Without doubt, the publication on Monday of the Irish Data Protection Commission’s (DPC) decision on Meta Ireland’s (formerly Facebook) international data transfers is hugely consequential. Although the amount of the fine (1.2 billion Euros) is headline-grabbing, the ruling also included an order requiring Meta to suspend future transfers and to bring its processing operations into compliance by ceasing unlawful processing of EU/EEA user data. While on the face of it Monday’s decision is only binding on Meta, the ruling has implications beyond Meta and beyond transfers of data to the US.
Below, a number of members of our European team provide their initial thoughts on the implications of the decision.
Giving the German perspective, Paul Voigt writes:
The German regulators have been a key driver in arguing for amendments to the initial decision of the Irish DPC. They have also been pushing strongly for a very high fine on Meta. According to the German authorities, it would have set a bad precedent if Meta had not been fined: this is because Meta knew about the issues relating to their data transfers to the US but chose to continue with them. German regulators were critical of Meta’s position since, rather than taking action, Meta preferred to wait until the upcoming Data Privacy Framework (DPF) between the EU and the US (which will permit cross-border data transfers from the EU to the US in future) has been passed. Besides the fine, the German regulators also advocated for an obligation on Meta to delete data that had already been unlawfully transferred to the US. The obligation to delete data may continue to be an issue for Meta even after the Data Privacy Framework is law and an available data transfer solution for EEA-US data transfers.
This means that, while the German regulators have not themselves actively enforced the Schrems II requirements, and no relevant fines for such non-compliance have been issued by German regulators so far, the issue of cross-border data transfers remains a key priority for the German data protection regulators.
Teresa Pereyra from ECIJA writes from the Spanish perspective:
At the time of writing, the Spanish DPA (Agencia Española de Protección de Datos) has not issued any pronouncement or opinion on the DPC’s decision on Meta, nor is it expected to do so (beyond a press release or similar announcing the publication of the decision) in the near future. In fact, the Spanish DPA has so far not issued any opinion, decision or assessment of the Schrems II ruling. However, it should be noted that the Spanish DPA is the most active supervisory authority in the European Union (issuing 40.2% of the total sanctions imposed in 2022 in the European Economic Area), even though it would be unlikely to issue sanctions as significant as the one imposed on Meta. Significantly, the Spanish DPA was the first authority to sanction Facebook in Europe, although it has not assessed or sanctioned Facebook’s international data transfers in its latest resolutions.
Even though the Spanish DPA has not so far initiated regulatory action concerning the legality of international data transfers, this does not mean it will not sanction entities in this area of compliance in the future. In our experience and from observing the sanctioning practice of the Spanish DPA, we consider that, when taking its decisions, the DPA focuses especially on the due diligence practices of the entities being investigated. Our recommendation is therefore for businesses to focus on maintaining measures to demonstrate compliance with the principle of accountability under GDPR and to keep associated records.
Marc Schuler writes from France:
Within the framework of the dispute submitted to the EDPB, the French DPA (Commission Nationale de l’Informatique et des Libertés) strongly objected to the draft decision issued by the Irish DPC. It advocated for an administrative fine to be imposed on Meta in addition to the suspension of data transfers, considering that such a fine should have punitive effects and act as an incentive for compliance for other controllers transferring personal data under similar conditions. The French DPA further insisted on the fact that the infringement was a particularly serious breach in view of the impact of Meta’s practices on the privacy of data subjects, exposing a massive volume of personal data to US Government surveillance programs, and also that such an infringement should be considered as deliberate.
The French DPA has demonstrated in past decisions its capacity to impose heavy fines and orders in cases of GDPR infringement. It has also issued cease and desist notifications to website publishers in relation to the use of Google Analytics to the extent it resulted in the transfer of personal data to the United States without proper safeguards. Although data transfers are not one of the announced priority topics for the French DPA in 2023, any data transfer outside the EU should be carefully assessed for compliance to remain on the safe side.
Giving the Dutch perspective, Otto Sleeking writes:
As the Irish DPC’s decision to fine Meta was based on the EDPB’s binding dispute resolution decision of 13 April 2023, it holds relevance for all EU Member States. Having said that, it is hard to imagine the Dutch DPA (Autoriteit Persoonsgegevens) handing out fines like these in the near future. For one, the Dutch DPA typically does not hand out fines quickly, and when fines are applied they are usually quite low in comparison to fines in other EU Member States (particularly France and Germany). We therefore do not expect that this ‘superfine’ will immediately trigger a different approach for The Netherlands. In addition, the Dutch DPA has not been very vocal on the subject of international data transfers since the Schrems II decision, and has not yet made a decision on the use of Google Analytics, for instance. Also, a suspension of data transfers seems unlikely, although this does seem like a logical consequence of not complying with the law on data transfers.
We expect that, irrespective of the Irish DPC’s decision, the Dutch DPA will continue to assess data transfers on a case-by-case basis. Companies should therefore still be able to transfer data outside of the EU, as long as they follow all the necessary steps such as applying transfer risk assessments, and using appropriate safeguards in addition to the appropriate SCCs where needed.
Victoria Hordern writes from the UK:
It is unlikely that the UK will take the same approach as the DPC in dealing with international data transfers. Since the UK is no longer a member of the EU, the DPC’s decision does not bind the UK regulator, the Information Commissioner’s Office (ICO). We know that the ICO has yet to take regulatory enforcement action against a business for failure to comply with the rules on international data transfers. The mood music from ICO guidance and the direction of the UK Government’s reform of data protection law also suggest that the regulator will not prioritise investigations or enforcement in the area of international data transfers unless significant harm exists. In other words, technical non-compliance with the rules (absent any evident harm) is unlikely in and of itself to attract the scrutiny of the ICO. Therefore, although UK businesses transferring data to the US should still follow the law in putting in place appropriate safeguards (like a recognised contractual transfer mechanism) and carry out transfer risk assessments, it is unlikely that any equivalent complaint made to the ICO about transfers to the US would result in such detailed scrutiny and enforcement.
So what does this mean?
This decision has been a long time coming although the final ruling was not unexpected given the EDPB’s position, the Schrems II decision from the Court of Justice of the EU and the current state of US law. This regulatory action catapults international data transfers to the top of the list for EU data protection authorities and makes compliance more of a minefield.
It’s important to remember that this ruling does not in itself ban data transfers to the US. But it does signal that there are multiple challenges for (i) a transfer of data to the US where the recipient is an electronic communications service provider under s. 702 FISA, or (ii) a data transfer to any other non-EEA and non-adequate country with equivalent law or practice.
Yet, as the survey of a number of experts from European countries above demonstrates, the DPC decision is unlikely to lead to a rash of equivalent enforcement actions breaking out across Europe. The decision confirms that European businesses transferring personal data to the US can still rely on the EU Standard Contractual Clauses providing they carry out transfer impact assessments and, where required, implement appropriate supplementary measures. In doing so, they will want to distinguish their circumstances as far as possible from Meta’s. In time, data transfers from the EU to the US should become smoother once the Data Privacy Framework is available although the DPF itself is, of course, open to challenge.
Taylor Wessing’s team of data protection experts are available to assist with any questions.