On May 22, Ireland's Data Protection Commission published its anxiously anticipated decision in the Meta data transfers case, which includes a record-breaking 1.2 billion euro fine, a stop-transfer order with a carefully delineated timeline and an order to cease unlawful processing of EU data in the U.S. within six months.
Those who have watched the trans-Atlantic data transfers' title fight closely enough to require sweat towels themselves might be asking: should we mark today's decision as a pragmatic punch or a knockout blow? Either way, it is one that sends the boxer sprawling over the ropes into the laps of those ringside and sets the clock ticking.
Scoring the fight, though, depends on whose punch we are contemplating, who takes the hit and how soon those ringside step up to quell the pandemonium that could ensue. Understanding this decision fully requires considering not only what the order says and means, but also the case’s intractable and political history.
The intractable and political bits
This decision traces back nearly ten years to the Snowden disclosures, as many readers will recall. Those disclosures led Max Schrems, then an Austrian law student, to challenge the legality of Facebook's data transfers to the U.S. under the EU Data Protection Regulation due to concerns regarding U.S. surveillance overreach. His complaint was lodged in Ireland, where Meta now has its main EU establishment.
Over ten years and after many rounds, frameworks and flows were built and banjaxed, with the DPC, the Court of Justice of the EU, the European Commission, the U.S. government, Max Schrems and Meta entering the fray at intervals.
These years featured the consecutive invalidation of two diplomatically negotiated cross-border data protection frameworks, which facilitated commercial transfers of personal data to the U.S.: the U.S.-EU Safe Harbor Framework, which fell after the CJEU's 2015 "Schrems I" ruling, and the EU-U.S. Privacy Shield, invalidated by the CJEU's 2020 "Schrems II" ruling.
No surprise that international transfers ranked first as a top priority issue for EU organizations responding to the IAPP 2022 Governance Report.
The CJEU's Schrems II decision, with which the current order is concerned, invalidated the Privacy Shield due to EU concerns regarding the necessity, proportionality and redress associated with U.S. government surveillance authorities. This kicked off multiyear negotiations between the U.S. government and the European Commission to address the CJEU's concerns and develop a third such arrangement — the EU-U.S. Data Privacy Framework. The DPF still awaits final "adequacy" approval from the EU — more on that below.
In the meantime, Meta switched from the Privacy Shield to the EU standard contractual clauses and supplementary measures to govern its U.S. data transfers, placing SCCs at the heart of the DPC's investigation in the current case.
This final DPC decision indicates EU DPAs do not believe Meta's use of SCCs and additional safeguards can fill the legal void left by the Schrems II decision, on account of U.S. rules and practices related to government access to data for the purposes of law enforcement and national security. The fact that Meta bears the bruise of such a decision demonstrates, once again, that this is a challenge companies alone cannot fully resolve.
There are two separate decisions in this case: the DPC's final decision, which now binds Meta, and the EDPB's decision, which resulted from the GDPR's dispute resolution mechanism and bound the DPC, dictating how it must rule on two specific issues where disagreements arose between DPAs in this cross-border case. All EU/European Economic Area DPAs were involved in the case as "concerned supervisory authorities." This means the final decision was not the DPC's alone.
The DPC's decision includes three orders, one which stems from the DPC's own investigation and draft decision, and two which resulted from other DPAs' objections and the EDPB's decision on how to resolve them.
- The stop transfer order: The DPC proposed the stop transfer order, explained in detail below, and no DPAs objected. In fact, the EDPB makes clear there was a consensus on this core component.
- The compliance order: DPAs in France and Germany argued data previously transferred to the U.S. in a manner now deemed illegal should be deleted, returned or otherwise brought into compliance. The EDPB agreed and instructed the DPC to require Meta "to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the IE SA's final decision to Meta IE." The DPC mirrored the EDPB's language in its decision.
- The fine: DPAs in France, Germany, Austria and Spain objected to the lack of a fine in the DPC's proposed order. Ultimately, the EDPB instructed the DPC to impose a fine within a prescribed range (20%-100% of the GDPR's maximum), but left the final amount to the DPC's discretion. The DPC incorporated this mandate with a 1.2 billion euro penalty.
The stop transfers order
The DPC press release states that Meta must suspend personal data transfers to the U.S. within five months from the date Meta was notified of the decision (which took place 12 May). This suggests a compliance deadline of 12 October. However, the order itself is a bit more granular, stating that the suspension order will take effect 12 weeks from the end of the periods allowed to appeal the DPC decision and/or annul the EDPB decision.
In reaching its conclusion to order an end to transfers, the DPC makes the following four findings with significance well beyond Meta.
- "U.S. law does not provide a level of protection that is essentially equivalent to that provided by EU law;
- Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by U.S. law;
- Those of the measures set out in the Record of Safeguards that forms part of the TIA that are presented or characterized as supplemental to the measures for which provision is made in the 2010 SCCs and/or 2021 SCCs, do not compensate for the inadequate protection provided by U.S. law; and
- It is not open to Meta Ireland to rely on the derogations provided for at Article 49(1) GDPR (or any of them) when making the data transfers."
Points two and four are noteworthy, and less anticipated than the others, because, collectively, they close the door on Meta relying on other GDPR transfer mechanisms to make its transfers to the U.S. legal, substantiating the need for a suspension order as the last remaining option.
The DPC found neither the old nor the new SCCs, paired with additional safeguards Meta deployed following the CJEU's Schrems II decision, met the GDPR standard of essential equivalence. Given that Meta transitioned from the 2010 to the 2021 SCCs during the inquiry, it was previously unknown whether the decision would speak to both.
Still, this is no major surprise, as the European Commission and U.S. government have been negotiating for more than two years to finalize the new EU-U.S. Data Privacy Framework precisely to fill the gaps in U.S. laws and practices identified by the CJEU in Schrems II.
The first point regarding U.S. law, and the reasoning that underpinned it, is most critical in terms of next steps. A big open question was whether, and how, the DPC would consider the changes to U.S. law made via Executive Order 14086 and Department of Justice Regulations in December 2022 to effectuate the EU-U.S. DPF.
The DPC gave careful consideration to these new legal authorities, but found the protections and redress they contemplate were not yet operational for EU citizens, because the EU has not yet been deemed a "qualifying state," and intelligence agencies have yet to finish translating the Executive Order's requirements into new policies and procedures.
The DPC further reasoned that the new safeguards do not appear to apply retrospectively, an observation which merits attention moving forward. Ultimately, though, the DPC reserved judgement on whether the EU-U.S. DPF will meet the CJEU's essential equivalence tests, once fully operational.
The DPC's recognition that these are legal challenges governments must resolve undoubtedly informed the five-month transition period. That timetable puts both the European Commission and U.S. government on notice. It provides those who can solve the challenge one last chance to do so before their businesses and economies take the hit.
Of course, the significance of the commercial changes needed to stop transfers (or EU business) was a major factor in the timetable as well. The DPC referenced Meta's statements that a stop transfer order would require it to stop providing Facebook services in the EU, where 10% of its global ad revenue is generated. That hit would significantly surpass the GDPR's upper limit of 4% of worldwide revenue, but importantly it is not a hit to Facebook alone.
It has precedential impact for all such data transfers from EU businesses to their U.S. counterparts.
The DPC decision acknowledges the broader impact of its decision, notwithstanding the fact that the DPC is only empowered to bind Meta's Irish entity. The DPC notes how "the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA."
One critical question, discussed below, is whether some of that broader impact will be felt immediately. Dozens of U.S. and European headquartered companies have warned, in public financial disclosures, of the negative impact to their operations and revenues if there is continued — or exacerbated — uncertainty and disruption to transatlantic data transfers.
The meaning of "bring its processing operations into compliance"
Having ruled Meta's transfers were not in compliance with the GDPR, it follows that Meta was ordered "to bring its processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR."
What that means exactly, and what it requires of Meta, has not been made explicit. We can see two DPAs suggested deletion of that data as one avenue, but deletion was not explicitly ordered.
Logically, it may follow, if the data should not have been transferred on account of the transfer being unlawful, then the data should not be in the country to which it was transferred. Deletion is a relatively small word that belies the complexity of putting that word into action. Deleting EU data from its U.S. services is one, albeit quite brutal, way to ensure there is compliance.
Other, less brutal, options may be available and attainable. Indeed, measures such as anonymization and encryption may be explored and have historically been explicitly called out by the EDPB as possible supplementary measures. Deletion may also not be a panacea in cases like Meta’s.
Arguably, it does not make sense to think of data as having been "previously transferred" to the U.S. at all. Some companies continuously refresh and replenish their data stocks, resulting in a continuous transfer of data. With each refresh, it becomes harder, if not impossible, to treat that data as previously transferred.
Those holiday photos you uploaded in 2008? They may be transferring right now.
The fine itself
At 1.2 billion euros, this fine is the largest GDPR penalty to date. Yes, Meta paid a larger fine for privacy infringements when it was ordered by the U.S. Federal Trade Commission to pay USD 5 billion in 2019. Incidentally, that USD 5 billion fine still eclipses all GDPR fines combined.
But, perhaps the record-breaking size of this GDPR fine signals the ushering in of a new era for GDPR enforcement. National regulators are seemingly not only more equipped but also more willing to issue larger fines. On cross-border cases, where there is disagreement among national regulators, the EDPB is establishing a track record in favor of ratcheting up the amount being fined. In this case, the EDPB's intervention via the dispute-resolution process resulted in a fine, when following its own investigation the DPC would not have ordered one.
The fine is also the first issued for unlawful transfers. The breaking of ground here, and the rationale for issuing such a significant fine, will be of interest to many more companies than Meta and for transfers of data to many more countries than just the U.S. (14 jurisdictions currently have EU adequacy status).
In mandating a fine, the EDPB reasoned "taking into account the scope of the processing, as well as the very high number of data subjects affected, Meta IE committed an infringement of significant nature, gravity and duration." The EDPB pointed more specifically to the breach of fundamental rights, that "Meta IE has '309 million daily active users in Europe'" and that the breach has been ongoing since July 16, 2020. The EDPB found "Meta IE committed the infringement at least with the highest degree of negligence" by proceeding with transfers, and the special categories of data and existence of previous violations are compounding factors to consider.
The EDPB made it clear the amount of the fine should be sufficient to punish and dissuade illegal actions, considering the financial situation of the company in question. The EDPB suggested the starting point for fine calculation should be 20-100% of the legal maximum stipulated by the GDPR and be based on annual worldwide turnover of Meta Platforms. However, it ultimately left the calculation to the DPC's discretion, so long as requirements in GDPR Article 81(1) and 81(2) were met.
The DPC noted, in making its own calculation, it considered as mitigating factors, the "severe consequences" of the suspension order for Meta's business as well as the "Financial Consequences" Meta outlined.
Since the fine takes effect immediately, irrespective of whether adequacy comes online, it sends another important signal — that time is up. Meta will bear some of the pain of U.S. and EU delays in finalizing the EU-U.S. DPF.
But how should the broader market interpret this signal?
Thousands of companies rely on SCCs. According to the 2021 IAPP-EY Governance Report, 94% of those transferring personal data out of Europe use them. While precedential lessons of this decision may not apply to all, as the DPC itself noted, they certainly apply to many.
How much immediate risk do they now bear? Should they look to the immediacy and size of the fine or the transition period associated with the other orders when assessing their own risk and response? Do DPAs expect companies to localize data now, switch to local alternatives, exit the market or wait for the EU-US DPF to come online? What other choices do they have? Are all DPAs on the same page?
There has not been certainty in this arena for a decade, but now the lack of it attaches to a much higher price tag. DPA guidance in the days and weeks to come could be helpful in addressing these questions.
What can we expect from those ringside?
We can expect Meta to appeal the DPC's decision in Ireland's High Courts. In doing so, Meta may also seek injunctive relief by way of a stay of execution on the DPC's order. To the extent that any appeal pertains to matters of EU law, we can also expect this to make its way back to the CJEU.
As the rounds lengthen and seem to never end, could it be that the adequacy bell will ring, calling an end to the fight?
The European Commission assessed the EU-U.S. DPF and — importantly — relevant and current U.S. laws and practices as adequate. The European Commission's draft adequacy assessment is working its way through the final stages of the EU process before it can take legal effect under the GDPR.
This enforcement, and the ensuing uncertainty, will serve as the latest salutary reminder for diplomats on both sides of the Atlantic to conclude the process. The European Commission issued a statement, following the DPC enforcement, to say it expects adequacy and the EU-U.S. DPF to be "fully functional by the summer."
Once that draft decision by the European Commission becomes law, there will not only be a valid data transfer mechanism for those organizations certified to the EU-U.S. DPF, but also a favorable and binding EU legal assessment of those U.S. laws and practices. The effect of such an assessment extends beyond the organizations relying on the EU-U.S. DPF itself.
EU organizations transferring data to the U.S. via the SCCs, or indeed any of the alternative transfer mechanisms, can do so knowing one significant part of the uncertainty and complexity has been addressed. Practically speaking, organizations completing transfer impact assessments and pausing over whether, and how, to complete sections on government access to data will be able to rely on the assessment made higher up and turned into law.
Pragmatic punch or knockout blow? That remains to be seen.
As has long been the case, these are ultimately challenges only governments can resolve. Adequacy between the EU and U.S. is one important piece of an increasingly global and complex puzzle for global data flows.
No surprise that governments, including at head-of-state level, have been doubling down on the need to secure, sustain and scale data transfers in a safe way. Efforts at the Organisation for Economic Co-operation and Development, the World Economic Forum, Global Cross-Border Privacy Rules Forum and most recently the G7, to name a few, show that fist fights may make way for handshakes.