, it is unlikely that the fine will be overturned through legal proceedings.
Data protection assessment
Although the DPC’s decision only directly applies to Meta, it holds significant implications for other companies as well. It is particularly relevant for companies that maintain a company profile on Facebook and are therefore joint controllers for the data processing with Meta. Such companies may be held liable for the unlawful data transfers since they significantly co-determine the data processing.
While the DPC’s decision is legally binding only for Meta, the DPC emphasised that the same conclusions could apply to any internet platform classified as an electronic communications service provider under FISA 702. Consequently, their data transfers to the U.S. could also violate the provisions of Chapter V of the GDPR and the Charter of Fundamental Rights of the European Union.
Companies are well advised to check which U.S. service providers they use and assess whether transfers associated with their usage are GDPR compliant. This highlights the importance of conducting a thorough Transfer Impact Assessment (TIA) rather than treating it as a mere formality.
The fact that all EEA supervisory authorities agreed on imposing a fine for unlawful data transfers demonstrates their willingness to take action against such transfers. Although the focus is currently on the U.S., similar decisions could potentially impact data transfers to other unsafe third countries. Meta’s substantial fine also indicates that five years after the GDPR came into force, supervisory authorities are now willing to impose significant fines.
The DPC’s decision is a significant milestone, but it does not signify the conclusive resolution of the underlying legal dispute. The decision is likely to undergo judicial review in Irish courts and ultimately reach the CJEU, meaning that a final decision may take several years.
The issues highlighted in the DPC’s landmark decision are complex and cannot be resolved by a single company alone. Achieving a long-term solution will require political action. The adequacy decision for the U.S. could serve as an initial step in this direction. However, it is highly probable that this decision will also be subject to review by the CJEU, and it is uncertain whether it will be upheld by the latter. Ultimately, a modification of U.S. surveillance laws might be necessary to establish a long-term and legally secure solution.
In the meantime, companies should assess their third-country transfers for GDPR compliance. This includes, if not conducted already, carrying out a Transfer Impact Assessment. If a company determines that the data is inadequately protected in the destination country, it must refrain from transferring the data.