It has been a long time coming, but the other shoe has finally dropped. Ireland’s Data Protection Commission (DPC) fined Meta Platforms Ireland (parent of Facebook Ireland) €1.2 billion, the highest fine to date under the European Union’s General Data Protection Regulation (GDPR). The DPC also ordered the company to cease transfers of personal data to the United States within five months. The order allows the company an additional month to stop processing personal data already transferred, including personal data stored in the U.S.
While the fine and the ruling mark an important point in the struggle to develop laws and agreements that protect the privacy rights of individuals without needlessly inhibiting the free transfer of personal data, the conflict is far from over. GDPR implements the balance between the protection and free flow of personal data within the EU and maintains those protections by limiting the legal mechanisms for transferring personal data out of the EU. The primary mechanisms include adequacy decisions by the EU Commission, standard contractual clauses (SCCs), and binding corporate rules, with several others allowed in special cases.
A History of Privacy Concerns about Facebook Ireland
Concerns about Facebook Ireland’s transfer of personal data to the US go back at least as far as complaints filed by Max Schrems, an Austrian privacy activist, in 2011. Schrems filed a complaint again in 2013, after mass surveillance activities by the US government were publicly exposed by Edward Snowden, a contractor with the National Security Agency (NSA). This complaint, Schrems I, made its way to the top EU court, the Court of Justice of the European Union (CJEU). In 2015, the CJEU declared the EU-US Safe Harbor data transfer mechanism used by Facebook to be invalid.
The successor to Safe Harbor, the EU-US Privacy Shield, fared no better. Schrems filed another complaint, which also made it to the CJEU. In its July 2020 Schrems II ruling, the CJEU declared Privacy Shield invalid as a data transfer mechanism but upheld the use of SCCs, which Facebook adopted.
Using Standard Contractual Clauses
An essential factor to consider in evaluating SCCs, the CJEU said, is the ability of public authorities in a non-EU country to access transferred personal data under the legal system of the country. If private sector companies could not provide sufficient protection to the personal data of EU residents, including protection from public authorities, then EU Supervisory Authorities such as the Irish DPC are required to suspend or prohibit the transfer of data to the non-EU country.
Since 2020, the EU Commission has issued a new set of SCCs, while the European Data Protection Board (EDPB) has issued a roadmap for assessing the legal systems of non-EU countries and has identified technical and organizational measures companies can use to supplement the SCCs.
The Future of EU-US Data Transfer
In addition, the US and the EU are negotiating a successor to Privacy Shield. These efforts, however, have not resolved the central issue: the US government conducts mass surveillance (within certain limits), the CJEU objects to this activity, and private sector entities are caught in the middle.
The DPC’s actions are another stake in the ground. Facebook implemented and documented a wide range of supplemental controls, but the DPC deemed these measures insufficient based on the CJEU Schrems II ruling. Despite the ruling, there has still not been a mechanism identified that Facebook can use to transfer personal data from the EU to the US. Although Facebook will appeal the DPC’s ruling (see their response here), the likelihood of success is questionable, as the final decision will probably be made by the CJEU.
The Ruling’s Effect on US Companies
So, what does the DPC’s ruling mean for companies in general? Realistically, there has been no change. Large tech companies subject to requests under the Foreign Intelligence Surveillance Act (FISA), including Meta, Google, and Microsoft, were already the biggest targets. Other firms should be implementing SCCs or other appropriate transfer mechanisms and should complete a Transfer Impact Assessment where necessary.
Efforts to minimize collection of personal data should continue, and it would be reasonable to take another look at end-to-end encryption, localizing EU personal data, and other measures to protect personal data. Ultimately, the DPC’s actions have neither resolved the central issue nor identified a clear path forward.
If you have concerns about your data collection and privacy practices, members of our Cybersecurity & Data Privacy team are ready to help.