What happened?

On 12 May 2023, the Irish Data Protection Commission (the "Irish DPC") imposed a record fine of EUR 1.2 billion on Meta Platforms Ireland ("Meta IE") and ordered the latter to take compliance measures as a result of infringements of the GDPR [1]. The Irish DPC, acting on the EDPB's binding dispute resolution decision of 13 April 2023 [2], sanctioned Meta IE for the massive transfers of personal data from the EEA to the United States ("U.S.") carried out in the course of operating its Facebook platform, such transfers being considered to infringe the GDPR.

Beyond the record fine (the highest fine to date under the GDPR), this decision has brought the issue of data transfers from the EEA to the U.S. back into the spotlight.

What are the key takeaways?

Meta IE argued that the transfers of Facebook EU users' personal data to servers located in the U.S. relied upon (i) the EU Standard Contractual Clauses (the "SCCs") adopted by the European Commission and (ii) supplementary measures.

Since the Schrems II ruling of the Court of Justice of the European Union ("CJEU") [3] and the invalidation of the EU-US Privacy Shield Framework, the transfer of personal data from the EEA to the U.S. has become a sensitive issue. Although the CJEU reaffirmed the validity of the SCCs, data exporters remain responsible for assessing whether the legal standards in the country of the data importer allow a level of data protection equivalent to that existing in the EU to be met.

Where those standards are not met, data exporters must either provide additional safeguards ensuring that data subjects receive essentially equivalent protection to EU law or suspend the transfer of personal data.

The Irish DPC first found that U.S. law does not provide an essentially equivalent level of protection to that provided in the EU and that the SCCs relied upon by Meta IE cannot compensate for the inadequate protection.

The Irish DPC then decided that Meta IE failed to implement supplementary measures compensating for the inadequate protection provided by U.S. law (the supplementary measures must not merely "mitigate" the deficiencies in U.S. law). The Irish DPC in particular criticises Meta IE for failing in its duty of care and for acting at least with the highest degree of negligence.

The fine was accompanied by an order requiring Meta IE to suspend any future data transfers to the U.S. within five months from the date of notification of the Irish DPC's decision (i.e. by October 2023) and to cease, within six months of such date of notification (i.e. by November 2023), the unlawful processing, including storage in the U.S., of personal data of EEA users transferred in violation of the GDPR.

What's next?

On 22 May 2023, Meta IE stated on Facebook that it would appeal the decision and underlined that the decision from the Irish DPC "sets a dangerous precedent for the countless other companies transferring data between the EU and US."

It is true that, for the purpose of legal certainty, it is now crucial that transfers of personal data from the EEA to the U.S. rely on a stable transfer mechanism.

As indicated in a previous publication, on 13 December 2022, the European Commission issued a first draft adequacy decision on a potential upcoming EU-US Data Privacy Framework.

On 28 February 2023, the EDPB rendered a mixed opinion on this draft adequacy decision [4]. The EDPB noted the substantial improvements the new EU-US Data Privacy Framework offers compared to the previous legal framework, in particular the introduction of the principles of necessity and proportionality and the individual redress mechanism for EU data subjects. However, the EDPB considers that certain topics, such as "temporary bulk data collection", require further clarification and invites the European Commission to amend the draft adequacy decision based on its Opinion.

Let's hope that the coming months will see the adoption of an amended, solid and durable adequacy decision with respect to the EU-US Data Privacy Framework, so that the transfer of personal data from the EEA to the U.S. is no longer synonymous with risks for data controllers and data subjects!

Indeed, legal certainty in transfers of personal data presupposes that neither the EU-US Data Privacy Framework nor the adequacy decision mentioned above is challenged.

Footnotes

1. GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679).

2. Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR). EDPB stands for European Data Protection Board.

3. Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems ("Schrems II") - Case C-311/18, 16 July 2020.