Record-breaking decision puts US personal data transfers at risk

In a hotly-anticipated decision, on Monday the Irish Data Protection Commission (DPC) announced the conclusion of its investigation into transfers of Facebook users’ personal data by Meta Platforms Ireland Limited (Meta Ireland) to the US. The decision could have far-reaching consequences for any organisation relying on standard contractual clauses (SCCs) to transfer personal data to third countries.

The story so far

The conclusion of the investigation is the latest instalment in the series of developments following the Schrems II ruling in July 2020. In that ruling, the Court of Justice of the European Union (CJEU) held that:

• the EU-US Privacy Shield was no longer a valid mechanism to transfer personal data from the EU to the US. This was on the basis that US laws did not provide adequate protection for personal data, primarily due to rules on government access to personal data for surveillance purposes; and
• in order to rely on SCCs, organisations transferring personal data to third countries must: a) assess the level of protection of personal data provided by the third country’s laws; and b) put in place “supplementary measures” to ensure an appropriate level of protection, if the laws themselves do not do so.

Subsequent recommendations (Recommendations) produced by the European Data Protection Board (EDPB) set out examples of “supplementary measures” that could be used where the third country’s laws alone are not sufficient to protect personal data, including encryption, organisational measures and contractual protections.

Since Schrems II, Meta Ireland (like many others) has been relying on SCCs to legitimise its transfers of personal data to Meta in the US, alongside various technical, organisational and legal supplementary measures. The DPC’s investigation, which it began in August 2020, focussed on whether Meta Ireland’s reliance on SCCs complied with the EU General Data Protection Regulation (GDPR).

What did the DPC decide?

After engaging with other EU supervisory authorities and the European Data Protection Board (EDPB) through the GDPR’s co-operation procedure, the DPC ultimately decided that Meta Ireland’s transfers to the US in reliance on the SCCs were not compliant with the GDPR. This is despite the fact that Meta Ireland followed many of the steps set out in the EDPB’s Recommendations on lawfully transferring personal data to third countries using the SCCs, such as encrypting data in transit and implementing strong security measures.

As a result of the infringement, the DPC issued:

• an order requiring Meta Ireland to suspend transfers to the US, within 12 weeks from the end of the periods allowed for appeal;
• a record-breaking fine in the sum of €1.2 billion; and
• an order requiring Meta Ireland to bring existing transfers to the US into compliance, by either deleting data already transferred to the US, or moving it back to the EU, within 6 months from the date that DPC notified Meta Ireland of the order.

So what does this all mean?

The potential implications of the decision are significant. Many organisations, particularly large tech platforms, rely heavily on US infrastructure to provide their services, and global data flows are crucial to many business models. The decision makes it abundantly clear not only that SCCs alone will not suffice to legitimise US transfers, but that there is very little (if anything) that organisations can put in place by way of “supplementary measures” to reduce the risk of US transfers to an acceptable level in order to rely on SCCs.

There may be light at the end of the tunnel, though. The European Commission and the US are in the process of negotiating a new Trans-Atlantic Data Privacy Framework (TADPF), to replace the old Privacy Shield arrangement. In the wake of the DPC’s decision, the European Commission released a statement that the TADPF is on track to be finalised by the summer. This may be ambitious (the EDPB and the European Parliament have both raised concerns about the TADPF), but the DPC’s decision certainly provides an added incentive to finalise the TADPT sooner rather than later. Meta Ireland will also, no doubt, appeal the decision, which could put the implementation of the decision on hold pending the appeal outcome. Even if an appeal does not lead to a change in the outcome, it could buy more time for the TADPF to be formally agreed, and for Meta Ireland (and others) to find alternative solutions to their US transfer challenges.

What should we be doing now?

Although there is a hint of “watch this space” whilst we see what happens with the TADPF and the anticipated appeal, organisations should not be complacent. The decision gives a clear indication of the direction of travel of the regulatory landscape when it comes to international data transfers, and it is important to ensure that you are on top of your own data transfers.

If they have not already done so, organisations would be well-advised to:

• ensure they have a clear map of their data transfers and have thoroughly risk-assessed them, focussing particularly on transfers to the US;
• review all transfer risk assessments conducted (and finalise any that are outstanding), especially for US transfers, to make sure they are complete, thorough and up-to-date;
• consider whether further supplementary measures can be put in place for any US transfers to mitigate the risks as far as possible; and
• keep a close eye on further developments in this case, which is far from over.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2023. Specific advice should be sought for specific cases. For more information see our terms & conditions.