Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined the Irish subsidiary of Meta, Meta Platforms Ireland Limited (Meta Ireland), €1.2 billion (US$1.3 billion), the highest GDPR fine levied since 2018.
Further to the DPC decision (Decision), and in addition to paying the record fine, Meta will need to:
- Suspend any future transfers of personal data to the United States within five months from the date of notification of the decision to Meta Ireland; and
- Ensure the compliance of its data processing operations by ceasing the unlawful processing, including storage, in the United States of personal data of its users in the European Economic Area (EEA), transferred without sufficient safeguards, within six months from the date of notification of the DPC’s decision to Meta Ireland.
The core of the grievances relates to a decade-long (and ongoing) crusade initiated by privacy and data rights activist Maximilian Schrems and the data protection association he founded, None of Your Business (NOYB). The crusade started in 2013, with a first step resulting in a resounding cancelation of the Safe Harbor Framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 case of Schrems I (see our alert). That was followed by action against the Safe Harbor’s successor, the Privacy Shield Framework, leading to the same result in 2020 in the case of Schrems II (see our alerts here, here, and here).
The European Commission is currently assessing a potential successor to the Safe Harbor and the Privacy Shield. As such, all eyes turned to the DPC, and in particular its analysis of Meta’s internal framework for the transfer of personal data from its European users to its headquarters and services providers in the United States.
In the absence of a catch-all framework such as the Safe Harbor or the Privacy Shield, Meta instead relied on a specific contractual framework, the Standard Contractual Clauses (SCC) published by the European Commission. This framework, which pre-dates GDPR, was recently revised in response to Schrems II (see above and our alert; the deadline to transition to the revised SCC was 27 December 2022).
The new SCC generally addressed the concerns raised in Schrems II: the potential access by US intelligence agencies to personal data transferred to the United States, and the absence, around such access, of a level of data protection equivalent to the one that must be guaranteed end-to-end under GDPR.
The key takeaways from the decision:
Additional Technical and Organizational Measures (TOMs) May Not Reach the Standards Expected Under GDPR
Since Schrems II, TOMs have become the cornerstone of international data transfers under GDPR. The TOMs form a mandatory part of the SCC (Annex II), whether the party is exporting personal data outside the EEA or importing personal data from the EEA. The parties must detail all facets of the measures they implement to safeguard, at all times, the confidentiality and integrity of the transferred personal data. Such TOMs must be tailored to the risks presented in the importing jurisdiction, especially those posed by surveillance agencies. In that regard, it has become customary for exporting companies to document each transfer with a Transfer Impact Assessment (TIA). The greater the risk of compelled production under the importer’s applicable law, the more thorough the TOMs are expected to be. In its decision, the DPC reviewed both Meta’s TIA and TOMs and concluded that they did not provide “essential equivalence” with GDPR and were insufficient, considering that “Ultimately, if the US Government makes a request which falls within the scope of Section 702 FISA, Meta US is required to disclose its users’ personal data.” (Decision, Section 7.193, p. 98). The TOMs found insufficient notably included:
Technical Measures
A comprehensive information security program, industry-standard encryption algorithms and protocols (such as transport layer security (TLS) and the advanced encryption standard (AES)), shared infrastructure between Meta US and Meta Ireland, asset management controls, arrangements for the management of Facebook employee mobile devices, implementation of encryption on all company laptops, deployment of cryptographic protection of passwords, and third-party security policies, among many other technical measures;
Organisational Measures
Disclosure Policy, Disproportionate Requests Policy, Notification Policy, Data Access Policy, Law Enforcement Guidelines, biannual Facebook Transparency Reports, Data Sharing Policies, and a People Security Policy;
Legal Measures
Enforceable third-party rights for data subjects under the SCC, processes for challenging requests received for disclosure of personal data that Meta US believes to be unlawful, lobbying to change laws and advocating for its users’ rights, and transparency reporting.
Considering that Meta has been in the eye of the storm for over a decade and the close scrutiny it has been subject to, one may wonder whether any TOMs and TIA could ever have been sufficient to permit it to transfer personal data to the United States. The only apparent possibilities would be to transfer only anonymized data (which would no longer be subject to GDPR) or, according to a recent EU decision (General Court of the European Union, Case T-557/20, SRB v EDPS, 26 April 2023), to transfer pseudonymized or encrypted data, provided that the encryption is performed prior to the transfer and the importer has no possibility, legal or otherwise, of accessing the encryption key.
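The condition just described (pseudonymization applied in the EEA before export, with the key and any re-identification table kept out of the importer’s reach) can be illustrated in code. The following is an added example written for this alert, not code from Meta, the DPC, or any of the cited decisions; the records, the class name ExporterPseudonymiser and the helper functions are hypothetical, and the keyed HMAC construction is one common way of producing such pseudonyms, not a method the decision prescribes.

```python
"""Added illustration (hypothetical code): pseudonymise direct identifiers inside
the EEA before export, keeping the secret key and the re-identification table with
the exporter only, so the importer receives nothing it can reverse on its own."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (fictional users), as held by the EEA exporter.
EEA_RECORDS: List[dict] = [
    {"email": "alice@example.eu", "country": "IE", "events": 12},
    {"email": "bob@example.de", "country": "DE", "events": 3},
]


class ExporterPseudonymiser:
    """Runs only on the exporter's side, inside the EEA.

    Pseudonyms are HMAC-SHA256 tags over the direct identifier. Recovering the
    identifier requires either the secret key or the lookup table, and neither
    is part of what gets transferred."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh random key unless one is supplied (e.g. from an EEA-hosted KMS).
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # pseudonym -> identifier, exporter-only

    def pseudonym(self, identifier: str) -> str:
        tag = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[tag] = identifier
        return tag

    def export_record(self, record: dict) -> dict:
        """Return the record the importer receives: the e-mail is replaced by a pseudonym."""
        out = dict(record)
        out["user"] = self.pseudonym(out.pop("email"))
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Re-identification is possible only here, where the table lives."""
        return self._lookup.get(pseudonym)


def exported_contains_direct_identifier(exported: List[dict], identifiers: List[str]) -> bool:
    """Pre-shipping check: does the outbound payload still carry any known direct identifier?"""
    blob = repr(exported)
    return any(ident in blob for ident in identifiers)


def importer_can_link(exported_record: dict, candidate_email: str) -> bool:
    """What an importer holding a candidate e-mail but no key could do: compute an
    unkeyed hash and compare. With keyed pseudonyms this never matches, which is
    the property the 'importer has no access to the key' condition relies on."""
    unkeyed = hashlib.sha256(candidate_email.encode("utf-8")).hexdigest()
    return hmac.compare_digest(unkeyed, exported_record["user"])


if __name__ == "__main__":
    exporter = ExporterPseudonymiser()
    shipped = [exporter.export_record(r) for r in EEA_RECORDS]
    print("exported payload:", shipped)
    print("direct identifiers present:",
          exported_contains_direct_identifier(shipped, [r["email"] for r in EEA_RECORDS]))
    print("exporter re-identifies first record:", exporter.reidentify(shipped[0]["user"]))
    print("importer links without key:", importer_can_link(shipped[0], "alice@example.eu"))
```

The design point is where the state lives: the key and the lookup table stay with the exporter, so the transferred payload is pseudonymous for the importer regardless of any disclosure request it receives. Whether a given dataset then still counts as personal data in the importer’s hands is the legal question the cited case turns on, not something the code settles.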
Meta quickly announced its intention to appeal the DPC decision and to seek a stay of the order, noting that the transfer of data across borders is “fundamental” to a global Internet.
The Equivalence of Protection of Personal Data in the Importer’s Country is Held to a Performance Undertaking Standard
Meta considered that its TOMs, in view of their TIA, were sufficient to “address, compensate for, or mitigate any inadequacies in the protection afforded by US law and practice” in respect of the considered data transfers (Decision, Section 7.25 et seq., p. 62). For the DPC, the addition of the two highlighted standards to those required under Recital 108 GDPR was not acceptable, as it would necessarily lead to a lesser standard of assessment. It is therefore incumbent upon the data exporters subject to GDPR to compensate for any and all shortcomings of the data importer’s regulatory framework and surveillance practices.
Derogations for Specific Situations Under Art. 49 GDPR May Remain a Viable Option, Albeit a Fairly Limited One
As a subsidiary defence, Meta argued that, should the new SCC and their TOMs be considered inadequate, it could fall back on the few exceptions to the adequacy or appropriate-safeguard requirements. Much to the relief of the many entities that rely on such derogations (in a legitimate and limited way), the DPC did not invalidate them. However, it restated the long-standing approach of the EEA regulators (see EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25 May 2018): like all exceptions, the derogations under Art. 49 GDPR must remain sporadic and cannot be relied upon to justify regular and systematic transfers as part of the ordinary conduct of business (Decision, Section 8.47 et seq., p. 111). Sporadic reliance on a derogation effectively minimizes the exposure of data subjects protected under GDPR to surveillance measures, whereas routine transfers would not.
Counterbalance to 702 FISA and PRISM is Still Needed
In the face of all the measures taken by Meta, recognized even by the DPC as “bona fide attempts to mitigate the deficiencies identified in US law,” it still was not enough. Ultimately, those measures still do not provide “essentially equivalent protection” for personal data to that available under EU law against US government access via Section 702 FISA DOWNSTREAM (PRISM) requests. The reality remains that a US company cannot fully escape its obligations to the US government, and change will need to come from the government itself. Fortunately, there is the possibility of progress in that regard.
There is Still Hope for Data Transfers to the United States
In October 2022, US President Biden signed Executive Order 14086, which sets forth additional safeguards for US signals intelligence activities. The safeguards are designed to protect the privacy of individuals and, more specifically, to address the concerns raised by Schrems II. They include a required determination that an intelligence activity furthers an intelligence priority, that any such activity is conducted in pursuit of one of twelve legitimate objectives, and that it is carried out in a manner proportionate to the priority as weighed against the risk to privacy rights. EO 14086 sets forth detailed restrictions on intelligence activities as well as mechanisms for checks and balances, including a means for individuals to claim that their personal data has been collected unlawfully. The European Commission is taking EO 14086 into consideration as part of its analysis of the adequacy of data transfers to the United States under the potential new EU-US Data Privacy Framework.