Closing in on the fifth anniversary of the entry into force of the EU General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) announced on 22 May 2023 that it had fined Meta EUR 1.2b (USD 1.3b), the highest GDPR fine levied since 2018.
Further to the DPC decision (Decision), and in addition to the record fine, Meta will need to:
- suspend any future transfers of personal data to the United States within five months from the date of notification of the decision to Meta Ireland;
- ensure the compliance of its data processing operations by ceasing the unlawful processing, including storage, in the United States of personal data of its users in the European Economic Area, transferred without sufficient safeguards, within six months from the date of notification of the DPC’s decision to Meta Ireland.
The core of the grievances relates to a decade-long (and ongoing) crusade initiated by data activist Maximilian Schrems and his data protection association, None of Your Business (noyb). The crusade started in 2013, with a first step resulting in the resounding invalidation of the Safe Harbor framework, which allowed personal data to be freely transferred from the European Union to the United States, in the 2015 Schrems I case (see our Alert). It was subsequently followed by a similar action against Safe Harbor’s successor, the Privacy Shield Framework, leading to the same result in the Schrems II case (see our Alerts here, here and here).
As the European Commission is assessing a potential successor to the Safe Harbor and the Privacy Shield, all eyes turned to the DPC and its analysis of Meta’s internal framework for the transfer of personal data from its European users to its headquarters and service providers in the US.
In the absence of a catch-all framework such as the Safe Harbor or the Privacy Shield, Meta instead relied on a specific contractual framework, the Standard Contractual Clauses (SCC) published by the EU Commission. This framework, which pre-dates GDPR, has recently been revised further to Schrems II (see above and our Alert – the deadline to transition to the revised SCC was set to 27 December 2022).
These new SCC generally addressed the concerns raised under Schrems II, pertaining to potential access to personal data transferred to the U.S. by U.S. intelligence agencies, in a way that would not allow the same level of data protection as the one which must be guaranteed end-to-end under GDPR.
The key takeaways from the decision:
- Additional Technical and Organisational Measures (TOMs) may not reach the standards expected under GDPR – Further to Schrems II, TOMs have become the cornerstone for international data transfers under GDPR. Companies, whether they are exporting personal data outside of the EEA or importing them from the EEA, must detail all facets of the measures they are implementing to safeguard the confidentiality, integrity and availability of personal data at all times. Such TOMs must be tailored to the risks presented in the importing jurisdiction, especially by surveillance agencies. In that regard, it has become customary for exporting companies to document any transfer with a Transfer Impact Assessment (TIA). The greater the risk of compelled production under the importer’s applicable law, the more thorough the TOMs must be. In its decision, the DPC reviewed both Meta’s TIA and TOMs, only to conclude they did not provide “essential equivalence” with GDPR and were insufficient, considering that “Ultimately, if the US Government makes a request which falls within the scope of Section 702 FISA, Meta US is required to disclose its users’ personal data.” (Decision, Section 7.193, p. 98). The insufficient TOMs notably included:
- Technical Measures: a comprehensive Information Security Program, industry standard encryption algorithms and protocols (such as TLS and AES), shared infrastructure between Meta U.S. and Meta Ireland, asset management controls, arrangements for the management of Facebook employee mobile devices, implementation of encryption on all company laptops, deployment of cryptographic protection of passwords and third party security policies, among many other technical measures;
- Organisational Measures: Disclosure Policy, Disproportionate Requests Policy, Notification Policy, Data Access Policy, Law Enforcement Guidelines, bi-annual Facebook Transparency Reports, Data Sharing Policies, and a People Security Policy.
Considering how Meta has been in the eye of the storm for that decade of crusade and the close scrutiny it was under, one may wonder whether any TOMs and TIA could ever be sufficient when it comes to transferring personal data to the US. The only apparent possibilities would be to transfer only anonymized data (which would no longer be subject to GDPR) or, according to the recent EU decision (General Court of the European Union, Case T-557/20, SRB v EDPS, April 26, 2023), to transfer pseudonymized/encrypted data, provided that such encryption is performed prior to the transfer and the importer has no possibility, legally or otherwise, of accessing the encryption key.
- The equivalence of protection of personal data in the importer’s country is held to a performance undertaking standard – Meta considered that its TOMs, in view of their TIA, were sufficient to “address, compensate for or mitigate any inadequacies in the protection afforded by US law and practice” in respect of the considered data transfers (Decision, Section 7.25 et seq., p. 62). For the DPC, the addition of the two highlighted standards to those required under Recital 108 GDPR was not acceptable, as it would necessarily lead to a lesser standard of assessment. It is therefore incumbent upon the data exporters subject to GDPR to compensate for any and all shortcomings of the data importer’s regulatory framework and surveillance practices.
- Derogations for specific situations under Art. 49 GDPR may remain a viable option, albeit a fairly limited one – As a subsidiary defense, Meta considered that, in case the new SCC and their TOMs were to be considered inadequate, it had a backup in its reliance on the few exceptions to the adequacy or appropriate safeguard requirements. Much to the relief of several entities occasionally and legitimately relying on such derogations, the DPC did not invalidate them. However, it reaffirmed the consistent approach of the EEA regulators (see EDPB, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25 May 2018): like all exceptions, the derogations under Art. 49 GDPR must remain sporadic and cannot be relied upon to justify regular and systematic transfers as part of the conduct of business (Decision, Section 8.47 et seq., p. 111). Such sporadic reliance on the derogations effectively minimizes the exposure of data subjects protected under GDPR to surveillance measures, while routine transfers would not.
- Counterbalance to 702 FISA and PRISM is still needed – In the face of all the measures taken by Meta, recognized even by the DPC as “bona fide attempts to mitigate the deficiencies identified in US law,” it still was not enough. Ultimately, this is because those measures still do not provide “essentially equivalent protection” to personal data as that which is available under EU law against U.S. government access via Section 702 FISA DOWNSTREAM (PRISM) requests. The reality remains that a U.S. company cannot fully escape its obligations to the U.S. government, and change will need to come through the government itself. Fortunately, there is hopeful progress in that regard.
- There is still hope for data transfers to the U.S. – In October 2022, U.S. President Biden signed Executive Order 14086, which sets forth additional safeguards for U.S. signals intelligence activities. The safeguards are designed to protect the privacy of individuals and, more specifically, to address the concerns raised by Schrems II. These safeguards include a required determination that an intelligence activity would further an intelligence priority, that any activity is conducted in pursuit of one of twelve legitimate objectives, and that it is done in a manner proportionate to the priority as compared with the risk to privacy rights. EO 14086 sets forth detailed restrictions on intelligence activities as well as mechanisms for checks and balances, including a means for individuals to claim that their personal data has been collected unlawfully. The EU Commission is taking EO 14086 under consideration as part of its analysis of the adequacy of data transfers to the U.S. under the potential new EU-U.S. Data Privacy Framework.
First published on K&L Gates Hub with Whitney McCollum