The Irish High Court's May 14 judgment concerning Facebook's EU-U.S. data transfers sheds light on the Irish Data Protection Commission's and the court's initial views on issues with significant global implications.
In the judgment, Justice David Barniville dismissed Facebook Ireland's arguments that the process followed by Ireland's Data Protection Commissioner in its own-volition inquiry into Facebook Ireland's EU-U.S. data transfers was flawed. This allows the inquiry to proceed.
As a procedural judgment, it does not weigh in on the merits of the DPC's preliminary views that the data transfers are not EU General Data Protection Regulation compliant or on their potential suspension. Yet, the 197-page decision makes public the DPC's process, timeline and substantive considerations for that inquiry, quoting at length excerpts from the DPC's preliminary draft decision and correspondence between the parties, all with implications for this case and others to come. It also shows how a well-informed court views DPC jurisdiction and obligations to enforce the GDPR alongside supervisory authorities across the EU and in light of the Court of Justice of the European Union's "Schrems II" decision.
Process
The judgment provides a window into the DPC's investigative and decision-making process in this case and others to come. A main point of contention in the case was whether the DPC strayed from its "typical" procedures in a way that unfairly breached Facebook's "legitimate expectations." Barniville said the DPC did not. The judgment's lengthy discussion of this issue offers insight into how the DPC thought best to approach this complex case, informed by years of litigation, in an expeditious manner. It also shows how DPC procedures are evolving to meet its weighty caseload alongside demands for speed.
In its 2018 annual report, the DPC laid out an "illustrative" 12-step process for a statutory inquiry, noting its "provisional sequencing," which depended on the "nature, circumstances, scope and subject matter of the inquiry" and was "subject to change."
In light of the present context (in this case, years of high-profile litigation), the DPC's process has evolved. The DPC noted it has informed companies in three other pending cases of new processes, as well. In short, those processes cut to the chase. In the case at hand, the DPC proceeded as follows. First, the DPC examined Facebook Ireland's publicly available policies and notices, including its data policy, transparency report, and statement of rights and responsibilities. Second, it crafted a preliminary draft decision as a means of laying out the basis for the inquiry and soliciting more targeted input on the specific questions the office felt it must address, based on the "Schrems II" decision. Third, the DPC asked and answered each of those questions, based on its interpretation of the "Schrems II" decision and its understanding of Facebook's policies and practices, garnered through its recent review of public policies and years of litigation. Fourth, the DPC sought Facebook's input on both the questions and the office's preliminary views on each to inform the development of a "draft decision" to submit to the Article 60 process.
Effectively, the DPC said, this is what matters and what the CJEU has demanded. If you disagree, prove us wrong.
Timeline
The judgment reveals the DPC's inquiry and decision-making process should take several months from start to finish, given the need to move "expeditiously" as required by the CJEU while considering input from Facebook and other supervisory authorities. In the case of persistent disagreements between authorities, though, the European Data Protection Board's consistency mechanism could add several additional months.
In its preliminary draft decision, the DPC gave Facebook 21 days to respond and stated during the court hearing that it would consider "a reasoned request for further time." The DPC also shared, in correspondence with Max Schrems, an interested party, that it planned to finalize its "draft decision" to submit to the GDPR Article 60 procedure within 21 days of receiving Facebook's submission.
Under the GDPR's cooperation and consistency mechanism, the clock then starts ticking, albeit relatively slowly by comparison to the DPC's own timetable. Once the DPC submits its draft decision to other concerned supervisory authorities, those authorities have four weeks to express a "relevant and reasoned objection." If there are no objections, the decision becomes binding. If there are objections, the DPC must either submit a revised draft to the other concerned authorities, which can object within two weeks, or, if the DPC does not follow the objection or does not believe it is relevant and reasoned, submit the matter to the consistency mechanism for a binding decision by the EDPB. GDPR Article 65(2) provides that the EDPB would issue a binding decision within one month, or, following an extension given "the complexity of the subject matter," within an additional month. Two-thirds of EDPB members must approve the decision. If two-thirds do not agree, another two weeks are allotted for a simple majority vote under Article 65(3).
Throughout the EDPB processes, its secretariat may require a relevant party to complete data in the file, potentially extending the proceedings. Once the decision is adopted, the EDPB Chair must notify the concerned authorities "without undue delay" pursuant to Article 65(5). The DPC would then be required to issue its final decision, on the basis of the EDPB's, "without undue delay" and no later than one month after notification of the EDPB's binding decision (Article 65(6)). Ultimately, cooperation with other authorities could add half a year.
The DPC confirmed during the hearing that the 21-day period for Facebook's response and any reasoned requests for an extension would run from the date the inquiry resumes. The court dismissed objections to the DPC's process. And so, the clock is reset.
Substance
The DPC asked and answered three impactful questions. These were as follows:
- Whether U.S. law provides a level of protection that is essentially equivalent to that provided by the GDPR, read in light of the fundamental rights in the Charter.
- If not, whether the standard contractual clauses can compensate for any inadequacies in the protections afforded by U.S. law.
- If not, whether there are any supplemental measures in place which can compensate for any inadequacies in the protections afforded by U.S. law.
The DPC then shared its preliminary views on each, subject to Facebook Ireland's input, as follows:
- U.S. law does not provide a level of protection that is essentially equivalent to that provided by EU law.
- SCCs cannot compensate for the inadequate protection provided by U.S. law.
- Facebook Ireland does not appear to have in place any supplemental measures that would compensate for the inadequate protection provided by U.S. law.
The judgment explains how the DPC reached its preliminary views on each of these questions and the areas in which the DPC felt bound by the "Schrems II" decision to answer the question in a certain way, each by reference to its preliminary draft decision. These explanations are instructive.
Concerning the first question, the DPC stated it is "obviously bound by the detailed analysis and accompanying findings of the CJEU in the judgment … [and] therefore bound to conclude that US law does not provide a level of protection that is essentially equivalent to that provided by the EU law." The judgment notes Facebook disputed this view, pointing to recent changes in law and practice, as well as the U.S. government's September 2020 white paper on the topic. Since the judge did not consider the merits of these views, hashing this out will be left until next time.
With regard to the second issue, the DPC reasons the CJEU "clearly found" that when foreign laws allow government authorities to interfere with data subject rights concerning transferred data, "SCCs will not suffice to guarantee the necessary protection …. Given that the CJEU found that (U.S.) law interferes with the rights of data subjects …, it necessarily follows that SCCs cannot compensate for the inadequacies in the level of protection afforded by (U.S.) law." The DPC added that even if the CJEU had not made that finding, "it is obvious that the SCCs cannot address inadequacies of the protection afforded by (U.S.) law."
On the last question, the judgment is more succinct, noting the DPC stated it is "not aware of any supplemental measures adopted by [Facebook Ireland] which would address the inadequate protection provided by EU law" given that "no such measures are identified in [Facebook Ireland's] Data Policy or (System Requirements Review)." In response to Facebook's critique of this position, the DPC stated that Facebook could correct any inaccuracies in its preliminary views via its submissions.
The preliminary draft decision then states "The DPC is, therefore, considering proposing that the data transfer should be suspended." The DPC proposed suspension rather than a "ban," given that Facebook might later be able to adopt measures to address the deficiencies identified.
And so, the table is set for the inquiry with three significant questions, their final answers, and potential corrective action still to be decided.
Broader implications
Beyond the judgment's insights into DPC thinking, the decision weighs in on two issues that could have broader implications for other companies and consistent application of the GDPR across the EU. These are whether the DPC must initiate investigations into all companies under its jurisdiction similarly transferring data and whether the DPC must defer to future EDPB guidance.
First, the judge considered whether it was disproportionate, discriminatory or would distort competition for the DPC to investigate and potentially suspend Facebook's data transfers if it did not proceed similarly with regard to other entities. While the DPC explained it does have ongoing investigations into other controllers' EU-U.S. data transfers based on complaints, it also contended that it is not required to initiate an inquiry into every company in a similar position. The judge agreed, writing, "The DPC was entitled to commence and proceed with the inquiry in respect of Facebook Ireland's data transfers without having to carry out inquiries into other entities involved in similar transfers." The judge added a regulator like the DPC must be able to prioritize its enforcement actions unless the law provides otherwise, which in this case, it does not. As such, if the DPC issued a final decision to suspend transfers, that would not mean that it must proceed in the same fashion about all companies transferring data from Ireland-based main establishments. That said, the practical effect might not be much different since companies would be wary of transferring data following such a ruling, as many already are.
Second, the judge considered whether the DPC acted unlawfully by proceeding with this inquiry before the EDPB had issued its promised recommendations on supplementary measures. The DPC argued it was "obliged to proceed to give effect to the judgment of the CJEU" and would take into account the EDPB's recommendations, which had since been issued for public comment, along with Facebook's submissions. The DPC also pointed to relevant actions taken by supervisory authorities in France and Finland. Here the judge concluded the GDPR does not oblige supervisory authorities to wait for EDPB guidance and EDPB guidelines are not binding on supervisory authorities. Such an obligation, the judge reasoned, would be inconsistent with the obligations on supervisory authorities to act within a reasonable period of time. Still, the judge noted the DPC's position might have been different if the publication of the EDPB's guidance was imminent when it issued its preliminary draft decision. Looking forward, it will be interesting to see if the need for consistency pushes the EDPB to reach consensus more quickly.
Conclusion
Ultimately, nearly everything in this case, including its implications, is still to be determined. The European Commission's forthcoming standard contracts, the EDPB's final recommendations on supplementary measures, developments in EU-U.S. Privacy Shield talks or even broad agreement in the Organisation for Economic Co-operation and Development on trusted principles for government access to private-sector data could all shift the calculus. Amid that uncertainty, the DPC must proceed expeditiously, and privacy pros must find a path forward.