The impact of this decision by the Irish regulator may be far more widely felt in the future because, despite only Meta being targeted, a large number of companies rely on the standard contractual clauses (SCCs), as set out by the EU Commission Decisions in 2010 and 2021, to transfer data outside of the EU, much of it to the US.
Article 1 of each of the 2010 and 2021 Decisions states that “[t]he standard contractual clauses set out in the Annex are considered to provide appropriate safeguards” for the protection of privacy and the transfer of data in compliance with GDPR. But the DPC decision in the Meta case in effect suggests that such data transfers can constitute an infringement of GDPR Article 46(1) even where SCCs and additional mitigation measures are used to effect the data transfer.
Reliance on the SCCs in good faith was a defence that was sufficiently persuasive to convince the DPC not to levy an administrative fine against Meta in its initial decision. That draft decision was overruled by the European Data Protection Board (EDPB) following disagreement with the DPC’s approach by four of the 47 concerned supervisory authorities (CSAs) consulted. According to Meta, the EDPB decision is “flawed, unjustified and sets a dangerous precedent” while raising “serious questions about a regulatory process” that does not allow “the company in question to be heard.”
Heart of the matter
At the heart of this matter is a footnote to Clause 5 of the 2010 decision, which, along with Clause 4, requires the data exporter and importer to ensure that compliance with the standard contractual clauses is possible in the destination country for the data. The footnote requires the data exporter and importer, when making a determination on the possibility of compliance, to satisfy themselves that the “[m]andatory requirements of the national legislation applicable do not go beyond what is necessary in a democratic society” to safeguard national security, defence and public security, etc. In the Schrems II decision the CJEU held that compliance with a requirement that “goes beyond what is necessary for those purposes must be treated as a breach of those clauses”.
In this instance, fatal to the Meta case was a purported absence of limitations on the powers conferred by the Foreign Intelligence Surveillance Act (FISA) to implement surveillance programmes, inadequate relief from other US laws and orders, and the limitations on the ability of those targeted for surveillance to bring legal action before courts that are considered independent and impartial.
Meta has indicated that it will appeal the ruling pointing out that this judgment has less to do with its specific business practices and more with a “fundamental conflict of law between the US government’s rules on access to data and European privacy rights”. And while it is the size of the fine that has produced headlines, the context here is the continuing argument between the EU and US on what constitutes an adequate level of data privacy protection.
Beyza Karakoy, Thematic Intelligence Analyst at Global Data, a data analytics and consulting company, suggests that the fine “will increase the pressure to reach a consensus on a transatlantic data transfer deal that would provide greater certainty for businesses with worldwide operations. Meta has been granted a six-month transition period before the suspension of its data flows. However, its business will likely be significantly disrupted unless a new EU-US data transfer deal is agreed and adopted within this timeframe.”
A wider effect of the DPC decision is that individual companies are now expected to form a judgment on what precisely constitutes a legal framework that suitably protects personal data exported from the EU in any country that is considered democratic. That feels not only like a very tall order, but something that is almost certainly subjective and open to debate in the context of the complex legal and regulatory frameworks involved.
Democratic society
This exercise could be particularly complex given the large number of areas for which safeguards might actually be necessary and acceptable in a democratic society as identified in the Clause 5 footnote. In addition to the areas of national security, defence, and public security already cited these include: “the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others”.
A logical inference might also be made that personal data transfers from the EU to countries not considered democratic are non-compliant with GDPR by default.
Putting aside the legal issues for a moment, this is a record fine for a breach of GDPR, which is arguably the foundational regulatory framework for privacy and has been used as a baseline across the globe for other national legislation. However, the US has always had its own approach.
As a consequence, all organisations should take note and consider whether mitigating steps are needed in light of the decision. “This demonstrates the authorities are not shy in issuing eye-watering fines when it comes to enforcing GDPR. The UK follows the same law and organizations need to take note as quite often they are sending data to the US indirectly without realising it through third party software and apps,” says Emma Green, a cybersecurity lawyer. “A considerable number of businesses are using the Facebook cookie on their website, quite often unknowingly and without realising they are complicit in transferring personal data of website visitors to the US through Facebook.”
Finally, the case goes to the heart of the universal reluctance among non-US corporates to house their data in the US where it can be accessed by the US government and agencies without restriction. It is a conflict between the individual data rights for EU subjects that are enshrined in GDPR and US frameworks aimed at delivering the same protections. The Court implies in this ruling that those rights are not equivalently protected when transferred by Meta, and indeed many other tech businesses, to the US.
This is only the beginning of the journey in rationalizing the significantly conflicting stances of the EU and the US in data protection and sovereignty.