Where EU to US Transfers Stand After the Irish DPC’s Meta Decision

by: Max Landaw

On May 22, the Ireland Data Protection Commission (DPC) published its decision fining Meta Ireland (formerly Facebook) €1.2 billion in violation of Article 46 of the EU General Data Protection Regulation (GDPR).  This represents the largest fine in GDPR’s 5 year history.  Ironically, this fine does not represent the larger takeaway from the decision, namely that until the EU and the US finalize the long awaited EU-US Data Protection Framework (DPF), all transfers of EU personal data to the United States are on shaky grounds.  Naturally, many companies are concerned about the future of transfers to the United States and below, we answer some questions related to the Irish DPC decision and what it means for the future of EU to US transfers.

What happened in the case?

The decision is to some degree a culmination of litigation against Meta going back to the invalidation of previous transfer mechanisms, Safe Harbor (from Schrems I) and the Privacy Shield (from Schrems II).  Unable to rely on those transfer mechanisms, Meta began to rely on the 2010 and the subsequent 2021 EU standard contractual clauses (and additional safeguards) to effectuate intercompany transfers from its Meta Ireland subsidiary to its US entity.

Similar to the Schrems I and II cases, the Irish DPC focused on the following laws and practices of the US: Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA), the accompanying PRISM program, and Executive Order 12033.  Criticizing the US’s surveillance regime, the Irish DPC stated that the US government’s processing of foreign personal data goes beyond “preventative purposes”.  The Irish DPC found that Meta’s use of the standard contractual clauses and additional safeguards in transferring data from the EU to the US could not therefore compensate for “deficiencies” in US law which would allow the US government to intercept data in transit and demand the disclosure of EU personal data with little legal recourse to resist. In other words, the Irish DPC did not admonish Meta for its data protection practices; rather, existing US law cannot allow Meta to provide EU data subjects with measures that ensure “essential equivalence” (the standard from Schrems II) of EU data protection standards.

The full holding in the decision requires that Meta:

• Suspend (as opposed to completely ban) all EU to US personal data transfers;

• Bring its processing operations into compliance with Chapter V of GDPR by “ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 (six) months following the date of the notification of this [decision]”; and

• Pay a fine of €1.2 billion.

Meta plans to appeal this decision to the Court of Justice of the European Union (CJEU) and the 6 month ticking clock will force the European Commission to finalize the DPF by the end of 2023.  If the appeal proves unsuccessful and the DPF cannot be agreed, Meta will have to fundamentally alter its business practices by potentially completely localizing processing of EU personal data within the EU or pulling out of the EU altogether, a threat Meta has made before. 

Does this decision affect any business other than Meta?

The Irish DPC made clear that the decision binds Meta Ireland only.  However, it also recognized that “any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRSIM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA.”

The term, “electronic communications service provider” is defined very broadly.  The term includes telecommunications carriers, electronic communications services, remote computing services, and any other communications service providers that have access to wire or electronic communications.  Since many companies fall under the definition of “electronic communications service provider”, this case could serve as persuasive precedent for other EU member states in suspending transfers.  Since Meta is appealing the case, the CJEU could decide to make the Irish DPC’s holding binding on all EU member states.

However, one distinguishing factor could be that Meta, unlike many other smaller companies, appears to regularly receive US government requests for personal data.  The Irish DPC noted as such in the decision. Smaller companies whose products and services that are outside of the general ambit of FISA Section 702 may be able to distinguish themselves as not subject to the reach of US government interception and personal information requests.  It is an open question whether EU supervisory authorities would agree.

What distinguishes this case from other recent EU to US transfer cases?

In some ways, the Irish DPC’s decision in suspending transfers and finding that no transfer instruments are suitable is not novel.  Other supervisory authorities such as in Italy, Austria, and France have made similar holdings in relation to Google Analytics and EU to US transfers.  Those cases also cited the CJEU’s opinion in Schrems II highlighting the deficiencies in US law.

What sets this case apart from past cases is the Irish DPC’s analysis of very recent developments in US law.  In October of last year, President Biden issued Executive Order 14086 which serves as the legal foundation behind the DPF.  EO 14086 created the framework for safeguards around signals intelligence, namely by creating a mode of redress for foreign nationals who are to have access to independent administrative courts.

Interestingly, the Irish DPC declined to opine on the merits of EO 14086, merely noting that since the EU has not been deemed a “qualifying state” and that the administrative courts are not yet operational, it will analyze existing US law essentially as if EO 14086 does not exist.  This analysis (or lack thereof) raises hope for other companies seeking to effectuate EU to US transfers in the future.  Companies can 1) argue in their transfer impact assessments that the Irish DPC was incorrect to forego a substantive analysis of EO 14086 and 2) feel more assured that when the EU is designated a qualifying state and administrative courts become operational that the fundamental analysis of US law could change.  Additionally, this raises some hope that the CJEU will not immediately find the DPF (if the EU Commission approves it) dead on arrival, not to be sent to the EU-US transfer mechanism graveyard with Safe Harbor and Privacy Shield.

How can companies transfer EU personal data to the US now?

At the moment, this is unclear.  The Irish DPC explicitly addressed the use and insufficiency of standard contractual clauses in Article 46 and the derogations (such as explicit consent) in Article 49 of GDPR.  This is a huge blow to data transfers as 94% of companies transferring personal data out of Europe rely on standard contractual clauses as the preferred transfer instrument. 

The Irish DPC did not address the Article 46 safeguards other than standard contractual clauses such as binding corporate rules.  However, it appears that no other Article 46 safeguard could make up for US law’s perceived deficiencies.  On first glance, it may appear that binding corporate rules for intercompany transfers are a panacea which could solve the problems posed by the shaky grounds of the standard contractual clauses.  However, binding corporate rules require supervisory approval, which require the company to describe the “mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules.”  It is likely that based on this case with Meta Ireland, the Google Analytics cases, and other cases which have addressed EU to US transfers, that supervisory authorities would have the same issue with existing US law as the Irish DPC did.  Therefore, it is unlikely that binding corporate rules or any other Article 46 safeguard would be deemed a suitable substitute for standard contractual clauses.

One unattractive solution will be to localize processing of EU personal data, to avoid transfers altogether.  However, this is impractical for the vast majority of companies who are therefore left with little choice but to continue to rely on standard contractual clauses with additional safeguards, in hopes of being able to distinguish themselves from Meta. 

How should companies respond?

The good news is that despite the protestations of some members of the European Parliament, it appears the European Commission is poised to finalize the DPF this summer.  The Irish DPC’s decision should provide an extra political catalyst for the European Commission to avoid a scenario where businesses who transfer data to the US have to suspend operations or completely localize processing of personal data.  The European Commission has made no indication that there is a strong preference for extreme localization as appears to be the case in countries like China.  There is another political question raised: if US law is so deficient, is use of standard contractual clauses and additional safeguards to effectuate transfers of EU personal data to other jurisdictions with more surveillance-oriented regimes even more suspect?

One area to look into is to see how the UK responds to the Irish DPC decision in relation to UK to US transfers of personal data.  The UK is not beholden to the Irish DPC decision or any subsequent CJEU opinion but since the UK has largely adopted the Schrems II position that transfers to the US pose a serious threat to the rights of UK data subjects, the UK could take a similar approach.  One crucial difference is that while the EU requires transfers to a third country to provide an “essential equivalence” to EU data protection standards, the UK takes a potentially more permissive stance that transfers must not be “materially lower” than UK data protection laws.  It is not clear how different these standards are but the UK has been seen as a more business-friendly regime and may therefore come to a different conclusion than the Irish DPC.

For businesses, since no Article 46 safeguard seems safe for EU to US transfers, many companies will look to immediately sign up for the DPF once it comes into force.  This of course will not be the end of the story as Max Schrems has stated that he will use his organization, None of Your Business (NOYB) to invalidate this transfer mechanism until US law fundamentally changes.

However, such a case would take a few years to get through the EU court system which will allow companies to use the DPF as a valid transfer mechanism while the cases are pending.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.