Following Meta, what next for international data transfers?

On 22 May 2023, following the adoption of a binding decision by the EDPB, the Irish Data Protection Commissioner ("DPC") concluded its own-volition inquiry against Meta regarding the legality of international data transfers from Meta Ireland to the US.

The DPC concluded that such transfers infringed the GDPR and directed Meta to suspend its transfers to the US within six months of the decision and bring its transfers into compliance with the GDPR. It also issued a fine of €1.2 billion which, whilst undoubtedly extremely significant, is nonetheless at the lower end of the scale of fines the EDPB recommended after the DPC originally decided not to impose a fine at all.

The decision highlights that not even the 2021 SCCs can be relied upon in all circumstances, and it remains unclear what organisations who wish to send personal data to companies in the US are supposed to do.

See our blog post on the decision and its implications here.

Further doubts over proposed EU-US adequacy decision

Following the European Data Protection Board's ("EDPB") opinion expressing doubts over the European Commission's draft EU-US Data Privacy Framework ("DPF") adequacy decision, the European Parliament adopted a resolution on 11 May 2023 which further endorses the EDPB's concerns.

Members of the European Parliament have challenged the DPF for the following reasons:

  • Bulk data collection: The DPF allows US entities to collect data in bulk without being subject to independent prior authorisation in certain circumstances and provides no clear rules on data retention;
  • The Data Protection Review Court: The DPF creates the Data Protection Review Court and empowers it to make decisions in secret, which members of the European Parliament consider would violate EU citizens' rights of access and rectification; and
  • Right to redress: The DPF does not provide data subjects in the EU equivalent rights to redress and access to information as those afforded to US citizens.

Whilst this is not legally binding, it is expected to influence the European Commission's upcoming decision on whether the DPF will be granted adequacy.

For further background information please refer to "Privacy Shield 2.0" For further background information please refer to "Privacy Shield 2.0" here.

CJEU case considers compensation for GDPR infringement

Following a complaint from a data subject that they had suffered harm suffered which was 'insulting' and 'shameful', caused upset, a loss of confidence and unnecessary public exposure, the CJEU has ruled that infringement of the EU GDPR alone, is insufficient for damages. It further ruled that it would be 'superfluous' if a breach on its own was enough to warrant compensation.

In its judgment in the Austrian Post case (available here), the court confirmed that there are three cumulative requirements to the right to compensation contained under the GDPR: (i) an infringement of the legislation; (ii) material or non-material damage to the individual; and (iii) a causal link between limbs (i) and (ii).

However, the court stopped short of imposing a seriousness threshold in relation to non-material damage, and did not consider the issue of 'loss of control' as a non-material damage that conferred a right to compensation.

The judgment therefore appears to be one of two halves, confirming infringement alone is not enough for compensation, but at the same time refusing to impose any threshold of seriousness and stopping short of commenting on the assessment of potential damages, meaning we have to wait and see how each Member State interprets the rules to assess damages in any particular case.

CJEU also considers limits of DSARs

In another CJEU ruling this month, the court considered the extent of an organisation's obligations in response to a DSAR.

The case concerned CRIF, a consulting business that provides third party credit scores. The claimant asked CRIF to provide them with a copy of the documents containing his personal data. CRIF sent a summary table of his personal data rather than the underlying documents. The subject complained to the Austrian Data Protection Authority who found that CRIF had not infringed his access rights but referred certain questions to the European court.

The CJEU ruled that the data subject must be given a faithful and intelligible reproduction of all its personal data. 'Copy' was interpreted to relate to the personal data itself rather than the underlying document. However, a descriptive summary of the data would not suffice. The obligation might be fulfilled by providing an extract of the document, however in some circumstances the entire document may be required.

The CJEU ruling is available here.

When is pseudonymised data considered personal data?

On 26 April 2023, the CJEU ruled on complaints from data subjects that the Single Resolution Board (an EU agency which acts as the resolution authority for a subset of banks in the euro area) shared their pseudonymised data without informing them.

The Single Resolution Board used electronic forms to gather responses from interested parties which the agency then shared with a consulting firm. Each respondent was assigned a code in an attempt to pseudonymise the information.

The CJEU highlighted that it was important to consider the data recipient's perspective and found that transmitted data can be considered anonymised rather than pseudonymised if the data recipient has no additional information which would allow them to re-identify the data subject, or legal means to access such information.

The CJEU ruling is available here.

EU cloud certification: Tiered approach

On 28 April 2023 the European Commission proposed amending the EU Cybersecurity Act to: (i) increase the remit of the European Cloud Services scheme; and (ii) introduce a new subcategory of cybersecurity certification for cloud service providers ("CSPs").

Under the proposal, cybersecurity certification would become mandatory for managed security services, which include essential or important entities belonging to a sector of high criticality under the Networks and Information Security Directive.

The new subcategory of cybersecurity certification would add 'high+' to the established assurance subcategories. To achieve certification of the 'high+' subcategory, CSPs would be required to fulfil sovereignty criteria in order "to provide some guarantees about the [entity's] independence from non-EU law." These criteria include requirements:

  • for entities with effective control over CSPs to be based in the EU;
  • for technical and organisational measures to ensure the primacy of EU law;
  • to conduct all data processing activities in the EU except for some limited circumstances; and
  • to employ specific internal controls to govern employee access to customer data.

Regulationg AI: Spotlight on the USA

Following the release of the US's blueprint for an AI Bill of Rights in October 2022, the White House announced in May 2023 that it plans to dedicate more funding and policy guidance to developing responsible AI. This comes ahead of the long anticipated public evaluation of top AI industry models, including Google, Microsoft, Nvidia and OpenAI, during this year's DefCon.

The Office of Management and Budget also announced that it will publish draft rules this summer which will dictate how the federal government should use AI technology. These actions are part of the US's wider goal to ensure that the private sector fulfils its ethical, moral and legal responsibilities to ensure that their products are safe.

For further information around other international approaches to regulating AI please refer to "Spotlight on AI Regulation" here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.