Ten years on from the Snowden disclosures, the odyssey to protect EU/EEA subjects’ data from US surveillance continues. On May 22nd Ireland’s Data Protection Commission (‘IDPC’) published its highly anticipated final decision in the Meta Ireland (‘Meta’) data transfers case. The decision sought to examine the basis upon which Meta transfers personal data from the EU/EEA to the US in delivery of its Facebook service. More specifically, it sought to examine Meta’s reliance on the 2021 EU standard contractual clauses (SCCs) and supplementary measures to govern its US data transfers, following invalidation of the Privacy Shield and the continued absence of an adequacy agreement between the US and the EU. The decision comprises three orders that Meta now finds itself bound to: a stop transfer order, a compliance order and a fine order. Meta has announced it will appeal the ruling and seek a stay of the orders through the courts, but when this inevitably ends up back at the Court of Justice of the EU (‘CJEU’), what will this decision ultimately mean for Meta, as well as for other companies in a similar position?
The lead up to this decision
The odyssey – or battle – has been ten years in the making. Edward Snowden blew the whistle in 2013 on how US tech giants give US government access to their user data, fuelling the US National Security Agency’s mass surveillance machine.
Then, in 2015, EU citizen Max Schrems challenged the transfer of his data to the US by Meta (then known as Facebook), incorporated in Ireland. This case, known as Schrems I, led to the invalidation of the US-EU Safe Harbour Framework by the CJEU.
In 2020, a second challenge came in Schrems II, which resulted in the invalidation of the EU-US Privacy Shield by the CJEU over doubts regarding the necessity, proportionality and redress associated with US government surveillance authorities. A third arrangement – the EU-US Data Privacy Framework – is still being negotiated and still awaits adequacy approval from the EU.
Ever since Schrems II, Meta has been relying on the 2021 EU SCCs and supplementary measures to govern its US data transfers. IDPC did deliver a draft decision on Meta in August 2022, although this required amendment following objections from EU DPAs. This leads us to the present day, where IDPC has now delivered its final decision on Meta’s use of SCCs and additional safeguards for transferring EU and EEA subjects’ data to the US.
The three orders
The final decision contains three orders that bind Meta: a stop transfer order, a compliance order and a fine order. The decision was a collective one, as all EU/EEA DPAs were involved as ‘concerned supervisory authorities’, pursuant to Article 60 GDPR. While the stop transfer order stems from IDPC’s own investigation and original draft decision from August of last year, the compliance and fine orders result from other DPAs’ objections and the EDPB’s recent decision on how to resolve them. Ultimately, the take-home conclusion is that EU DPAs do not believe Meta’s use of SCCs and additional safeguards can fill the legal void left by Schrems II. So what can this mean for Meta, as well as for other companies on the sidelines?
i) The stop transfer order
Firstly, Meta has been ordered to suspend all personal data transfers to the US within five months of the date that it was notified of the decision (May 12th), translating into a deadline of October 12th. In addition to reinforcing the point that US law does not provide a level of protection that is essentially equivalent to that provided by EU law, the stop transfer order demonstrates the complete rejection of the idea that the 2021 SCCs can compensate for the inadequate protection provided by US law.
The stop transfer order also makes it clear that the additional supplementary safeguards used by Meta to complement the 2021 SCCs do not compensate for the inadequate protection of US law. This is ultimately because none of them would constitute an effective protection in response to a valid request from the US government to access users’ data. Such supplementary measures include the encryption of data in transit and the transparent reporting of requests from US government authorities to access the personal information of European Facebook users.
Moreover, the stop transfer order clarifies that Meta cannot rely on the derogations provided for in Article 49 GDPR when making its data transfers.
Meta’s intention to ‘appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts’ merely kicks the can down the road, as ultimately all matters end up at the CJEU if they concern the interpretation of Union law. Essentially, Meta can run but it cannot hide from the crux of IDPC’s decision.
While there have been rumours that a stop transfer order would force Meta to stop providing its services in the EU, this does not seem likely at all. Meta has shared that 10% of its global ad revenue comes from the EU. Additionally, the tech giant has already built local data centres in the EU. Instead, Max Schrems believes that one potential option for Meta moving forward could be a ‘federated social network’, where ‘data of European users stays in the data centres in Europe, unless, for example, the user chats with a US friend’.
While other companies do not find themselves bound by this stop transfer order or the timeframe attached to it, the potential impacts are impossible to ignore. Indeed, IDPC ends its decision explaining that its analysis ‘exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme [a key provision allowing for US surveillance] may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA’.
ii) The compliance order
Secondly, Meta has been ordered to ‘bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR’. The deadline to do so is within six months of the date Meta was shown the final decision, translating into a deadline of November 12th. This is the most open-ended of all of the orders, as the decision does not instruct Meta on how to carry this out. Yet we can turn to the suggestions of DPAs in Germany and France for Meta to delete the data. So how might Meta, or indeed any other company, carry this out? Deletion is arguably at the more difficult end of the scale of methods, with perhaps anonymisation and encryption representing potentially easier alternatives. Indeed, the EDPB recommends these measures as ensuring compliance with the EU level of protection of personal data. Regardless, Meta does not intend to think about this yet.
iii) The fine
Finally, Meta has been ordered to pay a fine of EUR 1.2 billion. This comes after DPAs in France, Austria, Germany and Spain objected to the lack of a fine in IDPC’s original draft decision in August, and the EDPB ordered the authority to issue a fine within the range of 20%-100% of the GDPR’s maximum. Ultimately, however, the final amount of the fine was left to IDPC’s own discretion. Considering the maximum fine under the GDPR is more than 4 billion, IDPC was comparatively kind to the tech giant, although the fine still stands as a staggering penalty for the company. Interestingly, this is the first fine issued for unlawful transfers under the GDPR, and funnily enough, it is not the toughest part of IDPC’s decision. While Meta seeks to appeal this fine, it still sets a precedent for the amounts of fines companies in similar positions might have to brace for in the future.
IDPC’s decision mandating Meta to stop, comply and pay is one that will be strategically kicked down the road by Meta for a while, by means of appeals and stays of orders, all in the hope that adequacy approval is reached just in time for the EU-US Data Privacy Framework. And while this deal is expected to be fully functional by the summer, it is not unlikely that the EU-US Data Privacy Framework, if approved, could go on to be invalidated by the CJEU, just as the two previous deals were. The bigger picture here is that time is running out for Meta and any other company that transfers EU subjects’ data to the US, and, most importantly, companies in similar positions can no longer sit back on the sidelines and watch.