Key Takeaways from DPC’s Meta Transfers Decision
The headlines of the Data Protection Commission’s recently published decision are widely known. Unsurprisingly in the circumstances, the DPC determined that Meta’s transfers of personal data to the United States have been conducted in breach of the requirements of the GDPR, interpreted in light of the CJEU’s decision in the Schrems II case in particular. Meta has been:
- fined €1.2 billion;
- ordered to suspend its transfers of personal data to the United States within approximately 16 weeks; and
- ordered to bring its processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR within 6 months.
If one digs a little deeper, however, there are key passages in the DPC’s decision that will be particularly significant as organisations consider its implications for their cross-border transfers of personal data. The following are among the more noteworthy.
First, there’s the penultimate paragraph of the DPC’s decision that confirms the extent to which it will be relevant to third parties involved in transfers to the US:
“This Decision will bind Meta Ireland only. It is clear, however, that the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA. This point was raised by the DPC before the Irish High Court and the CJEU when it raised questions as to the validity of the SCC instruments specifically as a mechanism underpinning transfers to the United States. In the event, the CJEU upheld the validity of the SCCs as a legal instrument, emphasising the need to undertake a case-by-case assessment to determine whether, in any given case, data transfers to a third country conducted under their terms are lawful or not. In the circumstances, and notwithstanding the findings made by the CJEU in the Judgment in relation to US law, it is not open to the DPC to make an order suspending or prohibiting transfers to the United States generally.”
Next, paragraph 9.51 outlines the potential impact of an adequacy decision by the European Commission in respect of the EU-U.S. Data Privacy Framework on the orders issued by the DPC to Meta. This makes it clear that the DPC envisages that such an adequacy decision could effectively supersede both the suspension order and the cessation order imposed on Meta:
“I note, in this regard, that neither the CSAs (by way of the Deletion or Return Objections or otherwise) nor the EDPB expressed disagreement with my view, set out at paragraph 9.46 above, that “new measures, not currently in operation, may yet be capable of being developed and implemented by Meta Ireland and/or Meta US to compensate for the deficiencies identified herein”. While that view was expressed in the context of the suspension order that was proposed by the DPC in the Draft Decision (and which is reflected in Section 10, below), it applies equally to the Cessation Order. Accordingly, and for the sake of clarity and legal certainty, the orders specified in Section 10, below, will remain effective unless and until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by way of new measures, not currently in operation, such as the possible future adoption of a relevant adequacy decision by the European Commission pursuant to Article 45 GDPR.”
Thirdly, there are paragraphs 8.5 to 8.22, in which the DPC sets out her understanding of the potential applicability of Article 49 derogations, where transfers are being made to a third country that is not covered by an adequacy decision and which does not have laws considered to provide for “essentially equivalent” protection for personal data.
8.5 “For the avoidance of doubt, I accept that, in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or of appropriate safeguards pursuant to Article 46 GDPR, the derogations provided for under Article 49 GDPR may be relied on to make transfers to third countries which do not satisfy the “essential equivalence” standard. Meta Ireland’s characterisation of Chapter 8 of the RPDD to the contrary is incorrect.”
8.22 “I am therefore required to interpret and apply Article 49 GDPR as precluding derogations that do not comply with the “essence” of a fundamental right. It is only where a derogation from a fundamental right respects the “essence” of that right that it is necessary to proceed to a balancing test.”
The above are just three extracts from a 215-page decision. Both the DPC’s decision and the EDPB’s decision on disputed elements of an earlier draft of the DPC’s decision contain further key passages that set out the DPC’s and EDPB’s interpretations of fundamental provisions of, and concepts enshrined in, the GDPR, such as the principle of proportionality in relation to corrective measures. These will be stress-tested in the inevitable challenges to these decisions before Irish and European courts.
In the meantime, organisations have further clarity (albeit not all of it welcome) on what compliance with Chapter V of the GDPR entails from EU data protection authorities’ perspective. Most eyes will now turn to the eagerly anticipated decision of the European Commission regarding the EU-U.S. Data Privacy Framework. Meanwhile, looking beyond trans-Atlantic transfers, the progress of the DPC’s inquiry into TikTok’s transfers of personal data to China, and other ongoing inquiries and upcoming reviews of existing adequacy decisions, will also be monitored closely.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.