Meta fined €1.2 billion – Data transfers Q&A
This is the latest development in relation to international transfers of personal data from the EU.
1. What does the Meta fine relate to?
The fine by the Irish Data Protection Commission (Irish DPC) of Meta Platforms Ireland Limited (Meta Ireland) related to Meta Ireland’s transfer of personal data about users of its Facebook service from the EU and EEA to the US. This is the latest development in relation to international transfers of personal data from the EU, an area that has been a recent focus of both regulators and privacy campaigners.
Chapter V of the General Data Protection Regulation (GDPR) sets restrictions on transfers of personal data internationally to outside the EEA. The aim is “to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined” where there are transfers of personal data to outside of the EEA. Organisations are required to ensure that there are “adequate safeguards” in place for such transfers. There are a number of different legal mechanisms that can achieve this, the most commonly used of which are the European Commission approved Standard Contractual Clauses (SCCs).
One of the impacts of the Schrems II decision in 2020 was that it is no longer sufficient for organisations to simply enter into the SCCs. Instead, organisations are required to undertake an assessment of the laws of the destination country to ensure that the personal data transferred would receive essentially equivalent protection as it would have done had that personal data remained in the EU. Organisations have therefore been undertaking data transfer impact assessments (DTIAs) which assess the laws in the importer jurisdiction and the facts of the transfer, to determine whether:
- those laws result in adequate safeguards for the personal data;
- supplementary measures are required (and possible, on which we comment further below) to ensure adequate safeguards for the personal data; or
- the transfer must be amended or suspended altogether.
In relation to Meta Ireland, the Irish DPC found that, although Meta Ireland had entered into the correct version of the SCCs and undertaken a DTIA, the way that the DTIA had been applied in the context of the nature of the personal data that was transferred to the US meant that there was not adequate protection for the transferred personal data. Meta Ireland has therefore been required to pay the fine and to suspend the data transfers. Meta has indicated that it intends to appeal the decision.
The Irish DPC’s decision does not change the law but rather (in light of the severity of the sanctions imposed) emphasises the importance of getting compliance right. We consider further below some key questions for organisations as well as what they should be focusing on.
2. What is the state of play in relation to transfers from the EU to the US?
While the US has never been subject to an adequacy decision by the European Commission (which would mean that no legal mechanism such as the SCCs would be necessary to legitimise transfers of personal data), other EU-US data sharing regimes have previously benefitted from adequacy decisions. These included Safe Harbor (invalidated in 2015 as a result of the so-called Schrems I decision (named after the Austrian privacy activist, Max Schrems)) and the EU-US Privacy Shield (invalidated in 2020 as a result of the Schrems II decision). In the absence of these regimes, organisations must use a valid legal mechanism (such as the SCCs and accompanying DTIA) to ensure there are adequate safeguards for transfers of personal data from the EU to the US.
The EU and US have, though, been working to address the issues identified in the Schrems II decision so that a replacement data protection framework can be developed that permits, in certain scenarios, transfers of personal data from the EU to the US without additional steps. The Executive Order signed by Joe Biden on 7 October 2022 has paved the way for this by increasing the restrictions on US intelligence agencies accessing personal data. However, the new framework has not yet been approved by the European Commission as being adequate and so, for the time being, organisations transferring personal data to the US must use an additional valid legal mechanism for the transfers (such as the SCCs). A spokesperson for the European Commission confirmed on 22 May 2023 that approval of the new EU-US data transfer pact was expected in the summer of 2023.
3. Are SCCs sufficient to offer adequate protection?
The Irish DPC’s decision does not affect the validity of the SCCs as a transfer mechanism under the EU GDPR.
However, as summarised above, the SCCs are not sufficient on their own to ensure adequate (which, as the decision emphasises, means “essentially equivalent”) protection for transfers outside the EEA to countries which do not benefit from an adequacy decision. Rather, to ensure adequate protection organisations must also carry out DTIAs.
4. What can companies learn about DTIAs?
Beyond the points raised in relation to supplementary measures below (and the seriousness of the sanctions for non-compliance), this decision restates previous guidance from the European Data Protection Board on DTIAs. As such, there are no substantive new requirements for companies to comply with.
To recap, as they have been since the Schrems II decision, DTIAs remain a critical element of organisations’ data protection compliance programmes.
The outcome of DTIAs will vary depending on a range of factors including the “destination” to which the personal data are sent, the nature of the data involved and the security measures in place during and following the transfer.
5. If the DTIA indicates that the transfer would not be subject to adequate safeguards, are supplementary measures an option?
Yes, if they ensure adequate protection for the personal data.
The decision considers in some detail both the range of supplementary measures that Meta has in place and the US laws to which it is subject (including as an electronic communications provider under FISA). It makes clear that measures which mitigate risks but do not result in “essentially equivalent” protection are not sufficient.
It is important to bear in mind that few organisations will be carrying out international data transfers on the same scale, or will be subject to the same regulatory scrutiny, as Meta. Additionally, the facts and circumstances of transfers that are relevant to a risk assessment frequently differ.
For example, whether or not the data importer:
- receives access to large or small volumes of sensitive/non-sensitive data;
- receives access to data in the clear (or whether it is encrypted); or
- (or its industry peers) has been subject to access requests from public authorities,
may vary substantially from one scenario to another.
Nevertheless, it is instructive to consider the sorts of gaps in protection which regulators identify as needing to be addressed by supplementary measures.
6. How does this compare to other fines issued by European data protection authorities?
The fine is the largest that has been issued by EU data protection authorities to date and is indicative of a trend towards fines of increasing size. For example, in July 2021 Amazon was fined €746 million by the Luxembourg data protection authority. What is of particular note is that previously, the largest fines from EU data protection authorities had been focused on breaches of other aspects of data protection legislation (for example, the mechanisms by which consent for marketing was obtained or how children’s personal data was processed). This latest fine shows that EU data protection authorities are prioritising international transfers of personal data and view breaches of the GDPR’s obligations on these to be significant.
7. What impact does the decision have for overseas transfers of personal data from the UK?
The EU bodies involved in the decision against Meta Ireland no longer have jurisdiction over companies that are subject to the UK GDPR. As such, there is no certainty that the approach taken by the EU will be followed in the UK. However, it is important to be aware that:
- to date, the Information Commissioner’s Office in the UK (ICO) has taken a similar approach to international transfers of personal data as that taken in the EU – one of the reasons for this is that any significant deviation could lead to questions being raised about the European Commission’s finding of adequacy for the UK; and
- many international organisations that are based in the UK will also be subject to the EU GDPR (for example, by virtue of the extraterritorial effect of the EU GDPR). Therefore, even though an organisation is based in the UK, the EU GDPR and the EU courts’ interpretation of the EU GDPR could still apply to that organisation, meaning that these developments will definitely be relevant.
8. What should companies be doing?
If not in place already, companies should prioritise implementing a process for carrying out DTIAs on all intra-group and third-party international data transfers which they carry out. While the level of sanctions faced by most organisations may not be as severe as those imposed on Meta, organisations will be better placed to manage compliance risk if they do so.