Today, the Irish Data Protection Commission (Irish DPC) has made public its long-awaited decision on Meta’s EU-US data transfers for its Facebook service. The decision follows the landmark Schrems II CJEU case (which we discussed in this blog at the time) and focuses on Meta’s data transfers to the US following that case.
We do not yet have the full decision from the Irish DPC or from the EDPB, which issued a ‘binding decision’ on the enforcement action that the Irish DPC was compelled to follow (after some of the other concerned EU data protection authorities failed to reach an agreement on the terms of the decision with the Irish DPC). However, from the Irish DPC’s press statement, the enforcement against Meta has three prongs:
1. Meta has been ordered to suspend any future transfer of personal data to the US. It has been given a five-month ‘grace period’ to comply (starting from 12 May, the date of notification of the Irish DPC’s decision to Meta);
2. Meta has received an administrative fine of €1.2 billion (reflecting the EDPB’s determination that a fine should be imposed); and
3. Meta has been ordered to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, and has been given a six-month ‘grace period’ to do so.
Importantly for business, the Irish DPC’s decision holds that Meta infringed GDPR Article 46(1) (the rules requiring appropriate safeguards for international data transfers in the absence of an adequacy decision) by continuing to transfer personal data to the US following the Schrems II judgement. Even though Meta used the latest 2021 EU SCCs for the transfers and put in place additional supplementary measures, “the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment”. This is despite the EU having updated the SCCs in 2021 in part to take into account the Schrems II judgement (see the EU Commission’s 2021 press release accompanying the 2021 EU SCCs).
Meta has confirmed that it is appealing against the Irish DPC’s decision and has applied to the Irish High Court to stay the decision, which would pause the implementation deadlines above, likely in the hope that the new EU-US Data Privacy Framework (DPF) (discussed in our blog here) will be finalised and in place to facilitate the Facebook transfers before this judgement actually takes effect.
The DPF may solve the problem for Meta but it is currently less clear what the prognosis will be for organisations that need to make EU-US transfers outside the scope of the DPF (which will only apply to organisations certified under the arrangement, as discussed in this blog) using the 2021 EU SCCs. Much will depend on the detail of the Irish DPC and EDPB decisions that we don’t have yet and, as such, organisations making EU-US transfers are advised to keep a close watching brief on developments - as should the many UK organisations who have continued to align their UK transfers with the EU approach. Further updates from us to follow.
Update: Since the time of writing, the Irish DPC’s decision and the EDPB’s binding decision have been published. We will be reading and analysing their full impact over the coming days.