International Data Transfers to the US following Meta ruling

Facebook’s owner, Meta, was recently handed a record £1.04bn fine by Ireland’s Data Protection Commission (DPA) following violations of the General Data Protection Regulation (GDPR) and ordered to suspend the transfer of user data from the EU to the US. This ruling comes amid continued pressure within the EU and UK for more stringent requirements regarding data transfers to the US.

The fine handed down by the DPA, the regulator responsible for this ruling, follows a legal challenge brought by Max Schrems over a decade ago contending that EU citizens’ personal data was not adequately protected from US intelligence agencies when transferred to the US. In 2020, the CJEU identified various safeguarding deficiencies in relation to the US government’s ability to access EU personal data under US law on grounds of national security.

Importantly, the CJEU held that in order to transfer personal data to a third country that does not benefit from an adequacy decision, it will be necessary for a company to:

• enter into standard contractual clauses (SCC’s), or use another transfer tool, like binding corporate rules (BCR’s); and
• carry out an assessment of the laws of the third country to ensure the data would receive essentially equivalent protection that that under the EU regime – a Data Transfer Impact Assessment (DTIA).

Decision

The DPA found that the changes introduced by Meta “did not address the risks to the fundamental rights and freedoms” that the CJEU had identified in the Schrems II ruling in 2020, despite the fact that the transfers largely took place on the basis of standard contractual clauses endorsed by the EU.

Meta’s chief legal officer has stated that they intend to appeal the decision and are “disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe”.

Comment

Whilst serving as a warning to companies regarding their handling of international data transfers, this ruling also emphasises that reliance on SCC’s alone will not be enough to evidence compliance with EU GDPR when transferring EU citizens’ data across the Atlantic.

Whether the ruling will have any real practical impact remains to be seen. Under the conditions of the fine, Meta will have until 12 November to move back or delete user data from US servers.  In the meantime, the European Commission and the US have recently agreed a EU-US Data Privacy Framework (DPF). The DPF will effectively harmonise GDPR legislation with US data collection in relation to EU citizens’ data that is exported to the US. If the DPF takes effect before the suspension order takes effect, as is anticipated, and providing Meta (Ireland) conforms to the requirements for data transfers under the new DPF, the suspension order is unlikely to have any real practical effect. Seemingly, Meta/Facebook could potentially have a new legal basis under which the data can transfer from the EU to US.

While the size of the fine may cause alarm to the numerous businesses which routinely transfer personal data to the US, it’s worth noting that this follows years of dialogue between Meta/Facebook and EU data protection authorities. It also remains to be seen whether the UK would impose a fine on this level in relation to data transfers to the US, especially given the work towards UK-US adequacy.

What next?

The US has been seen as a target for a future data adequacy partnership with the UK and it is expected that the UK will finalise its UK-US adequacy ahead of the EU’s anticipated adequacy decision under EU GDPR. However, until such time as the UK adopts an adequacy finding for the US, exporters of UK data will need to rely on an appropriate safeguard  or a derogation to transfer data from the UK to the US such as SCC’s and will still need to carry out a DTIA.

Organisations which transfer data to the US on a regular basis should review what safeguards they are relying on, ensure they have carried out a DTIA, and consider if they can implement additional supplemental measures to protect personal data they have transferred to the US.

Contact us

If you require any help or advise on any of the information in this article, please get in touch with us or contact Elliot Fry or Kathryn Rogers.