Update 10.7.2023: The legal challenges related to U.S. services will be overcome by a new decision of the European Commission.
There have been legal problems with the use of U.S. cloud computing, SaaS solutions, and social media services. A key challenge has been the transfer of personal data to U.S. companies and the theoretical access to personal data by U.S. intelligence agencies.
On July 10, 2023, the European Commission adopted a new adequacy decision for safe and trusted EU-US data flows (EU-U.S. Data Privacy Framework), which allows for the transfer of personal data to U.S. companies.
The Irish Data Protection Authority (IE DPA) has imposed an administrative fine of €1.2 billion on Facebook parent company Meta for breaching the General Data Protection Regulation (GDPR) after Meta transferred European Facebook users’ data to the US. Technically, the fine was imposed on Meta Platforms Inc.’s Irish subsidiary Meta Platforms Ireland Limited, but as the fine was based on Meta’s total global turnover, it is appropriate to refer to Meta in general for the purposes of this article.
The administrative fine was imposed under Article 84 of the GDPR after the authorities found Meta in breach of Article 44 of the GDPR when transferring Facebook users’ data from Europe to the United States. The fine is the largest administrative sanction imposed by EU authorities for a GDPR violation to date. The severity of the fine was influenced, among other things, by the fact that the authorities considered Meta to have acted intentionally or at least negligently in accordance with Article 83(2)(b) of the GDPR. Other contributing factors included the large amount of personal data transferred, the large number of data subjects and the duration of the infringement.
In addition to the fine, the IE DPA ordered Meta to suspend the transfer of personal data to the US and to bring its EEA personal data processing activities in the US into compliance with the GDPR.
Previous judgments concerning Meta
The Irish Data Protection Authority’s decision is the latest chapter in a saga that began when Austrian activist Maximilian Schrems requested the personal data Facebook held about him and launched legal and regulatory actions against Facebook and others, resulting in two preliminary rulings of the Court of Justice of the EU that bear his name.
The first Schrems judgment (Schrems I), handed down by the Court of Justice of the EU on October 6, 2015, in case C-362/14, annulled the EU Commission’s Safe Harbour decision, under which personal data had been transferred between the US and the EU since 2000. Following the ruling, Safe Harbour was briefly replaced by the so-called Privacy Shield, which was adopted by the European Commission on July 12, 2016. However, this scheme was also discontinued when the Court of Justice of the European Union ruled it invalid as well in the Schrems II judgment of July 16, 2020 (C-311/18).
Recommendations of the European Data Protection Board (EDPB)
Since the Schrems II judgment, those transferring personal data from Europe to the US have not been able to rely on an adequacy decision under Article 45 of the GDPR and have had to use the other transfer mechanisms provided for in Chapter V. However, these transfer mechanisms are not nearly as clear-cut as an adequacy decision. To help in this situation, the European Data Protection Board issued Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which included guidance on the risk assessment to be carried out at the time of the transfer and on supplementary safeguards.
The EDPB Recommendation stated that the data exporter must properly document its risk assessment and the additional measures selected and implemented and make this documentation available to the competent supervisory authority upon request.
The risk assessment under the recommendation is divided into six steps:
- understanding the transfers
- identifying the data transfer instrument to be used
- assessing the effectiveness of the data transfer instrument to be used
- adopting additional measures
- taking procedural steps following the identification of additional measures
- re-evaluating the level of protection at appropriate intervals
Regarding the assessment of the effectiveness of the data transfer instrument, the Board referred to the Schrems II judgment when stating that “the data transfer instrument chosen, which complies with Article 46 of the GDPR, must ensure that the level of protection guaranteed by the GDPR is not compromised in practice by the transfer.” In the Schrems II judgment, the Court of Justice expressly held that, given the state of the law and practice in a third country, the provisions contained in standard data protection clauses cannot always be a sufficient means of ensuring in practice the effective protection of personal data transferred to the third country concerned.
US legislation does not provide an adequate level of protection
In its decision, the IE DPA reiterated the CJEU’s view that US law does not provide the same level of protection as the GDPR for EEA personal data transferred to the US. The most important reason is the broad legal (and extra-legal) powers granted to US intelligence agencies to collect and process personal data of foreign individuals without adequate restrictions and without even informing the data subject of such processing. This does not correspond to the level of data protection provided by the GDPR.
Safeguards implemented by Meta
According to Article 46(1) of the GDPR, a controller or processor may transfer personal data to a third country or an international organisation only if it has provided appropriate safeguards and if enforceable data subject rights and effective legal remedies are available to data subjects.
When transferring personal data of Facebook users between Meta Ireland and Meta US, Meta has, as a general rule, used the standard data protection clauses under Article 46(2)(c) of the GDPR as the data transfer instrument, in addition to the Data Transfer and Processing Agreement between the two companies. Meta has also carried out a Transfers Impact Assessment, which it has also submitted to the EU authorities.
In 2021, Meta implemented a set of measures aimed at providing adequate safeguards for data subjects. These measures are divided into organisational, technical, and legal measures.
The IE DPA commented on the safeguards implemented by Meta, stating that they are not sufficient to compensate for the gap in the protection of personal data left by US legislation. The IE DPA explicitly stated that the rights of EU data subjects are being actively violated, and that Meta has no right to do so.
The decision also addressed the specific-situation derogations invoked by Meta under Article 49 of the GDPR: the IE DPA found that Meta could rely on neither the contractual derogation under Article 49(1)(b) of the GDPR, nor the public interest derogation under Article 49(1)(d) of the GDPR, nor the explicit consent derogation under Article 49(1)(a) of the GDPR.
How will the decision affect the transfer of personal data outside the EU in the future?
The decision reflects the rather strict position of the EU authorities regarding transfers of personal data to third countries. This severity is somewhat understandable when you are dealing with one of the largest companies in the world. However, it is not clear that the same criteria cannot be applied to the transfer of personal data by much smaller companies. The conditions set by the GDPR do not encourage good business, but in fact require that data subjects in a third country can be guaranteed the same safeguards as in the EU. If this cannot be achieved by a company the size of Meta, it is difficult to see how it could be achieved by a much smaller company.
The decision does not explicitly address what safeguards Meta should have put in place to meet the requirements of Article 46(1) GDPR, but it would seem from the European Data Protection Board’s recommendations that only additional technical measures can be sufficient in a situation where the infringement of the data subject’s rights is based on a law or a decision of a public authority. The personal data transferred to the US should therefore be pseudonymized, or at least encrypted with keys that remain outside the reach of the importer, so that US intelligence authorities would not have access to it.
Given the large proportion of cloud services, SaaS solutions, and social media services that come from the US, it is likely that this decision will affect a very large number of companies in Finland and Europe.