Press enter to search, esc to close
In a hotly-anticipated decision, on Monday the Irish Data Protection Commission (DPC) announced the conclusion of its investigation into transfers of Facebook users’ personal data by Meta Platforms Ireland Limited (Meta Ireland) to the US. The decision could have far-reaching consequences for any organisation relying on standard contractual clauses (SCCs) to transfer personal data to third countries.
The conclusion of the investigation is the latest instalment in the series of developments following the Schrems II ruling in July 2020. In that ruling, the Court of Justice of the European Union (CJEU) held that:
Subsequent recommendations (Recommendations) produced by the European Data Protection Board (EDPB) set out examples of “supplementary measures” that could be used where the third country’s laws alone are not sufficient to protect personal data, including encryption, organisational measures and contractual protections.
Since Schrems II, Meta Ireland (like many others) has been relying on SCCs to legitimise its transfers of personal data to Meta in the US, alongside various technical, organisational and legal supplementary measures. The DPC’s investigation, which it began in August 2020, focussed on whether Meta Ireland’s reliance on SCCs complied with the EU General Data Protection Regulation (GDPR).
After engaging with other EU supervisory authorities and the European Data Protection Board (EDPB) through the GDPR’s co-operation procedure, the DPC ultimately decided that Meta Ireland’s transfers to the US in reliance on the SCCs were not compliant with the GDPR. This is despite the fact that Meta Ireland followed many of the steps set out in the EDPB’s Recommendations on lawfully transferring personal data to third countries using the SCCs, such as encrypting data in transit and implementing strong security measures.
As a result of the infringement, the DPC issued:
The potential implications of the decision are significant. Many organisations, particularly large tech platforms, rely heavily on US infrastructure to provide their services, and global data flows are crucial to many business models. The decision makes it abundantly clear not only that SCCs alone will not suffice to legitimise US transfers, but that there is very little (if anything) that organisations can put in place by way of “supplementary measures” to reduce the risk of US transfers to an acceptable level in order to rely on SCCs.
There may be light at the end of the tunnel, though. The European Commission and the US are in the process of negotiating a new Trans-Atlantic Data Privacy Framework (TADPF), to replace the old Privacy Shield arrangement. In the wake of the DPC’s decision, the European Commission released a statement that the TADPF is on track to be finalised by the summer. This may be ambitious (the EDPB and the European Parliament have both raised concerns about the TADPF), but the DPC’s decision certainly provides an added incentive to finalise the TADPT sooner rather than later. Meta Ireland will also, no doubt, appeal the decision, which could put the implementation of the decision on hold pending the appeal outcome. Even if an appeal does not lead to a change in the outcome, it could buy more time for the TADPF to be formally agreed, and for Meta Ireland (and others) to find alternative solutions to their US transfer challenges.
Although there is a hint of “watch this space” whilst we see what happens with the TADPF and the anticipated appeal, organisations should not be complacent. The decision gives a clear indication of the direction of travel of the regulatory landscape when it comes to international data transfers, and it is important to ensure that you are on top of your own data transfers.
If they have not already done so, organisations would be well-advised to:
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2023. Specific advice should be sought for specific cases. For more information see our terms & conditions.
23 May 2023