What's the issue?
For ten years, Max Schrems has argued that Meta Ireland (previously Facebook) does not adequately protect personal data it sends from the EEA to the USA because it is subject to access by US law enforcement. As the ECJ struck down first Safe Harbor and then the Privacy Shield in what became known as the Schrems I and II decisions, Facebook moved to using Standard Contractual Clauses (SCCs) and supplementary measures for its transfers. A decision by the Irish Data Protection Commissioner on whether or not this was lawful went all the way through an Article 65 procedure, culminating in an EDPB decision which the Irish DPC is required to follow.
What's the development?
The decision of the Irish DPC has now been published. Its findings are that:
- In making the data transfers at issue, Meta infringes Article 46(1) GDPR, as the transfers are made in circumstances which fail to guarantee an essentially equivalent level of protection to that under the GDPR. Neither the SCCs Meta has used nor the supplementary measures it has put in place can compensate for this lack of protection, and Meta cannot rely on derogations from the prohibition on transfers.
- The data transfers must be suspended.
- Meta must bring its processing operations into compliance with the rules on data transfers by ceasing unlawful processing, including storage in the US of unlawfully transferred EEA personal data.
- Meta must pay a fine of €1.2bn.
What does this mean for you?
The DPC underlines that the decision only binds Meta but it "exposes a situation whereby any internet platform falling within the definition of an electronic communications provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA". However, the DPC notes that the CJEU upheld the validity of SCCs as a legal instrument while emphasising the need to undertake a case-by-case analysis to determine whether or not transfers are lawful. As a result, "it is not open to the DPC to make an order suspending or prohibiting transfers to the United States generally".
In other words, while this decision theoretically has wider application, in practice it only applies to Meta and it took ten years of litigation to reach this stage. Meta and others will now have high hopes that signing up to the imminent EU-US Data Privacy Framework will resolve the problems around data transfers. The Framework is likely to be agreed by the end of July, although NOYB (the organisation set up by Max Schrems) is hinting at further legal action in relation to it.
The DPC's decision does not take immediate effect. Meta has until 12 October 2023 before it needs to suspend transfers under the SCCs, and until 12 November to delete or return to the EU the personal data unlawfully transferred to the USA. The Irish DPC has reiterated that it does not agree with the decision the EDPB required it to take, and Meta has already confirmed it will appeal, which is likely to delay matters further. Meta has been reported as threatening to suspend its services in the EU altogether in the event of an adverse decision, something it has consistently denied. However, as NOYB notes, Meta has servers in the EU and may move to a position where the majority of its EEA data is hosted in the EEA, even if the new Data Privacy Framework is not implemented in time.
The decision does not apply in the UK, although the UK rules on data transfers mirror those under the EU GDPR, and we wait to see the ICO's response.