
Meta's EU - US personal data transfers deemed unlawful


The largest ever EU GDPR fine was imposed on Meta Platforms Ireland Ltd (aka Facebook) by the Irish data protection regulator in May: an eye-watering €1.2 billion.

The case related to Meta’s use of the EU standard contractual clauses (both the old version and the current version, together with a vast and varied array of supplementary measures also put in place by Meta to safeguard personal data) to legitimise personal data transfers from the EU to the US after the Privacy Shield mechanism became unlawful in 2020 following the Schrems II case. These are the same standard contractual clauses which the majority of UK organisations also use to legitimise transfers from the UK to ‘third countries’ (i.e. countries outside of the UK which do not have adequacy decisions/regulations).

The Irish data protection regulator found that Meta failed to provide an essentially equivalent level of protection to the EU personal data which it transferred to the US, which was a breach of the EU GDPR.

In addition to the fine, Meta was ordered to:

1. Suspend EU – US personal data transfers.

2. Bring its processing operations into compliance “by ceasing the unlawful processing, including storage, in the U.S. of personal data”. Whilst there may be other options, this would seem on the face of it to require the return or deletion of the personal data transferred to and stored in the US where this was done on the basis of the EU standard contractual clauses (which is much easier said than done!).

Meta does not have to do these things immediately and has already said it will challenge the decision and seek to pause the timescales it has been given to action the above, so there is no immediate impact on EU citizens’ Facebook use. Also, the general hope is that the new EU – US data transfer mechanism will come into effect before Meta has to do anything, in which case the period of non-compliance and EU GDPR breach may remain, but personal data transfers from the EU to the US should become legitimate again.

The main concern with transfers of personal data to the US relates to US surveillance laws, including the Foreign Intelligence Surveillance Act (FISA). In the Meta case the Irish data protection regulator commented that “the analysis in this decision exposes a situation whereby any internet platforms falling within the definition of an electronic communications service provider subject to the U.S. Foreign Intelligence Surveillance Act 702 PRISM program may equally fall foul” of the EU GDPR’s requirements on international data transfers. It follows that organisations may have more scope to lawfully rely on the EU standard contractual clauses to transfer EU personal data to the US if these laws do not apply to the US importer, or apply to it only to a lesser degree.

For UK organisations, the Meta decision poses two key questions:

1. How does it impact UK law and the UK GDPR? EU decisions (including those of the Irish data protection regulator) don’t apply to or directly impact organisations in the UK, but given that the UK GDPR is effectively the same as the EU GDPR, it would follow that the decision may be the same if considered by the UK regulator or courts, even if the enforcement action itself (e.g. fines) was different. However, the UK data protection regulator (the Information Commissioner’s Office) is generally considered to take a less stringent approach to enforcement of the UK GDPR than its EU equivalents, and the government’s proposed data protection reforms are seeking to reinforce that approach on a legislative basis. That said, this decision reminds UK organisations to take the international data transfer requirements, and the need to carry out transfer risk assessments and adopt appropriate supplementary measures, seriously when UK data subjects’ personal data is transferred from the UK to any third country (not just the US).

2. Does the decision impact organisations other than Meta? The answer to this is most definitely yes. The decision didn’t say all EU – US personal data transfers are unlawful or must stop, but the issues are certainly not unique to Meta. Indeed, if you read Meta’s press release, they make it clear that this is a much larger issue than just them and one which requires political resolution.

Our data protection and technology teams have many years of experience in advising organisations on both their technology requirements and those related to compliance with data protection law. To speak to one of the team, you can get in touch by calling us on 0800 2800 421.