On May 22 the Irish Data Protection Commission (DPC), Ireland’s data privacy watchdog, released its conclusion and enforcement decision against Meta regarding Facebook’s export of personal data from Europe to the US in the period since July 2020, when the Privacy Shield framework fell. The ruling includes a record $1.2 billion fine against Meta and an order directing Meta to suspend data transfers to the US within five months and to stop other unlawful processing of that data.

Meta has stated that it takes exception to the DPC decision, which it says reflects a fundamental legal conflict between the US government’s data access rules and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own.

Meta will appeal the decision and seek a stay of the orders pending its appeal.

Background

The DPC decision reflects the fundamental uncertainties surrounding international data transfers from Europe following the Court of Justice of the European Union (CJEU) 2020 Schrems II decision invalidating the US-EU Privacy Shield Framework. Beyond invalidating the Privacy Shield, the Schrems II decision also cast doubt on the validity of relying on standard contractual clauses (SCCs) as a transfer mechanism, with the CJEU highlighting its ongoing concerns about the US government’s access to private sector data, including the data of EU individuals that is subject to the European Union’s General Data Protection Regulation (GDPR).

Following Schrems II, Meta, like most companies, adopted the updated SCCs and also introduced a number of additional safeguards. What neither Meta nor any other company could do, however, was provide review (i.e., administrative or judicial review) of complaints by EU individuals that their data was or may have been accessed by the US government under section 702 of the Foreign Intelligence Surveillance Act (FISA). The Irish DPC’s decision follows almost a year of negotiations between the Irish DPC and the European Data Protection Board (EDPB), which played a key role through the cooperation and consultation process that underpins Ireland’s position as lead supervisory authority for Meta. The EDPB held that the Irish draft decision did not go far enough and, because the data exports in question were systematic, repeated, continuous and massive in volume (over 300 million European Facebook users), essentially directed the Irish DPC to issue a fine against Meta.

In March 2022, President Biden and European Commission President Von der Leyen announced that they had reached an agreement on the principles of a new framework to enable the free flow of transatlantic data, known as the Data Privacy Framework (DPF). Policymakers have pledged to finalize the framework as soon as possible, and the Irish DPC’s ruling says the suspension orders can be lifted once the DPF is approved.

Practical implications of the DPC Meta Decision

Although not unexpected, the decision is significant in a number of ways and deserves close attention from any company that accesses or transfers personal data from Europe.

First, the DPC investigation produced several key findings that are potentially applicable to other Internet platform companies and to other companies subject to US foreign intelligence surveillance access laws:

(1) The US does not guarantee the same level of protection as the EU with respect to personal data; that is, there is no substantial equivalence.
(2) The standard contractual clauses used by Meta to lawfully export data to the US were not sufficient to compensate for that failure.
(3) There were no additional measures sufficient to compensate for the above two factors.

Perhaps the most troubling aspect of the decision is that the standard contractual clauses (plus the many supplementary measures implemented by Meta) were found to be neither a sufficient basis for the transfers nor a shield against liability. The DPC’s refusal to credit Meta’s supplementary measures, in particular, calls into question whether compliance with the GDPR’s international data transfer regime is achievable at all, given that a company of Meta’s scale and resources could not achieve it. This goes to the core of the underlying conflict noted by Meta in its press release.

In other words, the DPC’s decision appears to undermine the ability of businesses transferring personal data from the EU to the US to rely on the SCCs and any supporting transfer impact assessments (TIAs) as a sufficient safeguard for lawful transfer and processing of that data in the US in accordance with Article 46 of the GDPR. The decision suggests that the validity of SCCs and related safeguards will come under increased scrutiny, potentially including by other Supervisory Authorities.

What can your organization do? Drill into your TIAs.

At the end of the day, Meta’s data transfers were of a scale and volume unique to that organization. Additionally, the personal data transferred by Meta was found to be within the scope of FISA Section 702 surveillance, which distinguishes those transfers from ordinary business operations such as the transfer of employee data to support remote EU operations.

Helpfully, the DPC decision expressly stated that the EDPB’s Supplementary Measures Recommendations do not preclude a so-called risk-based approach for most organizations (although the decision found that the risk-based approach adopted by Meta did not offset exposure to the laws of US surveillance).

However, as part of an organization’s transfer impact assessment, particular attention should be paid to determining whether the transferred personal data is likely to be subject to FISA Section 702 and the degree to which surveillance under FISA Section 702 is likely to be carried out (or not). Organizations with a high degree of confidence that their data transfers are not subject to Section 702 may consider their transfers low risk and should be able to continue to rely on the SCCs and additional measures for those transfers.

Until the DPF is formally approved, which is expected later this summer, high-risk data transfers should be subject to additional scrutiny, including additional measures and safeguards.

