
Data Privacy Insight: Irish Regulator Issues Record-Breaking Fine of €1.2 billion against Meta for Data Transfers to the U.S.

June 21, 2023 | Insights

Last month, the Irish Data Protection Commission (“DPC”) issued a highly-anticipated decision in a multi-year enforcement action against Meta Ireland (“Meta”) stemming from Meta’s transfers of personal data from the European Economic Area (“EEA”) to the U.S. The decision directs Meta to stop transferring personal data from the EEA to the U.S. and cease processing personal data of EEA residents unlawfully. It also includes a record-breaking €1.2 billion fine against Meta for the unlawful data transfers.

Background

This decision is the latest development in a series of enforcement actions against Meta relating to data transfers. At issue in the May 2023 decision was whether Meta’s transfers of personal data from the EEA to the U.S. were legal following the Schrems II decision, which invalidated the EU-U.S. Privacy Shield and required companies relying on standard contractual clauses (“SCCs”) to implement additional safeguards to protect personal data transferred from the EEA to the U.S. and certain other jurisdictions. 

Echoing the Schrems II decision, the DPC concluded that neither the older (2010) versions of the SCCs nor the updated (2021) versions were sufficient, alone, to protect data being transferred to the U.S. Instead, the DPC noted that companies seeking to rely on the SCCs would need to implement sufficient supplemental safeguards to protect data transferred from the EEA to the U.S. from surveillance by U.S. authorities. Even though Meta had implemented supplemental safeguards with the SCCs, the DPC concluded that those safeguards were insufficient to protect the data, in particular once the data had arrived in the U.S.

The DPC also concluded that Meta could not invoke any “derogations,” such as contractual necessity or consent of the data subject, in order to legally transfer the personal data. The DPC noted that derogations are exceptions that should be used only under exceptional circumstances.

Requirements of Order against Meta

The DPC has ordered Meta to take the following steps:

  1. Suspend all transfers from the EEA to the U.S. by October 2023;
  2. Suspend the unlawful processing, including storage, in the U.S. of personal data of EEA users transferred in violation of the European Union General Data Protection Regulation (“GDPR”); and
  3. Pay a fine of €1.2 billion for its violations of Article 46(1) of the GDPR.

Meta has confirmed that it will be appealing the DPC’s decision.

Implications for data transfers from the EEA to the U.S.

The decision further imperils data transfers relying on the new SCCs. Despite Meta’s deployment of several supplemental measures to safeguard data being transferred to the U.S., the DPC concluded that the safeguards were insufficient to protect the data from access by U.S. surveillance authorities. While the decision applies solely to Meta, the DPC’s holding has implications for companies subject to the Foreign Intelligence Surveillance Act (“FISA”) Section 702, a U.S. surveillance law that applies to “electronic communications service providers,” a term that is broad enough to capture cloud service providers. Following are key takeaways from the decision:

  • Derogations should be invoked in limited circumstances. The DPC concluded that the “contractual necessity” derogation – which in some circumstances companies can use to transfer data where such transfer is strictly necessary to perform a contract with the data subject – could not be relied upon for “systematic, bulk, repetitive and ongoing transfers” to the U.S. as this would give rise to a breach of the fundamental right of EU/EEA users to effective judicial protection. The DPC also rejected Meta’s attempt to rely on the “public interest” derogation for the same reasons. Meta also could not rely on the data subject’s consent to the transfer, with the DPC concluding that, among other things, consent could not be obtained for a future transfer if the occurrence and specific circumstances of the transfer were not known at the time of consent. 
  • Many supplemental technical and organizational measures currently employed in the industry are likely insufficient. The DPC concluded that the measures employed by Meta to protect data transferred to the U.S. were insufficient to compensate for “inadequacies” in U.S. law. For example, while the DPC noted that encryption could protect data in transit from access by surveillance authorities pursuant to Section 702 of FISA and Executive Order 12333, U.S. surveillance authorities could request that Meta decrypt and provide the personal data once it reached the U.S. Executive Order 12333 authorizes U.S. intelligence agencies to collect foreign “signals intelligence” information (i.e., intelligence from communications and other data passed or accessible by radio, wire and other electromagnetic means). The DPC did not identify measures it would consider sufficient to protect personal data transferred to the U.S.
  • Non-compliance with GDPR requirements around data transfers can be incredibly costly. The fine against Meta is the largest fine ever levied against a company for GDPR non-compliance. In calculating the fine, the DPC considered several factors, including the duration of the infringement, the number of affected data subjects, and previous infringements of the GDPR by Meta.

Although this decision causes uncertainty for companies relying on the SCCs for transfers of data from the EEA to the U.S., the European Commission has indicated that it expects to finalize the EU-U.S. Data Protection Framework (the “Framework”) this summer, as a successor to the invalidated EU-U.S. Privacy Shield. The recent Meta decision puts further pressure on the European Commission to finalize the Framework to put transfers from the EEA to the U.S. on stronger footing.

How can GD help?

Companies should evaluate their legal basis for transferring personal data from the EEA and UK to the U.S. and understand the risks relating to such transfers. If you have any questions regarding this client alert, please reach out to your Gunderson Dettmer attorney or contact one of our data privacy experts:

Anna Westfelt   (650) 463-5367   awestfelt@gunder.com

Cecilia Jeong   (646) 490-9094   cjeong@gunder.com

Frida Alim   (415) 801-4921   falim@gunder.com

James Gately   (617) 648-9313   jgately@gunder.com