
1.2 billion euro fine for Facebook (Now Meta): the largest GDPR fine ever


Tuna Law Firm

E-Bulletin No 03/23

Meta Platforms Ireland Limited (Meta IE) was issued a 1.2 billion euro fine by the Irish Data Protection Authority (IE DPA) following an inquiry into its Facebook service. This fine, the largest GDPR fine ever, was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR. The ruling, which comes with a grace period of at least five months before Meta needs to comply, applies only to Facebook and not to Instagram and WhatsApp, which Meta also owns. The company said there would be no immediate disruption to Facebook’s service in the European Union.

Recap: How did we get here?

This administrative penalty is the culmination of the Schrems I and Schrems II judgments, the second of which struck down the Privacy Shield scheme as "invalid due to lack of proper oversight of the ability of US security and law enforcement agencies in their access to non-US citizens' data carried out under Section 702 of FISA and EO 12333 and the lack of sufficient rights for individuals". The Foreign Intelligence Surveillance Act ("FISA") was enacted in 1978 to regulate US governmental electronic and physical surveillance of communications for foreign intelligence purposes. FISA was originally intended to govern surveillance activities targeting individuals inside the US. In 2008, however, s702* was enacted to authorize the acquisition of foreign intelligence information about non-US persons located outside the US. A non-US person is anyone who is not a US citizen or permanent US resident. Unlike the "traditional" FISA provisions, which require the government to obtain orders on an individualised basis and demonstrate probable cause, under s702 the Attorney General ("AG") and the Director of National Intelligence ("DNI") submit written certifications to the FISC that jointly authorise surveillance activities for up to one year. The government does not have to specify which non-US persons will be targeted or demonstrate probable cause. It merely needs to attest that a significant purpose of the activities is to obtain foreign intelligence information and certify that appropriate targeting and minimization procedures will be implemented. Once the FISC, a special court authorised to approve surveillance and whose decisions are sealed, has approved a certification, the government issues directives to US electronic communications service providers that compel the providers to “immediately provide the government with all information, facilities, or assistance necessary to accomplish the acquisition” of communications. In practice, the government sends the providers “selectors” (such as telephone numbers or email addresses) that are associated with specific "targets" (such as a non-US person or legal entity). Service providers must comply with these directives in secret and are not allowed to notify their users. The term "electronic communications service provider" is defined broadly to include telecommunications carriers such as AT&T and T-Mobile, providers of electronic communications services and remote computing services (e.g., Facebook, Google and AWS), as well as any other communications service providers that have access to wire or electronic communications (either in transit or in storage).

In 2013, Snowden leaked a number of secret US documents revealing the existence of two government surveillance programs: PRISM and UPSTREAM. Both are conducted under s702 of FISA but operate in different ways. PRISM involves the direct 'downstream' collection of communications by the NSA through the compelled assistance of electronic communications service providers. Effectively, the government sends a selector, such as an email address, to a US-based provider, and the provider is required to hand over all communications sent to or from that selector. UPSTREAM, on the other hand, involves the indirect 'upstream' collection of communications through the compelled assistance of the telecommunications providers that operate the backbone of the internet (e.g. AT&T and Verizon). Essentially, the NSA copies and filters the vast quantity of data flowing through the network of cables, switches and routers that make up the internet. Because the data is obtained without the knowledge or assistance of downstream providers, UPSTREAM has been described as a form of 'backdoor' surveillance.

In the Schrems II case, the CJEU first declared the European Commission’s Privacy Shield Decision invalid and, second, affirmed the validity of the SCC Decision while stipulating stricter requirements for SCC-based transfers.

The Court held that the US does not provide an essentially equivalent, and therefore sufficient, level of protection to that guaranteed by the GDPR and the Charter of Fundamental Rights (CFR). The legal bases of US surveillance programmes such as PRISM and UPSTREAM are not limited to what is strictly necessary and would be considered a disproportionate interference with the rights to protection of data and privacy (Article 45(1) GDPR, read in light of Articles 7, 8 and 52(1) CFR), since they do not sufficiently limit the powers conferred upon US authorities and lack actionable rights for EU data subjects against US authorities. Contrary to the European Commission’s adequacy findings, the Ombudsman mechanism does not remedy, but rather exacerbates, these deficiencies, as the mechanism interferes with the right to effective judicial protection (Article 45(1) GDPR, read in light of Article 47 CFR), due to concerns over the independence of the institution and the enforceability of its decisions.

Facebook continued international transfers to the USA of personal data of EU/EEA individuals who visit, access, use or otherwise interact with the Facebook service, relying on the SCCs provided for in Article 46(1) GDPR and the derogations provided for in Article 49 GDPR. According to Facebook’s assessment, ‘the level of protection required by EU law is provided for by relevant US law and practice’, and the company implemented supplementary measures in addition to the 2021 SCCs in order to ‘further ensure that an adequate level of protection continues to apply to user data transferred from its European branch located in Ireland to its headquarters in the US’.

According to the EDPB, the lower standard applied by Facebook’s European branch (Meta IE) when implementing the SCCs and supplementary measures, as well as the subsequent failure to implement supplementary measures that were aimed at compensating for the inadequate protection provided by US law (rather than at addressing or mitigating ‘any relevant remaining inadequacies in the protection afforded by US law and practice’), indicate a very high degree of negligence on the side of Meta IE. In that context, recital 107 of the GDPR states that, where ‘a third country, a territory or a specified sector within a third country no longer ensures an adequate level of data protection the transfer of personal data to that third country should be prohibited, unless the requirements relating to transfers subject to appropriate safeguards are fulfilled’. To that effect, recital 108 of the GDPR states that, in the absence of an adequacy decision, the appropriate safeguards to be taken by the controller or processor in accordance with Article 46(1) of the regulation must ‘compensate for the lack of data protection in a third country’ in order to ‘ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union’ (Schrems II decision, paragraph 95).

The EDPB‡ recommends that controllers assess whether there is anything in the law and/or practices in force in the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools they are relying on, in the context of their specific transfer. The controllers’ assessment should focus first and foremost on third-country legislation that is relevant to the data transfer and to the Article 46 GDPR transfer tool relied upon.

Controllers acting as data exporters to third countries are also expected to identify and adopt the supplementary measures necessary to bring the level of protection of the transferred data up to the EU standard of essential equivalence.

The technical measures recommended are strong encryption, pseudonymisation, and split or multi-party processing (i.e. prior to transmission, the data exporter splits the data in such a way that no part an individual processor receives suffices to reconstruct the personal data in whole or in part).
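To make the two measures just named concrete, here is an added example in Python (it is not code from the bulletin, the EDPB recommendations or Meta): a direct identifier is replaced by a keyed HMAC-SHA256 pseudonym using a key that stays with the EU exporter, and the resulting record is then XOR-split into two shares for two independent processors, so that neither share on its own carries any information about the record. The record layout, the field name `email`, the key and the function names are assumptions made for the illustration.

```python
"""Added illustration of pseudonymisation plus 2-of-2 split processing.
Not from the bulletin or any EDPB/Meta material; record layout, key and
function names are constructed for this example."""
import hashlib
import hmac
import json
import secrets

# Constructed sample data. In practice the key would be generated and kept
# only on the exporter's (EU) side and never sent to an importer.
EXPORTER_KEY = b"constructed-exporter-key-keep-in-eu"
SAMPLE_RECORD = {"email": "alice@example.eu", "country": "IE", "last_login": "2023-05-22"}


def pseudonymise(record: dict, key: bytes, field: str) -> dict:
    """Replace a direct identifier with a keyed HMAC-SHA256 pseudonym.

    The pseudonym is deterministic for a given key, so records about the
    same person can still be linked by the exporter, but an importer that
    holds only the pseudonym cannot invert it without the key.
    """
    out = dict(record)
    out[field] = hmac.new(key, record[field].encode(), hashlib.sha256).hexdigest()
    return out


def split_shares(data: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR secret split.

    share_a is uniformly random; share_b = data XOR share_a. Each share on
    its own is statistically independent of the data, so a single processor
    receiving one share cannot reconstruct the record in whole or in part.
    """
    share_a = secrets.token_bytes(len(data))
    share_b = bytes(d ^ a for d, a in zip(data, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine both shares; fails loudly if one share is missing/garbled."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch: both shares are required")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def prepare_for_transfer(record: dict, key: bytes, field: str) -> tuple[bytes, bytes]:
    """Exporter side: pseudonymise, serialise, then split into two shares
    destined for two independent processors."""
    pseudo = pseudonymise(record, key, field)
    payload = json.dumps(pseudo, sort_keys=True).encode()
    return split_shares(payload)


def reconstruct(share_a: bytes, share_b: bytes) -> dict:
    """Only a party holding BOTH shares can rebuild the (pseudonymised) record."""
    return json.loads(combine_shares(share_a, share_b).decode())


if __name__ == "__main__":
    a, b = prepare_for_transfer(SAMPLE_RECORD, EXPORTER_KEY, "email")
    print("share for processor A:", a.hex())
    print("share for processor B:", b.hex())
    print("reconstructed with both shares:", reconstruct(a, b))
```

Note the limits of the illustration: pseudonymisation only helps if the key genuinely stays outside the importer's reach, and an XOR split only helps if the two shares go to processors that cannot be compelled jointly. Neither measure replaces the legal assessment the bulletin describes.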

In addition to technical measures, additional contractual measures such as transparency obligations, obligations to take specific actions and obligations empowering data subjects to exercise their rights may increase the effectiveness of protection. Additional organisational measures may consist of internal policies, organisational methods and standards that controllers and processors could apply to themselves and impose on the importers of data in third countries.

In the absence of an adequacy decision or contractual clauses, transferring personal data to a third country that does not provide equivalent protection may take place only under one of the following conditions (Article 49(1) GDPR):

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of legal claims;

(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Nevertheless, in its Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p. 4, the EDPB highlights that the derogations must be interpreted restrictively so that the exception does not become the rule. The EDPB also recalls that Recital 111 GDPR refers to ‘occasional’ transfers and Art. 49(1) GDPR to ‘not repetitive’ transfers in the ‘compelling legitimate interests’ derogation. The EDPB explains that these terms indicate that such transfers may happen more than once, but not regularly, and would occur outside the regular course of actions, for example under random, unknown circumstances and within arbitrary time intervals. More specifically, a data transfer that occurs regularly within a stable relationship between the data exporter and a certain data importer can basically be deemed systematic and repeated and can therefore not be considered occasional or not repetitive. Accordingly, the EDPB concluded that ‘it is not open to Meta Ireland to rely on the derogations at Article 49(1) GDPR (or any of them) to justify the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US’.

The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. Several supervisory authorities argued that Meta IE acted intentionally or at least with dolus eventualis.

The final decision was adopted after the IE DPA, as lead supervisory authority (LSA), had triggered a dispute resolution procedure concerning the objections raised by several concerned supervisory authorities (CSAs). Among others, CSAs issued objections aiming to include an administrative fine and/or an additional order to bring processing into compliance. The EDPB highlights that the GDPR does not include a one-stop-shop mechanism and referred to the shared competences of the CSAs. The GDPR requires supervisory authorities to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the Regulation. Facebook chose Ireland because of its more relaxed attitude towards taxation and regulation. But when it comes to personal data protection, the least demanding member state cannot be used to circumvent legal provisions. On the contrary, integration dynamics force a trading-up mechanism in which the member states that impose more stringent rules compel others to adopt similar legal mechanisms.

Privacy Framework: Deus Ex Machina?

In the wake of the Schrems II decision that invalidated Privacy Shield, the EU and the US have been negotiating an alternative mechanism for transfers: the Trans-Atlantic Data Privacy Framework (the "Framework").

The expectation is that the Framework will likely be available for Meta and others at some point during summer 2023, and there is perhaps even more reason to think this will be the case following the added pressure on the European Commission after this decision.

Is it still possible to rely on Standard Contractual Clauses ("SCCs") to transfer data to third countries?

The Schrems II judgment did not invalidate SCCs but required that each data exporter assess the laws of the destination country to ensure that use of the SCCs properly protects the data transferred in that context. The latest decision did not change the status quo. But it did require data exporters to make a detailed assessment and take precautionary technical, contractual and administrative measures.

It should be pointed out that the EDPB found the "supplementary measures" that Meta had adopted insufficient, and many of these measures are the same ones put in place by other exporters.

Although addressed to Meta, the decision is also intended to act as a deterrent to other exporters. Exporters may start to think seriously about locating their data storage inside the European Economic Area.

* 50 USC § 1881a et seq. For the full text please visit: https://www.govinfo.gov/app/details/USCODE-2014-title50/USCODE-2014-title50-chap36-subchapVI-sec1881a

† Judgment of the Court (Grand Chamber) 16 July 2020, Case C‑311/18, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems 

‡ EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
