On May 22, 2023, the Irish Data Protection Commission (DPC) published its decision of 12 May 2023 fining Meta Platforms Ireland Limited €1.2 billion for violating the General Data Protection Regulation (GDPR). This decision, which imposes the highest fine ever under the GDPR, states that the conditions under which Meta (formerly known as Facebook) has transferred personal data to the US since July 16, 2020 did not ensure a level of data protection for individuals in line with European Union requirements. Consequently, Meta is given a period of 5 months to halt all personal data transfers to the US and 6 months to align all its data storage and processing practices with EU law.

Although spectacular, this decision was foreseeable and expected. It represents the latest stage in the litigation brought by Maximilian Schrems and his association NOYB in the wake of Edward Snowden’s revelations about US surveillance programs. Notably, the impact of this decision goes well beyond Meta’s data transfers to the US. By challenging the legal foundation on which most international data transfers are currently conducted, it has significant implications for all companies engaged in such transfers to countries outside the European Union.

  • What is the background to this decision?

In the wake of the CJEU decision invalidating the Privacy Shield on July 16, 2020, the Irish data protection authority, the Data Protection Commission, opened an investigation into the Facebook service to determine whether transfers of data from Facebook/Meta to the United States were lawful. Since the invalidation of the Privacy Shield, Meta, like many other companies, has had to base transfers of personal data on Standard Contractual Clauses (SCCs). Judging that the guarantees offered by Meta were, in this context, insufficient, the Irish DPC had, in the fall of 2020, issued a preliminary order requiring the cessation of transfers to the United States. Meta appealed and obtained a stay.

After a series of complex developments, the case was reviewed by the European Data Protection Board (EDPB), composed of representatives from all national data protection authorities, following the dispute resolution mechanism laid down in the GDPR. In such cases, the other national data protection authorities concerned have the opportunity to raise objections as “concerned supervisory authorities”. Several of them did so in this case, in particular regarding the penalties to be imposed. As the lead authority, the Irish Data Protection Commission initiated the dispute resolution procedure under Article 65 of the GDPR. The EDPB then adopted a binding decision on April 13, 2023, settling the matter. The Irish authority has thus simply adopted, in its own decision, what had been decided at European level.

  • What exactly does the decision provide for? 

Although the magnitude of the fine is noteworthy, it is important to emphasize that the primary aspect of the decision is the requirement to halt data transfers to the USA. The Irish Data Protection Commission had already ordered this in its preliminary order of 2020, and on this point all national data protection authorities agreed. Meta now has five months from the notification date of the decision (May 12) to cease its transfers. The transfers must therefore be terminated no later than October 12.

Another important aspect pertains to the illicit data transfers that have taken place since the invalidation of the Privacy Shield in 2020. Various national data protection authorities, led by the French CNIL, believed that this situation necessitated compliance measures. Consequently, Meta was instructed to ensure the compliance of its processing activities with Chapter V of the GDPR. This involves ceasing any unlawful processing, including storage, of personal data from European Economic Area users in the United States. Although not explicitly stated in the decision, it seems implied that Meta will need to delete data transferred to the US since July 2020. Some national data protection authorities share this view, although it is possible to speculate that data encryption might be considered as an alternative (provided it prevents access by surveillance authorities). In any case, Meta has a 6-month timeframe to achieve compliance. 

The fine of 1.2 billion euros imposed on Meta is exceptionally high. Not only is it the largest fine issued under the GDPR, but it is also the first penalty imposed for unlawful data transfers. Initially, the Irish Data Protection Commission (DPC) was reluctant to impose a fine at all, taking Meta’s good faith into account. However, the data protection authorities of Germany, Austria, Spain and France insisted on one. While the EDPB left the final amount of the fine to the Irish authority, it directed the DPC to impose a penalty that reflects the seriousness of the breaches, the company’s size and the number of affected users. The EDPB highlighted the very large number of individuals affected and the prolonged duration of the violation, ongoing since July 16, 2020. It also indicated that a sum sufficient to punish and deter unlawful transfers should lie between 20% and 100% of the GDPR maximum. The Irish DPC, in its own words, set the amount taking into account the consequences of its decision for Meta, which has consistently stressed that the ruling could lead it to cease offering the Facebook service in the European Union, a market that represents 10% of its revenues.

  • What are the legal grounds for the decision? 

Chapter V of the General Data Protection Regulation (GDPR) sets out the rules governing international transfers of personal data from the European Economic Area (EEA). Its purpose is to ensure that the level of protection individuals enjoy is not undermined when their personal data is transferred outside Europe. Companies are required to put in place “appropriate safeguards” for such transfers, unless the receiving country benefits from an adequacy decision of the European Commission, in which case no additional measures are required.

In the case of the United States, no adequacy decision has been granted due to the limited privacy protections provided by American legislation. Two specific legislative provisions have raised concerns among European authorities: Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. These provisions have been identified as particularly problematic from a data protection standpoint. 

Enacted in 1978, the FISA authorizes and regulates the surveillance of electronic communications for intelligence purposes. It has been amended many times since its adoption. In 2008, Congress added Section 702 as a new provision within FISA to permit the collection of information on non-US persons. Section 702 empowers US intelligence agencies to conduct targeted surveillance of foreign individuals located outside the United States who are likely to possess, receive or communicate foreign intelligence information relating to terrorism, arms proliferation and similar matters. The intelligence services select the targets of surveillance themselves, without judicial review of individual targeting decisions, provided the targets are neither US persons nor present on US territory and therefore do not enjoy the protections of the US Constitution. Notably, Section 702 of FISA is scheduled to expire on December 31, 2023, but Congress is likely to renew it, as the Biden administration wishes.

Each year, the Attorney General and the Director of National Intelligence prepare “certifications” that authorize Section 702 surveillance programs. These certifications are then submitted to the Foreign Intelligence Surveillance Court (FISC) for approval. The certifications cover several key elements, such as the categories of foreign intelligence information to be collected, confirmation that a “significant purpose” (not the “primary purpose”) of the program is to obtain foreign intelligence information, and confirmation that the program involves obtaining that information from, or with the assistance of, a US electronic communications service provider. If all the required elements are present, the FISC must approve the certification. It is important to note that the FISC plays no part in the selection of individual targets. Once the certification has been approved by the court, the agencies select the targets for monitoring and can compel electronic communications service providers to assist in collecting data on those targets.

Currently, two forms of data collection under Section 702 are in operation. Under PRISM, the authorities obtain the communications of specific targets (identified, for example, by an email address) directly from US-based online service providers (such as Facebook, Google or Amazon). The National Security Agency (NSA) receives the collected information and may share it with the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI). The other form, known as “upstream” collection, involves the acquisition of communications to, from or “about” a target as they transit networks controlled by US-based telecommunications providers (such as AT&T). To achieve this, the NSA uses equipment positioned at strategic points in the US internet backbone. Raw data collected in this manner can only be accessed by the NSA, but may be shared with the CIA and FBI after minimization.

Executive Order 12333, initially issued in 1981 and subsequently amended, authorizes surveillance activities conducted outside the United States and targeting foreign persons. It operates separately from Section 702 of FISA, which governs collection carried out from within the US with the compelled assistance of US providers. Executive Order 12333 permits the bulk collection of data without judicial oversight, enabling the acquisition of very large volumes of information. In its surveillance operations, the National Security Agency (NSA) identifies foreign entities, such as individuals or organizations, holding intelligence information relevant to specific identified needs; for instance, it seeks to identify individuals who may be linked to terrorist networks. This process often involves the collection of metadata from overseas communications, particularly telephone calls. Notably, Executive Order 12333 permits the collection of communications between persons located outside the United States and persons located within the United States.

European data protection authorities consider that these provisions allow US authorities to access personal data transferred to the US in a manner incompatible with the protection guaranteed by the GDPR. For this reason, the United States and the European Union have long sought to agree on mechanisms designed to offer Europeans whose data is transferred to the United States a satisfactory level of protection: the Safe Harbor, in force from 2000 to 2015, and then the Privacy Shield, in force from 2016 to 2020. The adequacy decisions adopted on the basis of these mechanisms were, however, successively annulled by the Court of Justice of the European Union. Since the Privacy Shield was invalidated on July 16, 2020, companies must therefore rely on another valid legal mechanism to ensure that transfers of personal data from the EU to the US are accompanied by appropriate safeguards. They generally base transfers on Standard Contractual Clauses (SCCs), model clauses adopted by the European Commission which companies incorporate into their contracts in order to transfer data lawfully.

In its decision on the Privacy Shield, the Court of Justice upheld the use of standard contractual clauses for data transfers. However, it also held that companies relying on these clauses must assess the legal framework of the receiving country to ensure that the transferred personal data receives a level of protection “essentially equivalent” to that guaranteed within the EU. This assessment includes verifying whether the legislation of the recipient country allows the clauses to be complied with in practice. Data Transfer Impact Assessments are therefore required to evaluate the protection afforded by the laws of the destination country and to determine whether supplementary measures are needed to ensure essentially equivalent protection for individuals.

In the case of Meta, the contractual clauses and guarantees offered by the company were deemed insufficient. The Irish Data Protection Commission (DPC) specifically noted that Meta’s revised standard contractual clauses, which were updated in 2021, did not adequately address the challenges posed by US legislation. Moreover, the additional measures implemented by Meta were evaluated in light of the relevant US laws and were found to be inadequate in providing “essentially equivalent” protection. 

  • What are the consequences of the decision? 

Although this decision concerns Meta alone, it has potential implications for all entities relying on standard contractual clauses for data transfers to the USA. The Irish Data Protection Commission (DPC) itself acknowledges the wide-ranging scope of its reasoning, which applies to all providers of electronic communications services that transfer personal data. The ruling therefore creates significant legal uncertainty.

It is important to note that the decision does not invalidate the use of standard contractual clauses as a legal basis for data transfers. It does, however, confirm that relying solely on these clauses is insufficient when transferring data to countries without an adequacy decision. A rigorous Data Transfer Impact Assessment must be carried out, and the supplementary measures adopted must provide effective safeguards. Several factors come into play, such as the volume and sensitivity of the data transferred, whether it is encrypted and who holds the keys, and whether authorities in the recipient country have previously sought access to data held by the company.

It remains uncertain whether any supplementary measures can truly provide satisfactory protection when large technology companies transfer data to the US. Encryption is the obvious candidate, but its effectiveness against the surveillance powers described above is questionable as long as the transferring company holds the keys, since US authorities can compel their disclosure. One possibility would be for the companies transferring the data not to hold the encryption keys at all, as in true end-to-end encryption. However, as Anupam Chander and Joe Jones point out, being unable to decrypt the data would prevent those companies from carrying out certain tasks, such as content moderation, and would undermine a business model that relies on profiling and targeted advertising.

  • What can we expect from now on? 

Meta is strongly contesting the decision. In a statement by Nick Clegg, Meta’s President of Global Affairs, the company asserted its good faith in using standard contractual clauses and warned of the consequences of a fragmented and isolated internet in which data cannot circulate. Clegg highlighted the negative economic impact of the decision and the obstacle it creates to developing services shared across countries. Meta also announced its intention to appeal the decision and to seek a stay of execution.

However, it is likely that Meta will not in fact have to halt its transfers in October as ordered by the Irish Data Protection Commission (DPC), because the Data Privacy Framework, a new arrangement between the USA and the EU, is expected to take effect through the adoption of a new adequacy decision. In the spring of 2022, the European Union and the United States reached an agreement in principle on a new mechanism for transatlantic data transfers. Under this agreement, the US committed to ensuring that government surveillance and data collection are conducted in a manner that is “necessary and proportionate”, the standard applied in Europe. The US also undertook to establish an independent redress mechanism overseeing data collection and processing by US authorities. As before, US companies will self-certify their compliance with the framework’s principles by registering with the Department of Commerce. With the Data Privacy Framework and the new adequacy decision in place, Meta and other companies are therefore expected to be able to continue transferring data, provided they meet the framework’s requirements.

Following the agreement, U.S. President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) on October 7, 2022. Its objective is to establish a stronger framework for surveillance activities. It provides that U.S. authorities may collect data only for specified national security purposes, only where necessary to achieve those purposes, and in a manner proportionate to them; the principles of “necessity” and “proportionality” appear explicitly in the text. To comply with the new safeguards, intelligence agencies must update their procedures, and the Privacy and Civil Liberties Oversight Board (PCLOB), an existing independent body, is tasked with reviewing those procedures annually. In addition, the Executive Order introduces a redress mechanism for individuals whose data is collected. Complaints are first reviewed by the Civil Liberties Protection Officer (CLPO) within the Office of the Director of National Intelligence. The CLPO’s decisions can be challenged before a newly created Data Protection Review Court (DPRC). Both the CLPO and the DPRC can issue binding decisions that the U.S. intelligence services must comply with. These redress possibilities are a significant development within the Data Privacy Framework: they are intended to answer European concerns, since the lack of effective redress was one of the reasons the Court of Justice of the European Union invalidated the Privacy Shield. It should be noted, however, that under the Executive Order this right of redress is limited to nationals of countries designated as “qualifying states” by the U.S. Attorney General. Before extending it to Europeans, the Attorney General must determine whether European legislation on data collection and surveillance adequately respects the privacy rights of US persons.

Following the adoption of Executive Order 14086, the European Commission published, on December 13, 2022, a draft adequacy decision taking into account the additional safeguards and the right to redress provided by the new US measures. As with the Privacy Shield, the draft has met with reservations and criticism. The European Data Protection Board (EDPB) issued an opinion on February 28, 2023 expressing its reservations. While acknowledging the progress made by EO 14086, it pointed out several concerns: US law still permits bulk data collection, and it lacks a comprehensive framework for automated decision-making and profiling. The EDPB also stressed the need to clarify various mechanisms, including the procedures by which individuals can exercise their right to redress.

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) gave its opinion on April 13, 2023, finding that the Data Privacy Framework does not provide sufficient guarantees for EU citizens. In a resolution adopted in plenary in May 2023, Members of the European Parliament (MEPs) called on the European Commission not to adopt the adequacy decision. According to the resolution, although the new framework is an improvement over previous mechanisms, it still lacks adequate guarantees. MEPs highlighted several concerns: bulk data collection is still permitted in certain cases without prior independent authorization, there are no clear rules on data retention, and the decisions of the new court created to give Europeans a right of redress are confidential. The resolution also noted that the judges of this court can be dismissed by the US President, which undermines its independence. While the Parliament’s resolution is not binding on the Commission, it carries significant political weight and records the Parliament’s reservations about the adequacy decision.

The European Commission must now obtain the approval of a committee of representatives of the 27 EU member states. To adopt the decision, it needs a qualified majority: at least 55% of the member states, representing at least 65% of the EU population, i.e. a minimum of 15 of the 27 member states. Conversely, a blocking minority must comprise at least 4 member states representing at least 35% of the EU population. By the end of May, the Commission had confirmed that it expected the new adequacy decision to be adopted in the summer of 2023. It is not impossible, however, that this adequacy decision, once adopted, will in turn be invalidated by the Court of Justice: Maximilian Schrems has already announced his intention to challenge it.

In the end, the solution for the companies concerned may be to refrain from transferring data to the United States and to process it within Europe instead. As explained by Anupam Chander and Joe Jones, Microsoft has made this choice for certain services under its EU Data Boundary project. Similarly, TikTok, which launched Project Texas in the US to process data collected there, is reportedly about to adopt a similar approach in Europe with Project Clover. However, this option is not the easiest to implement for globally integrated companies.
