Meta’s Irish subsidiary has received the largest fine ever issued under the EU General Data Protection Regulation (GDPR): €1.2 billion.
The company has also been ordered to stop transferring Facebook users’ data to its US parent, Meta Platforms Inc., and to delete or return all data transferred to the US since July 2020.
These two orders could be highly problematic for Meta, given its legal status as a US “electronic communications service provider” and the strict implications of the GDPR’s international data transfer rules.
This article will explain where Meta went wrong and consider whether the company can meet the Irish Data Protection Commission (DPC)’s requirements.
What did Meta do wrong?
Meta’s fine relates to the GDPR’s rules on transferring personal data to countries outside of the European Economic Area (EEA) (“international data transfers”).
The Irish DPC found that Meta had violated Article 46 (1) of the GDPR. This provision states that a controller or processor can rely on one of the GDPR’s transfer safeguards “…on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
One such transfer safeguard is “standard contractual clauses” (SCCs)—contractual terms drafted by the European Commission that can be inserted into a contract covering data transfers.
Meta uses SCCs to facilitate transfers between Meta Platforms Ireland and Meta Platforms Inc. in the US.
What’s wrong with SCCs?
Since the Court of Justice of the European Union (CJEU)’s “Schrems II” judgment, organisations must assess the effectiveness of any data transfer safeguard before proceeding with a transfer, considering the law and practice of government entities in the relevant third country.
As a contractual instrument, SCCs do not override national law. Meta could not legally refuse a law enforcement request to provide access to data solely because the company is under a contract that forbids it from doing so.
Because US national security law has been deemed incompatible with EU fundamental rights, any risk of access to personal data by law enforcement must be effectively eliminated before a transfer can proceed.
In some cases, “supplementary measures” such as encryption can effectively safeguard personal data transferred out of the EEA.
However, according to the EDPB’s recommendations on supplementary measures (and several DPA enforcement cases, including against Google Analytics users), encryption is not effective unless the importer of the data cannot access the key.
Meta’s operations require the company to have access to personal data in plain text. This means law enforcement agencies can also access the data, putting EEA data subjects at risk of surveillance.
Was there any other option?
Were Meta to continue transferring personal data from Meta Platforms Ireland to Meta Platforms Inc. (its US parent), there might not have been any option other than SCCs.
While there are other safeguards listed in Article 46, the only other relevant option might have been for Meta to adopt “binding corporate rules” (BCRs).
However, BCRs must be approved by a data protection authority. The process is slow, seldom successfully completed, and like SCCs, BCRs do not solve the fundamental issue—a contract does not override national law.
Article 49 of the GDPR lists a set of derogations which permit a transfer to proceed even where no safeguards are in place, including where the transfer is necessary to perform contractual obligations, the transfer is in the public interest, or the individual has provided explicit consent.
Meta attempted to argue that it could rely on one of the above derogations if SCCs were no longer available. This argument failed.
The Irish DPC stated that the derogations were for exceptional use only and could not justify the large-scale, repetitive transfers in question. The Article 49 derogations would not be suitable for transfer on this scale or of this nature.
What did the Irish DPC order?
After a long period of dispute with fellow regulators on the European Data Protection Board (EDPB) (who directed Ireland to impose tougher sanctions on Meta), the Irish DPC ordered Meta to:
- Suspend its transfers to the US within five months.
- Stop any unlawful processing (“including storage”) of transferred data within six months.
- Pay a €1.2 billion fine.
The €1.2 billion fine is the largest in GDPR history, but it is likely the least problematic of the DPC’s three orders.
Suspending Data Transfers
Suspending data transfers could require Meta to ensure its Irish entity can take full control of all EEA users’ data, and to ensure all such data is stored on servers located within an EEA country.
However, given the far-reaching powers of US intelligence services—which extend to data stored overseas by any US entity that has “possession, custody, or control” of that data—it is not clear whether this solution would satisfy the GDPR’s strict data transfer rules.
On a technical level, Meta would need to find a way to enable EEA users to interact with US users without data being “transferred” to the US. Given the nature of the platform, this could be very difficult.
The issue is further complicated by the fact that businesses administering Facebook pages or selling products on Facebook are considered “joint controllers” that receive personal data from Meta and jointly liable for GDPR compliance.
Stopping storage of data
A similar challenge exists regarding the order on Meta to stop storing data unlawfully transferred to the US.
There are two options for Meta with regard to this order: “return” the data to its Irish subsidiary, or delete it.
If Meta cannot find a way to grant Meta Platforms Ireland exclusive ownership of EEA users’ data, all EEA users’ data transferred to the US since July 2020 will need to be deleted.
A new Data Transfer Framework
The European Commission is in the process of adopting a new way for US companies to legally import personal data from the EEA, known as the EU-US Data Privacy Framework (EU-US DPF).
The EU-US DPF is the third attempt by Brusells and Washington to negotiate a data transfer framework that satisfies both the US government and the CJEU. The previous two such frameworks were invalidated by the CJEU in the Schrems I and Schrems II cases.
If the new framework is adopted before Meta’s five-month compliance deadline arrives, Meta might be relieved of complying with at least some of the DPC’s requirements.
However, given the chequered history of international data transfer agreements between the EU and the US, such relief might only be temporary.