What should in-house counsel know in the wake of the mega fine of 1.2 billion euros that the Irish Data Protection Commission (DPC) levied against Meta on May 22, 2023 in connection with the company’s transfer of personal information between Europe and the United States? The DPC also ordered Meta Ireland to stop transfers of personal data to the US within five months, and to cease the unlawful processing in the US of personal data of European Union (EU) and European Economic Area (EEA) users that had been transferred in violation of the EU General Data Protection Regulation (GDPR). Meta announced it would appeal the decision. Beyond Meta, the decision highlights the regulatory landmine that businesses face when transferring personal data between Europe and the United States.
The Post-Privacy Shield Limbo
This is not the first enforcement action that Meta faced from the DPC in connection with the company’s processing of personal data. In 2022, the DPC imposed more than 600 million euros in fines on Meta under the GDPR, relating to other data processing issues. The fine announced in May 2023 spotlights the lack of reliable frameworks for companies to transfer personal data between Europe and the United States.
In its 2020 “Schrems II” decision, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, considering that this framework didn’t sufficiently ensure compliance with GDPR. A key concern for the court was US laws allowing public authorities to access and use personal information under surveillance programs. The court considered that the limitations on the protection of personal data arising from such laws were not sufficiently circumscribed.
After Schrems II, a remaining basis for transatlantic transfers of personal data was the Standard Contractual Clauses (SCCs), the set of model contractual clauses issued by the European Commission that are available for inclusion in contracts involving transfers of data from controllers or processors in the EU/EEA to controllers and processors established outside that zone. It is on the basis of such SCCs that Meta was conducting the data transfers that gave rise to the 2023 fine. This leaves businesses in the dark as to which legal basis and operational measures they can rely upon to transfer personal data from the EU to the US.
What to Watch
Following the invalidation of Privacy Shield, discussions have been ongoing between US and EU authorities toward a new Trans-Atlantic Data Privacy Framework that would place new limits on US intelligence authorities’ access to data, establish a redress mechanism including a Data Protection Review Court, and set obligations for companies that process data transferred from the EU. In October 2022, US President Biden issued an Executive Order meant to advance a new EU-US framework by introducing new safeguards and controls over data collection by US intelligence agencies, and a mechanism for individuals to seek redress for their privacy concerns.
The recent fine against Meta highlights the relevance of the current discussions toward a new framework. The issue seems increasingly important, at a time when many businesses routinely process large volumes of personal data. Beyond issues related to surveillance programs and national security, new technology available to businesses to process personal information appears likely to render the issue more controversial, and to influence regulatory trends. Artificial Intelligence and other tools introduce new risks and concerns when it comes to how businesses process personal data.
In the meantime, below are a few steps that in-house counsel should consider taking:
- Review their organization’s practices and agreements regarding the processing and transfer of personal data outside the EU/EEA to countries that have not been recognized as providing “equivalent safeguards” under Article 46 of GDPR;
- Assess the legal basis on which the business transfers personal data from the EU/EEA;
- Review the necessity of transferring personal data from Europe to the US, and the possibility of localizing personal data in Europe; and
- Monitor the evolution of the EU-US discussions toward a new framework, and whether European courts and authorities will view the framework as sufficient (another decision in the line of Schrems II could challenge the sufficiency of the new framework).
- Quick Overview: Meta Faces Record GDPR Fine, by Bartosz Marcinkowski, Partner at Domański Zakrzewski Palinka (May 31, 2023)
- Meta Fined EUR 1.2 Billion for Violating GDPR, by Charlotte H N Perowne, Huw Beverley-Smith and Jeanine E Leahy, Faegre Drinker Biddle & Reath LLP (May 22, 2023) (faegredrinker.com)
- Meta Ireland fined record €1.2bn and ordered to suspend EU-US data transfers, by Debbie Heywood, Taylor Wessing (May 22, 2023) (taylorwessing.com)
- Irish Regulator Fines Meta 1.2 Billion Euros and Orders it to Cease Data Transfers to the U.S., Privacy & Information Security Law Blog (May 22, 2023) (huntonprivacyblog.com)
- Key Takeaways from the Irish DPC and EDPB decisions on Facebook Data Transfers, by Ruth Boardman, Bird & Bird (May 23, 2023) (twobirds.com)
- Meta fined GDPR-record 1.2 billion euros in data transfer case, by Jedidiah Bracy (iapp.org)
- FAQs – EU-U.S. Data Privacy Framework Updates (1-4), Privacy Shield
- EU-US data transfers: key lessons from Meta’s record-breaking GDPR fine, by Samantha Gilbert, Lexology Pro
- Meta’s response to the fine: Our Response to the Decision on Facebook’s EU-US Data Transfers, Meta (fb.com)
This page was published on May 24, 2023 and updated on May 26, 2023.