On 22nd May 2023, two decisions relating to Facebook’s transfers of user data to the US were published: the European Data Protection Board binding decision of 13 April 2023 (“EDPB decision”) and the associated decision of the Irish Data Protection Commission (“DPC decision”) dated 12th May 2023.
The DPC decision:
Facebook had taken significant steps to comply with EU law. It had “standard contractual clauses” in place between its Irish and US entities, and when new standard contractual clauses were adopted by the Commission it put the new clauses in place. It had also carried out a transfer impact assessment relating to its transfers and had put in place additional organisational, technical and legal measures to protect transferred personal data. The DPC concluded that these measures were not enough and that the transfers of EU user data were in breach of GDPR, leading to the orders above.
Meta Ireland has already stated that it intends to appeal.
In the DPC’s view, the objective of the enforcement was to ensure compliance, and an order suspending data transfers would achieve this. The DPC acknowledged that the case involved a series of complex issues, linked to litigation at the highest level, and that Meta had attempted to work through the issues in good faith. On this basis, the DPC’s preference had been not to impose a fine, on the basis that a fine would not be appropriate, necessary or proportionate [DPC 9.48]. Meta in turn argued that to fine it, when others were not being fined, would breach the principles of equal treatment/non-discrimination and of legal certainty [EDPB 179].
The Austrian, French, German and Spanish authorities objected to this. The EDPB upheld their arguments, noting in particular that the likelihood of a fine being imposed is important, so that those who are in breach will fear the imposition of a fine [EDPB 149], and that not fining would send a message that past infringements will not be addressed and would encourage others to infringe [EDPB 155 & 156].
The EDPB also listed detailed factors to be considered when setting the amount of the fine. It considered that this amounted to a serious breach, relating to very large numbers of data subjects and large quantities of data, including sensitive and highly personal data. It discounted Meta’s argument that the number of individuals whose data would actually be released to US public authorities would be extremely limited and instead took the view that the correct question was the number of data subjects whose data could, in theory, be affected [EDPB 91, 94, 95]. The EDPB accepted that Meta did not wilfully breach EU law, as it had taken steps to comply; however, it concluded that Meta had been negligent [EDPB 109 – 112]. The EDPB also concluded that, since Meta had argued that it could not provide the Facebook service without transferring data, and since Meta had made large profits, Meta had profited by continuing to transfer personal data to the US.
On quantum, the EDPB referred to its own guidelines on administrative fines. It concluded that this was a serious breach, such that the starting point for the DPC should be a fine of between 20 – 100% of the maximum permissible. Given the EDPB’s comments on the level of responsibility and on financial gain, the DPC concluded that it needed to set the fine at the mid-point of this range (at a level of between €1.2 – €1.5 billion). The DPC then gave Meta a small reduction for mitigating measures taken in relation to enhanced transparency [DPC 9.75 – 9.76].
The DPC determined to issue an order requiring Facebook to suspend data transfers. As noted above, this would become effective 12 weeks after the time for appeal had ended.
The German and French authorities objected to this, on the basis that it did not address concerns over data already transferred to the US. The DPC had consciously not addressed this, reasoning that requiring Facebook to delete data that had already been transferred would cause significant prejudice to users and to businesses; instead, the DPC had suggested that concerned individuals could request erasure of their data [EDPB 208].
The EDPB accepted the objections of the French and German authorities. However, the precise measures to be adopted by the DPC were not specified; instead, the DPC was instructed to order Facebook to “bring its processing into compliance” [EDPB 243]. As the DPC decision notes, this could be achieved by new developments, including a new adequacy decision relating to the US. [The EU Commission has stated that a decision is expected this Summer.] Such a decision would, therefore, overtake these elements of the EDPB’s and DPC’s decisions, although it would not affect the penalty.
The DPC decision contains lengthy discussion of US law. The majority of this restates comments in the Schrems II decision. The DPC notes that Schrems II talks about the need to look at the “law and practice” of the importing country. While the main focus has to be on the legal system of the importing country, the DPC noted that “practice” could still be relevant [DPC 7.125 & 7.126]. In particular, the DPC underlined that the EDPB Recommendations (edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf (europa.eu)) take account of this and that a paragraph on this point was deliberately inserted in the Recommendations, permitting transfers if you “are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data”. The DPC noted that Facebook was not able to show this. However, this may be of help to other organisations that can show this.
GDPR also allows transfers of personal data to take place if one of a number of derogations applies, such as where the transfer is necessary for a contract, or where the data subject has given explicit consent. On these, the DPC reiterated guidance and case law noting that exceptions must remain exceptions [DPC 8.13]. The DPC also noted that Schrems I had concluded that measures which do not respect the “essence of the right” must be invalid and that laws giving individuals no remedies would fail this test. The DPC concluded that, in light of the findings in Schrems II, US law must be considered to fail in this regard, meaning that derogations, such as contractual necessity, which would permit data transfers to the US must be invalid [DPC 8.55]. This is a far-reaching and troubling finding and would mean that, for example, transfers necessary for legal claims, or transfers necessary to protect the vital interests of the data subject (e.g. for life-saving medical treatment), could not go ahead. The DPC also noted that, irrespective of the DPC’s findings on this point, the derogation for contractual necessity could not be used for transfers which are systematic, bulk or repetitive [DPC 8.57].
The DPC did note that explicit consent could be used to legitimise transfers. However, the consent would need to be informed, meaning that the risks posed by transfers to the US would need to be explained in detail, and specific, meaning that, in the DPC’s view, one consent could not be given to all future transfers [DPC 8.99]. Explicit consent may therefore be an option for specific situations, but may be difficult to deploy for extensive arrangements.
The decision illustrates the continued uncertainty and sensitivity surrounding global transfers. The EU and US have made significant progress negotiating a new Trans-Atlantic Data Privacy Framework (see Trans-Atlantic_Data_Privacy_Framework.pdf) which, if approved by the EU Commission, will alleviate the situation vis-a-vis transfers from the EU to the US. While the precise timing for approval is unclear, the Framework is expected to be approved in the coming months. It therefore seems likely that the new Framework will be approved before the orders relating to Facebook take effect, especially if the Irish court hearing Facebook’s appeal grants Facebook a stay of the order while the appeal is heard.
Organisations transferring personal data to the US will wonder if they could be at risk of a fine for transfers prior to the adoption of the new Framework. There are some helpful factors for companies here. First, organisations should note that the DPC decision makes a point of emphasising that its decision does not exclude a risk-based approach. Although the DPC concluded that Facebook could not rely on this, other organisations may be able to show that they can. Second, organisations should note that the majority of supervisory authorities did not object to the DPC’s original draft order, which concluded that a fine would not be appropriate. The supervisory authorities who objected were those in Austria, France, Germany and Spain. The objecting authorities noted that fines are important not just to punish the entity being fined for its own behaviour, but to have a dissuasive effect on others. Facebook has called out, in its statement on the fine, that it is being scapegoated for an issue that affects almost all businesses (Our Response to the Decision on Facebook’s EU-US Data Transfers | Meta (fb.com)). This seems to have significant force.