Data protection: Meta's mega matter
Almost five years to the day from the GDPR coming into force, the biggest ever data penalty – by some measure – of €1.2 billion was issued to Facebook on 22 May 2023. Arguably of greater impact is the formal suspension order requiring Facebook not just to halt exportation of European Union user data to the United States, but to bring any data already transferred to the US into compliance.
Even without a crystal ball, it might have been easy enough to predict back in 2018 that the biggest penalties would go to big tech, given their data use (we’ve seen that play out with other significant penalties to the likes of Amazon, Google and TikTok). What would have been less easy to predict, as we all completed risk radars in 2018, is that the penalty was not for intrusive profiling, or a security breach, but for sending personal data to the US. It might also have been hard to predict that the penalty would be the result of the hotly debated binding dispute resolution procedure in GDPR, which gives ultimate decision making power to the European Data Protection Board (EDPB), laying bare the political wrangling behind the decision.
While the impact is primarily felt by Facebook for now, this decision sends a clear message to all global organisations that the EDPB is a force to be reckoned with when it comes to international data transfers. It undoubtedly bolsters uncertainty surrounding liability for personal data transfers across the Atlantic – all eyes will now be on whether the new EU-US Data Privacy framework can be negotiated on time to enable a viable alternative.
Blockbuster, but no popcorn
How did we get here? A series of blockbuster data events…
The Facebook/Meta decision is the culmination of 10 years of challenge and, according to the Schrems website noyb, €10 million of costs – so let’s take a look at how we got here (warning: not a popcorn moment!).
The prequel – Panama Papers: Long before GDPR was even a glint in the eye of the European Commission, levels of US surveillance were a concern of privacy groups globally, heightened by the Panama Papers revelations.
Schrems I: First, we had Schrems I (predating GDPR in 2015), in which the CJEU invalidated the EU-US Safe Harbour regime following a complaint from Max Schrems about Facebook relying on Safe Harbour, which disrupted a longstanding status quo on EU-US data transfers. Schrems I resulted in greater reliance on Standard Contractual Clauses (“SCCs”) and the introduction of a more comprehensive EU-US Privacy Shield regime in 2016.
Schrems II: In true Hollywood style, the sequel in 2020 – Schrems II – was a GDPR-fuelled blockbuster of a decision, following essentially the same challenge from Max Schrems against Facebook, with the CJEU invalidating the still fresh Privacy Shield. Schrems II introduced a new requirement to conduct “transfer impact assessments”, but stopped short of saying nobody could use the SCCs any more. At roughly the same time, the Commission finalised a modernised set of SCCs aimed at addressing some of the concerns raised in Schrems II. Anyone practising in this area will tell you that Schrems II left in its wake a lot of re-papering which is still ongoing for many organisations – especially in the UK where changes were further complicated and delayed by Brexit.
What does this mean for Meta 2022?
The Meta decision is made against the backdrop of Schrems I and II, but – crucially – it is not a CJEU decision invalidating an entire regime. The decision, albeit having a significant impact, is at its simplest level enforcement by the Irish national data regulator (the DPC) against Facebook (one company within the Meta group). Schrems III will only happen if the new EU-US privacy framework does not offer “essential equivalence” for EU data going to the States – that framework has been announced but is not yet published. The already heated debate around the new framework will undoubtedly now be hotter on the heels of the Meta decision, however.
Before we look at the new EU-US framework, let’s take a closer look at the Facebook enforcement itself.
The enforcement
- Money: an administrative fine of €1.2 billion (payable to the DPC);
- Suspension: suspension of any future transfer of personal data to the US by Facebook within five months of the decision; and
- Remediation: within six months, specific measures to achieve compliant data use under Chapter V of the GDPR by ceasing unlawful processing (including storage) in the US of Facebook European users’ personal data.
While Facebook has responded to the decision by labelling the penalties as “unjustified and unnecessary”, and has indicated it will seek to appeal, the EDPB’s chair Andrea Jelinek has stated that Meta’s infringement is “very serious since it concerns transfers that are systematic, repetitive and continuous”.
The impact
Ironically, while it is the fine which has grabbed the most headlines, it is the penalty that Facebook might be best placed to deal with. It remains to be seen how it would comply with the suspension and rectification orders. Simply stopping transfers of some user data may require systems to be restructured. Perhaps of even greater impact, identifying and disentangling European user data from other US data (for example through encryption, anonymisation or re-localisation) could be technically impossible – like recovering a drop of ink from a swimming pool. At this stage, the associated technical and operational challenges seem insurmountable. Although the enforcement applies only to Facebook, we suspect Facebook would not be alone in having that issue, given the large, incongruous and often international nature of datasets in the age of big data.
The EDPB’s role
From a legal perspective, one of the most interesting aspects of the decision is what we can see about the debate behind it. The decision itself has taken almost a year to land, following the initial draft circulated by the Irish DPC as the lead supervisory authority to other European data regulators. Of those 27 regulators, objections were raised by only a handful (including a significantly influential group of France, Spain, Germany). The decision to impose a financial penalty was, in particular, something which the DPC had not originally proposed, having felt it would not have a deterrent effect – but this was essentially overruled.
This decision is recommended reading for anyone seeking insight into the many competing factors that DPAs will consider when imposing penalties, and what side of the fence they may fall down on. While our own ICO in the UK was not party to this decision process (and has been able to keep its powder dry), it is worth noting that the UK GDPR (at time of writing) still very closely mirrors GDPR.
The new EU-US framework: a solution?
The Meta decision – significantly – highlights the point that was already established in Schrems II, that SCCs alone are not enough to ensure that transfers to “non-adequate” territories are compliant with GDPR. In this case, all the post-Schrems II compliance mechanisms, including SCCs, transfer risk assessment and supplementary security measures, were in place and, Facebook argued, demonstrated. Some commentators are questioning whether the only measure left is to change US domestic law, something that is beyond the power of individual organisations, even Facebook. That is why all eyes now turn to the new EU-US privacy framework. In the three years that have passed since Schrems II, the UK and US have been continually negotiating an alternative data transfer mechanism, the Trans-Atlantic Data Privacy Framework.
If approved, the mechanism will provide businesses relying on international data transfers with a route to compliance with EU and UK law, putting an end to years of uncertainty created by the Schrems II judgment.
Doubts have been expressed about whether the proposed framework offers equivalent protection to data subjects as under EU law, notably by the European Parliament which recently urged the Commission not to adopt the current version. The Parliament expressed concerns that, as it stands, the framework still allows for bulk collection of personal data, does not make bulk data collection subject to independent prior authorisation, nor does it provide for clear rules on data retention. As we might expect, Schrems III waits in the wings: Max Schrems too has indicated that he will challenge the framework in court if it is accepted in its current form.
While data subjects, organisations and regulators continue to await the new framework with bated breath, the DPC’s decision is already catalysing an even bigger push at a political level to get the framework up and running. Despite the harsh criticism emanating from the EU Parliament, it is expected that a decision will be made on the adequacy of this mechanism in summer 2023. However, even if the EU Commission approves the new EU-US data transfer framework, the CJEU’s blessing is far from guaranteed (and with its invalidations having retroactive effect, there are no sighs of relief quite yet).
What do we do right now?
As noted, this decision specifically applies only to data processing by Facebook. Nevertheless, the DPC has stated that, due to the way US surveillance laws operate, “the analysis in this decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider… may equally fall foul of the [transfer rules]”.
So while the focus of this decision is big tech transferring extensive and potentially sensitive datasets, the repercussions will undoubtedly be felt by the many organisations seeking clarity around how to conduct business as usual activity involving global transfers in a way that is compliant.
There is inevitable concern that the many organisations transferring data to the US (and other jurisdictions that don’t offer “essential equivalence”) can’t just stop it overnight – even UK-only organisations often need to use suppliers overseas to meet commercial pressures. What then can we do? The message for now has to be, keep calm and carry on. With limited tools in their arsenal, organisations should continue to follow the EDPB and equivalent UK guidance on security measures, and undertake thorough risk assessments and document practices in impact assessments and SCCs. This will be the best defence if a regulator comes knocking.
A final thought to leave you with: although privacy class actions are very unwell post-Lloyd v Google, they are not dead. In the wake of this recent decision, Max Schrems is calling for those who have suffered emotional damage as a result of Facebook’s US transfers to sign up to privacy class actions under the EU Collective Redress Directive. This is certainly an area to keep an eye on, as the law continues to evolve at pace.