Ireland's Data Protection Commission handed down a long-awaited enforcement action against Meta Platforms Ireland early Monday morning with a record fine of 1.2 billion euros.
The fine, which is the highest to date under the nearly five-year-old EU General Data Protection Regulation, was accompanied by an order requiring Meta Ireland-owned Facebook to suspend future transfers of personal data to the U.S. within five months of the DPC's decision and to bring its processing operations into compliance "by ceasing the unlawful processing, including storage, in the U.S. of personal data" of EU and European Economic Area users within six months of the DPC's notification to Meta.
Though the case commenced nearly three years ago in the wake of the Court of Justice of the European Union decision that invalidated the EU-U.S. Privacy Shield arrangement, it faced a series of challenges, both in the High Court of Ireland and among the data protection authorities in the EU under the umbrella of the European Data Protection Board.
The case concerns the data transfer mechanism Meta's Facebook has relied on since the Privacy Shield was invalidated. Since the 16 July 2020 CJEU decision, the company has used standard contractual clauses, including the SCCs updated by the European Commission in 2021.
On 13 April, the EDPB completed its binding dispute resolution decision, after some concerned supervisory authorities disagreed with the DPC's original draft decision.
In a news release, EDPB Chair Andrea Jelinek said, "The EDPB found that (Meta's) infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences."
In a response to Monday's finding, Meta Global Affairs President Nick Clegg and Chief Legal Officer Jennifer Newstead said the fine is "unjustified and unnecessary" and that the company will appeal.
"This is not about one company's privacy practices — there is a fundamental conflict of law between the U.S. government's rules on access to data and European privacy rights, which policymakers are expected to resolve this summer."
In March 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced they reached a political agreement on a new EU-U.S. Data Privacy Framework. The new arrangement has yet to be finalized, and earlier this month, the European Parliament approved a resolution calling on the European Commission to continue negotiations with the U.S. out of concern that the DPF could once again become invalidated by the CJEU as currently constructed.
In response to the decision, NOYB Chairman Max Schrems, who has successfully challenged two trans-Atlantic data transfer regimes in the last decade, said, "We are happy to see this decision after 10 years of litigation. ... Unless U.S. surveillance laws get fixed, Meta will have to fundamentally restructure its systems."
"This enforcement action puts international data transfers at the top of the list of regulatory priorities by European data protection authorities," Hogan Lovells Partner Eduardo Ustaran, CIPP/E, told The Privacy Advisor. "However, by focusing entirely on the potential for government access to data rather than on the protections deployed to protect that data from interference, this distorts the aim of data protection law."
Wide-ranging implications?
Though Meta has long been in the EU regulatory spotlight, Monday's decision could have implications for other businesses, as well.
"The impact of this decision is very broad, going vastly beyond Meta and being of concern for all businesses, universities, clinical trials and whomever is transferring personal data from the EU to the U.S. on the basis of SCCs in the absence of an adequacy decision," said Future of Privacy Forum's Gabriela Zanfir-Fortuna.
"This is because technically the Irish DPC, in rare agreement with the EDPB, is saying that the many and substantial supplemental measures that Meta put in place on top of SCCs do not compensate, nor could they compensate, for the deficiencies in U.S. law identified by the CJEU in the Schrems II judgment," she said. "If the vast array of supplemental measures implemented by Meta — ranging from numerous organizational policies, to encryption of data in transit, to challenging government requests — are not sufficient, it is unlikely that any other organization would be able to put effective measures in place when it comes to data transfers to the U.S."
Digiphile Managing Director Phil Lee, CIPP/E, CIPM, FIP, also points to the decision's broad implications, telling The Privacy Advisor, "At the back of the decision, the DPC says very explicitly that 'the analysis in this decision exposes a situation whereby any internet platforms falling within the definition of an electronic communications service provider subject to the U.S. Foreign Intelligence Surveillance Act 702 PRISM program may equally fall foul' of the GDPR's requirements on data transfers. This makes clear, if it wasn't already, that the DPC's decision — although directed to Meta — effectively implicates all EU transfers of data to U.S. tech companies."
For those using the newly updated SCCs and hoping those would remain "unscathed," Lee said Monday's decision demonstrates that it "extends to transfers to the U.S. made under both the old and the new SCCs."
In addition to transfers between the EU and U.S., Monday's decision involving supplemental measures could also carry implications for U.K. adequacy, according to Lee.
"The decision reinforces the idea that data exporters who make extra-EEA transfers must implement measures that ensure essential equivalence of EU data protection standards in the recipient country. Taking measures to 'address' or 'mitigate' data protection risks is not enough — seemingly casting doubt on the feasibility of a risk-based approach to data transfers.
"Given the UK's proposed 'data protection test' in the Data Protection and Digital Information (No. 2) Bill, which assesses adequacy on the basis of whether data will be protected to a standard that is 'not materially lower' than in the UK, will the EU maintain UK adequacy if this means EU data could be routed through the UK to countries where the local standard of protection is not 'essentially equivalent' but, instead, 'not materially lower?'"
Beyond legal challenges: Finding a political solution
As stakeholders await a finalized EU-U.S. Data Privacy Framework, there is little doubt it will be challenged in court, as its predecessors were. With U.S. surveillance law ultimately at the center of trans-Atlantic data flows, a political solution will likely be necessary.
In their response Monday, Meta's Clegg and Newstead said, "At a time where the internet is fracturing under pressure from authoritarian regimes, like-minded democracies should work together to promote and defend the idea of the open internet."
At the IAPP Global Privacy Summit 2023, the EDPB's Jelinek, NOYB's Schrems, former U.K. Information Commissioner Elizabeth Denham and IAPP Research & Insights Director Joe Jones discussed the need for a multilateral treaty among democratic nations.
"Democracies, especially the G7, should be able to get together and come to an agreement around standards for government access to private sector data," Denham said at the time.
In his comments to The Privacy Advisor Monday, Hogan Lovells' Ustaran said, "Everybody understands that the ultimate solution to this particular conflict is political, and it would be unfair to disregard the efforts that organizations make in the meantime to contribute to resolve that conflict.
"The issue of transfers to the U.S. will ultimately be resolved because there is a clear political will to resolve it, but the worrying aspect of this decision is that if we adopt such a strict approach to data protection at a global scale, it does not account for the geopolitical situation in the world and the efforts that are actually being made to achieve compliance."
Though Meta said it will appeal the ruling, timing will be tight. Will the European Commission finalize the DPF adequacy decision in time? There was an indication Monday that it will be finalized soon.
According to a European Commission spokesperson, "We expect this data protection framework between the EU and the U.S. to be fully functionable by summer. This will guarantee stability and legal certainty."
Until then, stakeholders will anxiously await a new framework.
"For now, all eyes will be on whether the European Commission can finalize arrangements and adopt the DPF before the grace period for compliance comes into effect," Lee said.
"There will be huge political pressure to achieve this."