Today, Facebook’s parent company, Meta Platforms, was fined €1.2 billion – the highest fine under GDPR to date – along with being ordered to suspend EU-US data transfers. But this case isn’t just about a big fine – there are potential shock waves for any business transferring data from the EU to the US.
What are the legal substance and process issues?
The Irish regulator, the Data Protection Commission (the DPC), has ruled that Meta Ireland infringed GDPR Article 46(1) when it continued to transfer personal data from the EU/EEA to the USA following the European Court of Justice’s (ECJ) July 2020 Schrems judgment (which we wrote about here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/).
According to the DPC, Meta Ireland made those transfers on the basis of the updated EU Standard Contractual Clauses (EU SCCs) adopted by the European Commission in 2021, in conjunction with additional supplementary measures implemented by Meta Ireland. But the DPC found that those measures did not address the risks to the fundamental rights and freedoms of data subjects identified by the ECJ in its judgment. We’ve written about the 2021 EU SCCs here: https://www.corderycompliance.com/eu-new-sccs-for-idts/ and about the EU FAQs on them here: https://www.corderycompliance.com/eu-faqs-sc/.
What did the DPC decide?
Under the EU GDPR cooperation procedure, the DPC’s draft decision was submitted for review by the other EU data protection regulators. Whilst these regulators agreed with the EU GDPR non-compliance finding and the proposal to order suspension of the data transfers, they raised differing views and objections on some issues. Because the DPC disagreed with these objections, the European Data Protection Board (“the EDPB”) had to broker a solution under the EU GDPR dispute resolution mechanism.
Following the EDPB’s decision, the DPC ruled that Meta Ireland:
- Has to suspend any future transfer of personal data to the US within five months of the date of notification of the DPC’s decision to Meta Ireland;
- Is subject to an administrative fine of €1.2 billion; and,
- Must bring its processing operations into compliance with EU GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of EU GDPR, within six months following the date of notification of the DPC’s decision to Meta Ireland.
As the orders stand, Meta will have to change its data protection processes and either delete a whole tranche of data it sent from the EU to the US after the collapse of Privacy Shield in 2020 or transfer it all back to servers in the EU. This could be hard to do. It may also cause issues for some of Meta’s advertisers if they are still using this data to target their ads.
Meta has said that it will appeal this matter, and also seek a stay of the ruling, before the Irish courts. Meta’s President of Global Affairs Sir Nick Clegg and Chief Legal Officer Jennifer Newstead described the fine as “unjustified and unnecessary… This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US”.
We can expect more complaints against other organisations too: if Meta was not entitled to use SCCs, did any organisation do much better? If not, similar orders may be made against them.
What was the reaction of Max Schrems?
Max Schrems and his pressure group NOYB have said that the ruling is the culmination of 10 years of work and 3 court procedures. He said:
“For ten years Meta has not taken any material precaution, but simply ignored the European Court of Justice and the European Data Protection Board. Now Meta does not only have to pay a record fine, but also return all personal data to its EU data centers.”
Schrems has also said that he thinks Meta’s prospects on appeal are low:
“Meta will appeal this decision, but there is no real chance to have this decision materially overturned. Past violations cannot be overcome by a new EU-US deal. Meta can at best delay the payment of the fine for a bit.”
What are the takeaways?
This is undoubtedly one of this year’s major decisions, not just for the level of the fine but also for its potential impact on data transfers for all organisations. What are the immediate takeaways?
- The proposed EU-US Data Privacy Framework (“DPF”) is expected to be in place sometime in summer 2023. The question is whether this will be the solution for future EU-US data transfers, i.e. for all organisations, including Meta. According to the European Commission, it may be. But, as we’ve said before, we’re not convinced. Bear in mind that organisations will have to sign up to the DPF in order to be covered by it, and it is very likely that the DPF will be subject to a legal challenge.
- As for reliance on the EU SCCs, organisations should not be complacent. It is important to remember that the way in which the SCCs were implemented by Meta Ireland, notably the “additional supplementary measures”, led the DPC to conclude “that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [European Court]”. As will be recalled, in order to rely on the EU SCCs, organisations must undertake a data transfer risk assessment, and any concerns arising from that exercise must be addressed by supplementary measures on top of the EU SCCs. Organisations relying on EU SCCs may wish to make sure that they are doing their homework when undertaking their data transfer risk assessments and adopting any supplementary measures. Documenting this exercise will also be important in case a regulator or pressure group knocks on the door.
- Civil actions could follow. By way of pure speculation at this stage, one issue that may arise is whether disaffected individuals choose to bring legal action against Meta seeking compensation; we have written in general about compensation and data protection claims here: https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/. Some actions are already in the pipeline, and more may follow. Pressure groups are closely following a change to class action rules which may help with these claims in the future. We have written about these changes here: https://www.corderycompliance.com/eu-class-action-faqs/.
- Whilst this ruling concerns the EU and, post-Brexit, not the UK as such, wider legal ramifications for data transfers from the UK to the US can’t be excluded; we’ve written about UK data transfer risk assessments here: https://www.corderycompliance.com/ico-dtragt-01/.
- The days of EU harmony between data protection regulators are over. In our alert in January about another Meta fine (here https://www.corderycompliance.com/ireland-fines-meta-fb-insta-3/) we talked about a brewing storm between the EDPB, the DPC and some other data protection regulators. It is clear that this storm is now upon us. This may also have serious ramifications for any organisation relying on the so-called GDPR one-stop-shop.
- Fines of this level attract attention. Expect board members and investors to ask more questions. We’re also seeing auditors more engaged in looking at data protection issues. As the level of fines keeps rising, public companies especially will need to be able to evidence their compliance.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
See our article about the EU Data Protection Regulator Report on Data Transfers here: https://www.corderycompliance.com/eu-dpa-rr-0423-04-5/.
The Irish regulator’s decision can be found here: https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en, and the European Data Protection Board’s decision can be found here: https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-12023-dispute-submitted_en.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365