This action by the Irish Data Protection Commission (“IDPC”) concerns transfers of personal data by Meta Platforms Ireland Limited (“Meta Ireland”) to Meta Platforms, Inc. (“Meta US”) in the US in connection with the delivery of the Facebook service.
The IDPC found that Meta Ireland’s transfers of personal data from the EU/EEA to Meta US breach the GDPR rules on international data transfers and:
- Ordered Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the IDPC’s decision to Meta Ireland;
- Fined Meta Ireland €1.2 billion; and
- Ordered Meta Ireland to cease unlawfully processing (including storing) EU/EEA users’ personal data transferred in breach of the GDPR within 6 months following the date of notification of the IDPC’s decision to Meta Ireland. (See the IDPC press release on the action and the full IDPC Decision for further detail.)
Meta Ireland has confirmed that it will appeal the ruling. (See Meta’s response to the IDPC decision.)
How did Meta Ireland breach the GDPR?
The short answer is that the ‘supplementary measures’ Meta implemented to fill the gaps in protection under the Standard Contractual Clauses (“SCCs”) between Meta Ireland and Meta US weren’t sufficient to compensate for the US Government’s ability to obtain EU/EEA Facebook users’ personal data from Meta US under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).
The long answer is that this action is part of a long-running EU-US data transfer saga, the subject of a succession of legal proceedings and political wranglings which started in October 2015 with the invalidation of the ‘Safe Harbor’ data transfer framework, and that it is the first major enforcement action based on the sufficiency of supplementary measures.
What does this mean for your business?
The headline is that the IDPC’s decision only binds Meta – it doesn’t stop transfers to the US generally or mean that all transfers to the US are deemed unlawful.
However, it’s possible that data protection regulators may step up their enquiries into transfers to the US based on SCCs in the wake of this decision. So, if your business:
- Is based in the UK, EU or EEA;
- Transfers personal data to the US – for example by using US-based cloud or SaaS service providers or sharing data with a US-based group company; and
- Uses the SCCs as the basis for transferring the data,
now would be a good time to carry out a “transfer impact assessment/TIA” (using the EU terminology) or “transfer risk assessment/TRA” (using the ICO terminology) in respect of those transfers, or to review any existing assessments. Look in particular at the supplementary measures the US company implements, to ensure that those measures are sufficient to address the problem of US government access under FISA.
Also, it is hoped that the EU-U.S. Data Privacy Framework, a data transfer framework that has been agreed in principle between the EU Commission and US government, will be formally adopted this summer, providing participating US companies and their customers and group companies with an alternative transfer mechanism to the SCCs.
Once this framework is in place, it won’t be necessary to carry out TIAs/TRAs or use SCCs in respect of transfers of personal data subject to the EU GDPR to participating US companies – at least unless or until the framework is legally challenged and declared invalid as happened with its predecessors Privacy Shield and Safe Harbor. (See the EU Commission Q&A on the framework for further detail.)
Help may also be at hand for UK businesses in the form of the UK-US Data Bridge, which the US and UK governments have ‘committed in principle to establish’ as a ‘UK Extension to the EU-US Data Privacy Framework’. If/when established, this will allow a free flow of personal data between organisations in the UK and participating organisations in the US, without the need for SCCs or TIAs/TRAs. However, the information is currently a bit light on detail, with an aim to finalise the data bridge in 2023 but no concrete date set for it. (See the joint statement on the UK-US Data Bridge for further detail.)
How can we help?
Please get in contact with us if you’re unsure whether this recent action against Meta highlights a compliance risk for your business regarding transfers of personal data to the US.
We can help you:
- Understand whether and how your business transfers personal data to the US.
- Work out whether those transfers comply with the GDPR rules on international data transfers.
- Take steps to ensure your business acts within those rules.
For more on international transfers please take a look at our infographic.