It shouldn’t come as a surprise that the European Data Protection Board (EDPB), through Ireland’s Data Protection Commission (DPC), issued another fine against a large US technology company. What may come as a surprise is the scope of the Meta (fka Facebook) decision and the impact it will have on all US businesses that transfer data from the EU to the US.
Quick History of EU to US Data Transfers
The US-EU Safe Harbor program was established in July 2000 and was the primary way businesses transferred data from the EU to the US. This program was invalidated in October 2015 in a case referred to as Schrems I (which just happened to involve data transfers by Facebook). The EU and the US scrambled to implement a new data transfer framework and did so in July 2016, putting into effect the EU-US Privacy Shield framework. After the General Data Protection Regulation (GDPR) went into effect in May 2018, this framework was challenged. In July 2020, in a case referred to as Schrems II, the EU-US Privacy Shield framework was invalidated. Companies pivoted to use Standard Contractual Clauses (SCCs) as the primary method to transfer data from the EU to the US. In June 2021, the European Commission published new model SCCs. A newly negotiated Trans-Atlantic Data Privacy framework to permit data transfers from the EU to the US has not yet been adopted.
Although the Decision analyzes data transfers under both the pre-GDPR 2010 SCCs and the post-GDPR 2021 SCCs, in this article, we will focus only on the current data transfer structure under the GDPR.
The Decision
The 215-page decision boils down to this: US companies that want to transfer data from the EU to the US are in trouble.
What happened? The Decision found that:
- US law does not provide a level of protection that is essentially equivalent to EU law. Unlike US citizens, who have constitutional rights, EU citizens do not have effective legal remedies when their data is transferred to the US. They are not informed of the collection of their personal information by the US government and have no right to access, rectify, or erase data that the US government collects.
- The SCCs that almost every US company relies on to transfer data from the EU to the US cannot compensate for the deficiencies in US law.
- Companies need to put in place supplemental measures to compensate for the deficiencies in US law. However, in the EDPB’s opinion, nothing Meta did was sufficient and the Decision does not provide any guidance on what would be considered sufficient, short of the Trans-Atlantic Data Privacy framework (after it is adopted and until it is invalidated).
- No other derogation (exception to the data transfer) can be used by Meta to transfer data from the EU to the US.
Context, please!
Under GDPR Article 45, transfers of personal information from the EU to a non-EU country can only happen if the European Commission has determined that the non-EU country provides an adequate level of protection to EU citizens. The EU has clearly stated—on multiple occasions—that the US does not provide an adequate level of protection to EU citizens. That leaves US companies with the alternatives for data transfers provided by GDPR Article 46 (appropriate safeguards), Article 47 (binding corporate rules) or Article 49 (derogations). As Article 47 is feasible only for the largest companies and Article 49 only applies to limited circumstances, most companies relied on Article 46, which permits data transfers if appropriate safeguards are in place, with SCCs being the most common safeguard.
While the Decision concedes that SCCs are one method of providing the “appropriate safeguards” required for data transfers, it further explains that the SCCs require both the data exporter (the company located in the EU) and the data importer (the company located in the US) to consider whether the laws of the data importer’s country (US law) prevent the data importer from appropriately safeguarding EU citizens’ personal information. If the US company knows that the US government can access the information, it needs to stop transferring data to the US.
Meta took various steps to bolster its safeguards, including conducting a transfer impact assessment, challenging law enforcement requests for data, and transferring data through end-to-end encryption. The Decision spends three pages summarizing all of the organizational, technical, and legal measures Meta put into place (see Decision Sections 7.179-7.191) but found that nothing can compensate for the ineffective legal remedies in the US for EU citizens.
According to the Decision, since Meta cannot change US law or bind the US government to ensure that EU citizens can bring a legal action in the US before an independent and impartial court, Meta cannot guarantee the necessary protection under the SCCs. The Decision also found that Meta could not supplement the SCCs with sufficient additional safeguards,[1] so, under the SCCs, Meta was bound to suspend or end data transfers from the EU to the US.
Scope of the Decision
Although the Decision concludes by stating that its analysis could apply to any internet platform falling within the definition of “electronic communications service provider” subject to FISA, the problems with US law that the Decision considered are significantly broader than internet platforms. For example, the Decision discussed how telecommunications companies, such as internet service providers (ISPs), are required to allow the NSA to copy and filter the internet traffic of non-US citizens located outside the US for foreign intelligence information. That access includes data in transit to the US through undersea cables. So, even if a US business is not an “electronic communications service provider” under FISA, unless it is mailing EU customers’ personal information to effectuate a data transfer, its customers’ data is potentially subject to interception when travelling over fiber to reach the US electronically.[2] Merely adding a statement in a privacy notice that personal information may be disclosed to the US government is not sufficient.
The Decision goes on to elaborate on why the exceptions provided in Article 49 cannot be relied upon by Meta for systematic, bulk, repetitive and ongoing transfers to the US. In short, the derogations cover only transfers that are strictly necessary and cannot be used to circumvent the general rule that a transfer to a country without essentially equivalent protection should not take place; because the US fails to provide EU citizens with the opportunity to take legal action in the US before an independent and impartial court, that general rule applies. Therefore, Meta cannot claim contractual necessity (Article 49(1)(b)), public interest (Article 49(1)(d)), or explicit consent (Article 49(1)(a))[3] as valid exceptions that could permit a data transfer.
But wait, there’s more! The Decision provides an in-depth look at the infighting between the different supervisory authorities. The outcome of the showdown is that Meta needs to cease unlawful processing (which means no data transfer to the US and no storage of data in the US until the Trans-Atlantic Data Privacy framework is in effect, since there seems to be no other non-infringing means). Meta also needs to pay a fine. While the amount (€1.2 billion) is the largest to date under the GDPR, what should be more troubling for US businesses is part of the rationale behind the fine. (1) The starting point of the violation is July 16, 2020, the date of the Schrems II judgment. (2) Because Meta should have known that the data transfers were unlawful post-Schrems II, the violation was committed with the highest degree of negligence and was not conducted in good faith using transfer mechanisms provided for under the GDPR. (3) The affected data subjects are not only those whose accounts were actually accessed by the US government but anyone whose account could have been subject to access, i.e., every EU Meta customer. When Meta argued that it cannot conduct business in the EU without being able to transfer data to the US, the EDPB “recalls that it is the business model which must adapt itself and comply with the requirements that the GDPR sets out…and not the reverse.” (Decision citing paragraph 140 of the EDPB’s determination). When Meta argued that there is a conflict of laws between the US and the EU that it cannot remedy on its own, the EDPB responded that “these arguments have no bearing on the degree of responsibility” of Meta. (Decision Section 119).
Although the Decision’s impact on US businesses may seem patently unfair, the US takes similar measures to try to protect US citizens from possible foreign government collection of sensitive data for national security purposes. For example, Montana passed legislation to ban the social media app TikTok from operating in the state due to Chinese laws that permit the Chinese government access to information. Similarly, the EU is taking a hardline stance to protect EU citizens from possible access to their information by the US government.
In light of this Decision, unless and until the Trans-Atlantic Data Privacy framework (or some other adequacy decision) is accepted by EU authorities, if your business is transferring data from the EU to the US, you should discuss risks and possible solutions with an attorney. Miller Nash’s Privacy & Data Security team can provide such assistance.
1 “…it is clear that the CJEU took the view that where public authorities in the third country have access to data, there is a particular risk that no adequate additional measures to guarantee the requisite protection can be taken and that the controller, processor or competent supervisory authority must suspend or end such data transfers.” [Emphasis added.] (Decision Section 7.21).
2 If there were any concerns that the right to an independent and impartial tribunal under Article 47 of the Charter was insufficient justification, the DPC augments its analysis by citing Privacy International v. Secretary of State for Foreign and Commonwealth Affairs, EU:C:2020:790. “…[T]he transmission of traffic data and location data to public authorities for security purposes is liable, in itself, to infringe the right to respect for communications, enshrined in Article 7 of the Charter, and to deter users of means of electronic communication from exercising their freedom of expression, guaranteed in Article 11 of the Charter.” (Decision Section 9.38).
3 The Decision implies that Article 49(1)(a) might, in some multiverse, be acceptable if explicit consent is obtained for each specific data transfer but cannot be used for ongoing data transfers, future data transfers, or different sets of transfers.
This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.