EU – The billion Euro Irish fine: What does it mean for international transfers?
The decision by the Irish Data Protection Commission to fine Meta €1.2 billion is significant due to the size of the fine but also because of the wider implications for international data transfers.
The decision does not fundamentally alter the rules on international data transfers in the GDPR but contains unfavourable mood music. While there are reasons for optimism – such as the likely adoption of the Transatlantic Data Privacy Framework – the decision is likely to create further uncertainty about transfers of personal data to the US and other jurisdictions.
Background
The decision centres around the transfers of personal data from Meta Platforms Ireland Limited (“Meta Ireland”) to its US processor, Meta Platforms, Inc. (“Meta US”).
Meta Ireland originally made those transfers under the old 2010 controller-processor standard contractual clauses, but replaced them in August 2021 with the new 2021 standard contractual clauses (“2021 SCCs”). The 2021 SCCs were supplemented by both a Transfer Impact Assessment and a Record of Safeguards and Supplemental Measures.
The Irish Data Protection Commission (“IDPC”) based its assessment of the transfer on a strict application of the CJEU’s judgment in Schrems II (C-311/18) (discussed here) and came to the following key conclusions:
- US law does not provide a level of protection that is essentially equivalent to that provided by EU law. Moreover, US law does not respect the “essence” of rights granted under the EU Charter, particularly the right to a judicial remedy for affected data subjects. A measure that undermines the “essence” of the EU Charter is invalid without the need to consider proportionality. The IDPC quotes AG Saugmandsgaard Øe in Case C-401/19: “‘The essence’ of a fundamental right is an ‘untouchable core’ which must remain free from any interference”.
- Neither the 2021 SCCs nor the supplemental measures used by Meta Ireland can compensate for the inadequate protection provided by US law.
- In particular, Meta Ireland encrypts data in transit. This is likely to protect the data from interception under the Section 702 UPSTREAM surveillance programme and the EO 12333 cable intercept programme.
- However, encryption in transit does not protect the data from the Section 702 FISA “downstream” programme (PRISM), under which there could be non-court-supervised access to a user’s data without their knowledge. Meta Ireland cannot stop this, and there is no remedy for an EU data subject who is not informed that they have been the subject of a FISA 702 search.
- On that basis, these transfers do not guarantee a level of protection essentially equivalent to that provided by EU law (interpreted in light of the EU Charter) and so breach the GDPR.
On the back of this finding, the IDPC made three orders:
- Meta Ireland must suspend the data transfers within 12 weeks of the date on which time to bring an appeal expires.
- Meta Ireland must stop storing personal data about EEA users in the US that was transferred in violation of the GDPR (i.e. delete that data). This must be done within six months.
- Meta Ireland must pay a fine of €1.2 billion.
The IDPC did not originally think the order to delete the data was necessary or that a fine was warranted given Meta Ireland had made the transfers in good faith. However, the EDPB issued a binding decision forcing the IDPC to impose these orders. Meta Ireland have said they will appeal.
A complete ban on US transfers?
The decision by the IDPC does not fundamentally alter our understanding of the rules on international data transfers in the GDPR. However, it is partly based on a binding decision by the EDPB and therefore represents the consensus view of data protection regulators from across the EU. Added to that, the “mood music” in the decision is unfavourable.
For example, there are a number of strongly worded submissions from other supervisory authorities, such as the Austrian regulator’s comments that: “transferring data to the US is ‘a widely used practice among numerous controllers’ and that not imposing a fine on Meta [Ireland] would send a message that past infringements of the GDPR would not be properly addressed … the imposition of an administrative fine also has an awareness-raising function among other controllers who should be given a clear signal that non-compliance with the GDPR has consequences which also cover past behaviour.”
At the end of the decision, the IDPC states that its analysis applies to any US recipient subject to FISA 702 PRISM. The IDPC considers whether it should make an order generally suspending all transfers to the US but decides it should not, as each transfer must be subject to a case-by-case assessment.
If the analysis so far suggests challenges for transfers of personal data to the US, there are some aspects of the decision that might provide reasons for optimism.
Reason for optimism: New US protections not yet in force
The first is the US Government’s proposals to enhance privacy rights for individuals under Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities and Rule 28 CFR 201 establishing a “Data Protection Review Court”.
The IDPC specifically disregarded these reforms as they are not yet operational. For example, the redress mechanism in EO 14086 only applies to individuals in a designated “qualifying state”. However, the US Government has not yet designated the EU as a “qualifying state” so those provisions have no effect. Similarly, the Data Protection Review Court is not currently operational, not least because no judges have been appointed.
Once these reforms take full effect, there will be better arguments that the US law does provide essentially equivalent protection to that provided by EU law. This is an issue the IDPC skirts carefully in its analysis.
Reason for optimism: The Transatlantic Data Privacy Framework
The next potentially helpful development is the EU’s likely adoption of the Transatlantic Data Privacy Framework. While it has faced resistance in the EU, particularly from the EU Parliament, the framework has high level political support from both the EU and the US so still seems likely to pass.
Existing members of the EU-US Privacy Shield can likely roll over that membership into the new Transatlantic Data Privacy Framework and rely on that to legitimise transfers to the US (pending any further challenge in the CJEU).
Reason for optimism: A risk-based approach?
Finally, the IDPC notes that it may be possible to take a risk-based approach to transfers.
This ability to take a risk-based approach did not apply to Meta Ireland as it accepted it was obliged to comply with US law and had provided data in response to US Government requests. As those requests go to the essence of rights under the EU Charter the transfer is automatically unlawful and Meta Ireland could not rely on any proportionality assessment.
However, many other US recipients may be in a different position. For example, if the US recipient is able to demonstrate that it has not received any requests from the US Government, particularly under FISA 702 PRISM, it may well be possible to rely on a risk-based approach to this issue.
Similarly, it may be possible to rely on additional technical or organisational measures (such as customer-managed encryption keys, warrant canaries or synthetic remedies for data subjects) to mitigate the risk.
Outside the US
The IDPC’s decision also has wider repercussions for transfers to other jurisdictions. The US is not the only jurisdiction with governmental surveillance powers, nor does its regulation of those powers compare unfavourably with that of other important jurisdictions such as India and China.
While the findings in the IDPC’s decision focus on transfers to the US, some of the reasoning is problematic for transfers to other jurisdictions, particularly the suggestion that government access to personal data can go to the “essence” of rights under the EU Charter, meaning that such transfers are automatically unlawful without any proportionality assessment.
The UK post-Brexit
The position in the UK is likely to be largely unaffected by the IDPC’s decision (and the EDPB’s binding decision). The UK Information Commissioner is able to form his own views on international transfers post-Brexit free from interference from the EDPB.
That approach is likely to be influenced partly by the UK Government’s long-standing ambition to free up international transfers, which includes identifying the US as a priority jurisdiction for adequacy.
More importantly, the EU Charter has had a foundational effect on EU law but no longer applies to the UK. By way of example, the IDPC’s decision is largely underpinned by its conclusion that the US laws do not respect the “essence” of effective judicial protection and so transfers are automatically unlawful without any proportionality balancing exercise. In contrast, the UK Information Commissioner is likely to approach transfers with an intense focus on the actual data being transferred and the extent to which that transfer creates any actual risks or harms for UK data subjects.
Conclusion
For many businesses, international data transfers are just a fact of life. Multinational companies need to be able to transfer data amongst their group companies to sustain their operations. Even small businesses may well deal with counterparties in many different jurisdictions.
However, the legal framework for international transfers of personal data has become increasingly complex and expensive to navigate. The IDPC’s decision does not fundamentally alter that framework, but it does add to the uncertainty and the risk.
While there are reasons for optimism, most businesses should anticipate further scrutiny of these transfers, refresh their TIAs and otherwise redouble their compliance efforts.