Meta hit with record €1.2 billion fine for data transfers to the US

The Snowden revelations in 2013 about US intelligence authorities having access to personal data through tech companies, triggered a decade-long battle, spearheaded by privacy activist, Max Schrems, challenging the legality of Facebook's transfer of personal data to the US.  As a result, transatlantic frameworks to facilitate the transfer of personal data to the US, Safe Harbour and then the Privacy Shield, were invalidated by the Court of Justice of the EU (CJEU) in decisions known as Schrems I and Schrems II respectively.  This left many businesses, like Meta, exporting data from the EU to territories that do not have an adequacy decision, seeking to rely instead on the EU's SCCs, undertaking transfer impact assessments (including an assessment as to whether the importing territory offers data subjects essentially equivalent protection to that offered by EU law) and, where necessary, implementing supplementary measures to address the risks identified.   

The DPC's decision now adds to the existing uncertainty and financial risk to businesses taking this approach.

The DPC concluded that:

• US law does not provide a level of protection that is essentially equivalent to that provided by EU law. Meta's data transfers were in breach of Article 46(1) GDPR as they failed to guarantee an essentially equivalent level of protection to data subjects to that offered by EU law.
  
  
• Neither the SCCs (the 2010 "old" SCCs or the 2021 "new" SCCs), nor the supplementary provisions put in place by Meta could compensate for the inadequate protection provided by US law.
  
  
• Meta could not rely on any of the derogations set out in Article 49 (in Meta's case, explicit consent, contractual necessity, or public interest) to justify the transfer.

The DPC has therefore taken the following corrective action:

• Ordered that Meta suspend any future transfer of personal data (within 12 weeks of the end of the appeal periods).
  
  
• Ordered Meta to bring processing operations into compliance, by ceasing processing, including storing, personal data of EEA users in the US transferred in violation of the GDPR (within 6 months of the decision). While there's room for debate about the measures this entails (and whether it goes so far as to require the deletion or bulk return to the EEA of historic data), this wording seems to allow some flexibility and the DPC also contemplated compliance being achieved via new developments (such as a US adequacy decision - see section 4 below).   
  
  
• Imposed a €1.2 billion fine.

The decision is only binding on Meta's Irish entity and the DPC points out that it is not within its power to make an order to suspend or prohibit transfers to the US generally.  However, the message emanating from the EDPB is loud and clear – it has said that the level of the fine should be a "strong signal to organisations that serious infringements have far-reaching consequences".    

While Big Tech will undoubtedly be first in line for any further enforcement action around data transfers, the implications are not limited to Big Tech.  Meta, according to a statement issued by Nick Clegg and its Chief Legal Officer, has been "singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe".  The organisational, technical and legal measures that Meta had implemented were extensive (e.g., policies, encryption of data in transit and challenging government requests for access) but they were nevertheless deemed to be insufficient: they could not prevent non-court supervised access to a user’s data without the user's knowledge, which the US section 702 Foreign Intelligence Surveillance Act (FISA) downstream programme PRISM allows.  To compensate for the deficiencies of US law, a data exporter "must not merely “mitigate” the deficiencies in US law…but must ensure that data subjects receive essentially equivalent protection to EU law".  If the extensive supplementary measures implemented by Meta are not considered to be capable of compensating for the inadequate protection offered by US law, what options are left for other businesses?   

Some businesses can show that, in practice, problematic legislation will not apply to their transferred data.  The decision is less troublesome for them in that the DPC highlighted that the EDPB Supplemental Measures Recommendations do not exclude a risk-based approach.  In Meta's case, the DPC decided that Meta could not rely on a risk-based approach because it could not show that in practice there would be no actual access by surveillance authorities.             

Nevertheless, if a company with Meta's resources cannot make up for the privacy shortcomings of US law, it is clear this is a situation that companies cannot address alone and that a political solution is needed.

The EU/US Data Privacy Framework (DPF), which we previously wrote about here and which is intended to form the basis of a US adequacy decision, may offer some hope on the horizon as a future data transfer mechanism for those organisations that certify to it.  For those not certified, continuing to rely on SCCs coupled with a transfer impact assessment, the DPF would also offer a binding (positive) EU legal assessment of US laws and practices.

That said, on 11 May 2023, the European Parliament voted for a resolution opposing the adoption of a US adequacy decision under the DPF, calling on the European Commission to continue negotiations with its US counterparts.  It fears that the DPF, as it stands, will not provide essential equivalence and will be invalidated, causing further uncertainty and disruption for EU citizens and businesses.  The resolution is not binding on the Commission but will be taken into consideration, along with the opinion of the EDPB.  The EDPB's opinion, while broadly supportive, also recommended changes.

The Commission has suggested, following the DPC enforcement, that the DPF is expected to be in place by the summer.

Meta is anticipating that the DPF will be in place (effectively overtaking the DPC's two orders) before the compliance deadlines referred to in section 2 above expire, although the DPF will not nullify the fine.  It will appeal the decision and apply for a stay on the suspension order.  It has said that there will be no immediate disruption to Facebook users because of the implementation periods for the decision.

And beyond Meta? If the scale and nature of an organisation's processing is otherwise relatively low risk and its data are unlikely to be subject to surveillance under FISA, its data transfers are much less likely to attract a regulator's attention, for now at least.  As we've also seen from the regulator in-fighting surrounding this decision, the regulatory approach to enforcement is far from consistent and there were only four regulators that insisted on more severe action against Meta.  We therefore expect most organisations to continue with their current practice of using SCCs and await the DPF, rather than localise their data now.  Big tech companies transferring vast quantities of data on the back of SCCs to the US that fall within the scope of the FISA 702 PRISM surveillance programme will feel a much greater pressure to localise data, having seen the heavy price of non-compliance, although they too may hang out to see what the summer brings.  

Whether the DPF proves to be a long-term solution is of course another matter: in the absence of a significant change in US surveillance laws, Schrems will no doubt challenge the DPF before the CJEU in the same way as its predecessor frameworks.