The decade-long case on Meta’s transfer of EU personal data to the United States ended on May 22, 2023, with a €1.2 billion (US$1.3 billion) GDPR fine against Meta. In addition, the Irish Data Protection Commission (DPC) exercised the following corrective powers against Meta:
- An order, pursuant to Article 58(2)(j) of the GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within five months.
- An order, pursuant to Article 58(2)(d) of the GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within six months.
The fine and corrective orders came after the Irish DPC found that Meta violated the GDPR by failing to protect EU Facebook users’ data from US surveillance practices and spy agencies.
“We are happy to see this decision after ten years of litigation,” said the Austrian privacy activist Max Schrems. “The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”
The US Surveillance Problem
In its decision, the Irish DPC recognized that US intelligence authorities have seemingly unrestricted access to EU data flowing into the US, including data from Meta’s data transfers. This access is based on Section 702 FISA and on Executive Order 12333.
Section 702 FISA permits, following FISC approval, the surveillance of non-US citizens located outside the US in order to obtain “foreign intelligence information.” Executive Order 12333 allows the NSA to access data “in transit” to the US by tapping the underwater cables on the Atlantic floor.
When Meta transferred EU personal information to the US for processing, Section 702 FISA and Executive Order 12333 allowed US intelligence authorities to access that data for broad surveillance activities. This access threatens the fundamental rights and freedoms of EU data subjects.
To protect EU data subjects from this threat, Meta relied on the Standard Contractual Clauses (SCCs), which are intended to provide EU data subjects with a level of protection essentially equivalent to that guaranteed by EU law.
However, as this decision demonstrates, the SCCs fail to provide Meta’s EU users with a level of protection equivalent to that provided by EU law.
The SCCs & the Ongoing EU-US Data Transfer Issues
The Irish DPC’s decision continues the decade-long struggle for the EU and US to establish a valid data transfer mechanism.
In 2000, the US and EU developed the International Safe Harbor Privacy Principles to prevent private organizations within either country from accidentally losing or disclosing personal information. The European Commission decided that these principles complied with the EU Data Protection Directive, thereby allowing the flow of data between countries. However, the European Court of Justice declared in October 2015 that the Safe Harbor decision was invalid.
Subsequently, in 2016, the US and EU developed the EU-US Privacy Shield, a legal framework for regulating and enabling transatlantic exchanges of personal data between the countries. Yet, as with Safe Harbor, the European Court of Justice declared Privacy Shield invalid in July 2020.
This left companies to rely on contractual mechanisms, known as the SCCs, to transfer data between the two jurisdictions without violating the GDPR. However, as the Irish DPC decision demonstrates, even though Meta relied on the SCCs, the SCCs failed to provide the protection necessary to ensure that the transfers safeguarded EU data subjects in accordance with the GDPR.
Leaders within the US and EU announced in 2022 that a new data transfer framework called the Trans-Atlantic Data Privacy Framework (TADPF) had been agreed upon, but it is uncertain whether this framework will survive scrutiny from the European Court of Justice. The TADPF attempts to address the US surveillance problem by, in part, restricting access to EU personal information by US intelligence agencies to that which is “necessary and proportionate to protect national security.” However, prominent privacy activists have expressed skepticism over how US surveillance can be “necessary and proportionate” under EU law.
In the meantime, without an international data transfer framework and with the sufficiency of the SCCs in question, companies will need to be cautious in how and when they transfer EU personal information from the EEA to the US.
Meta to Appeal
In response to the decision, Meta announced that it will appeal the ruling and the “unjustified and unnecessary fine.” However, given the breadth of the decision, it seems unlikely that Meta will win on appeal.
In the meantime, Meta announced that there would be “no immediate disruption” to Facebook in Europe, as the decision provides Meta with an implementation period. If that implementation period runs out and Meta still lacks a valid legal mechanism by which to transfer data from the EEA to the US, then Meta may have to fragment its organization to ensure that EEA personal information largely remains stored in EEA databases.