Meta was fined €1.2 billion on May 22, 2023 by Ireland's Data Protection Commissioner (DPC) for breaching the EU’s General Data Protection Regulation (GDPR). This is the harshest penalty imposed to date under the GDPR.
The case concerns the transfer of personal data from the EU to the US. Specifically, from the perspective of EU law, the US is a “third country” which, by definition, does not protect personal data to the extent required under EU standards.
Transferring personal data to a third country without adequate safeguards carries a penalty of up to 4% of the entity’s total annual worldwide revenue from the preceding financial year. Thus, the maximum penalty facing Meta could have been several times higher than the penalty imposed.
The Irish DPC (which has jurisdiction over Meta's EU headquarters) had proposed a ban on future transfers, but the supervisory authorities in several other EU countries favored a financial penalty. Ultimately, the European Data Protection Board decided that the Irish DPC must (i) impose a penalty in the amount discussed here, and (ii) order that the breach be brought to an end within six months.
The case has wider significance, affecting, among others, global cloud service providers (such as Microsoft, Amazon and Google), all of which usually transfer at least some of their data to the US.
This is not the first case in which Meta's operations (Facebook in particular) have come up against European privacy rules.
Two previous cases – both initiated by the Austrian non-profit organization "NOYB – European Center for Digital Rights" (with Max Schrems as a leading individual) – had dramatic consequences for systemic legal solutions for the transfer of personal data from the EU to the US. The cases led to the termination of the international Safe Harbor (2015) and Privacy Shield (2020) agreements.
At the time, the EU and US were trying to conclude another systemic agreement on transatlantic flows of personal data – the Data Privacy Framework. However, the European Parliament in May 2023 suggested that the US had to make more far-reaching efforts to protect personal data.
One of the most common legal bases for the transfer of personal data from the EU to the US in business relations is an agreement concluded on a model drawn up by the European Commission, the Standard Contractual Clauses (SCCs). However, SCCs cannot be applied blindly; their use requires, in particular, a Transfer Impact Assessment (TIA).
SCCs are used by global cloud service providers. Meta also uses SCCs, so the penalty imposed on Meta is a clear warning to all those using SCCs.
It is legal to transfer personal data from the EU to third countries (such as the US). However, the requirements under EU law must be met.
First and foremost, the legal basis on which data is to be transferred outside the EU must be established and assessed in each case.
In business relations, SCCs will usually be applied. In such cases, an assessment (TIA) must be made of the additional measures that need to be applied to ensure the security of the data outside the EU.
A TIA must be carried out before data is transferred to a third country. It establishes and assesses the type of data to be transferred, the quantities involved, and the purpose of the transfer. A documented and systematically repeated professional TIA makes it possible to identify what kind of measures are required in each case.
These measures can differ in nature and may be:
- purely legal, e.g. in the form of contractual provisions obliging the data recipient in the US to "defend" the data in the event of attempts to access them, e.g. by the US intelligence agencies;
- structural/technical, e.g. by processing data in decentralized structures so that they cannot be accessed in one place outside the EU; and
- IT, e.g. by encrypting or anonymizing data in such a way that, even if the resources transferred to the US are accessed, they cannot be used effectively.
In many cases, the TIA will also establish whether there is a need for certain categories of data to be transferred to a specific third country at all (in accordance with the data minimization principle).
These solutions not only protect data, but also provide a documented defense mechanism in the event of a dispute.
In many cases, despite the case-by-case application of the US CLOUD Act, the solutions described can provide data with an adequate level of security.
However, US and EU businesses are waiting impatiently and anxiously for a systemic political solution to the problem. NOYB is already promising to challenge any solutions without drastic regulatory changes in the US. Notably, there are no deliberations on the NOYB website about the standard of data protection in countries such as Russia and China.
Author: Bartosz Marcinkowski, Partner at Domański Zakrzewski Palinka (Meritas Member Firm)