What do we do about our international data transfers following the IDPC’s 22 May 2023 Meta decision?
01 June 2023
Further to the news of the long-awaited Irish Data Protection Commission’s (“IDPC”) final decision in the Meta international data transfers inquiry, we make a short comment below about what businesses (both controller and processor, and everything in between) might, and indeed can, consider doing in response.
Please see our initial comment here.
Note we say “might” consider doing and make only a “short” comment because there is a feast of interrelated issues to consider and various moveable parts coming into play in the next 2-6 months (a “moveable feast” if you will), and as such it is hard to predict what might happen or really how you should (or indeed, can) respond. Things that might happen in the next 2-6 months are (without limitation) as follows:
1. How will Meta Ireland’s publicly acknowledged intention to appeal proceed? How long will it take? What impact will this have on the orders made against it by the IDPC? Will there be an application for injunction? Will there be a further referral to the CJEU?
In broad summary the orders from the IDPC are:
a. a stop transfers order: Meta must stop personal data transfers to the US within 5 months of 12 May 2023 unless it can find a way to validate them (although with appeals this period can be extended by several months).
The IDPC (and other interested EU regulators – all of them!) came to this decision because in their view “U.S. law does not provide a level of protection that is essentially equivalent to that provided by EU law”, and none of the myriad wide-ranging and market-leading supplemental measures Meta put in place to supplement its use of the new EU SCCs, as detailed in its transfer impact/risk assessment (TIA or TRA), could get round this.
Do note the IDPC’s rather extreme comment “Meta Ireland does not have in place any [yes “any”] supplemental measures which would compensate for the inadequate protection provided by US law” (IDPC Decision 7.202(3)).
The supplemental measures that Meta had in place, and which the IDPC analysed, were categorised into three areas: organisational measures (including various policies such as a Disclosure Policy; a Disproportionate Requests Policy; a Notification Policy; a Data Access Policy; Law Enforcement Guidelines; Facebook Transparency Reports; Data Sharing Policies; and a People Security Policy); technical measures (including a Comprehensive Information Security Program (“CISP”) that was described as protecting “the confidentiality, [i]ntegrity, and availability of data stored on [Meta US’s] systems, platforms and products”); and legal measures (for instance Meta US had provided additional transparency to its users in respect of government agency requests, as well as committing to challenging governmental data access requests it believes are unlawful).
b. a compliance order re previously transferred personal data: “to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the IE SA's final decision to Meta IE”. In other words, Meta have been ordered (although without much clarity in the terms of the order) to work out what to do with data allegedly transferred unlawfully up to the date of the IDPC’s decision (Delete? Anonymise? “Re-patriate”? – amongst other options).
c. the fine of €1.2 Bn: one comment only, it is the largest fine so far under GDPR, dwarfing the Luxembourg DPA’s Amazon fine (see our comment here: Amazon Luxembourg fine). How this number was reached could be an article in and of itself, but right now it is not the main issue to consider.
2. When will the US turn President Biden’s much-lauded Executive Order (see our comment here: Biden EO) from paper to reality, e.g. deeming the EU, the EEA “3”, the UK and Switzerland as “qualifying states” so their citizens can benefit from the court of redress (indeed, when will that court actually come into being!)? Similarly, when will the relevant security agencies in the US actually implement the text in Section 2(a)(ii)(A) and (B) of the Executive Order, namely that surveillance activities must be only “necessary to advance a validated intelligence priority” and “proportionate to the validated intelligence priority for which they have been authorized”, and, as continued in Section 2(a)(iii), that “signals intelligence activities shall be subjected to rigorous oversight in order to ensure that they comport with the principles identified above”?
3. When will the EU-US (and then, one assumes, the EU-UK and EU-Swiss) adequacy decision/framework be finalised, namely the EU-US Data Privacy Framework (the “DPF”) (see our comment here: EU US Adequacy Decision)?
4. What is the UK ICO’s response to all of this? What about the Swiss FDPIC? So far, at the time of writing, silence: even when giving a speech to the European Parliament’s LIBE Committee the day after, John Edwards made no mention of the case (LIBE Speech).
Further, of course, each data exporter/data importer will need to look at the decision on a case-by-case basis and see how it applies to them. Yes, there are key general themes (see our proposed Action Plan at the end of the note), but there are myriad different scenarios here (again without limitation):
1. What if you are the size of Meta but only transfer very vanilla B2B personal data? Should this decision concern you at all assuming you have put in place decent compliance re your transfer mechanisms?
2. Conversely, what if you are a minnow but transfer a lot of special category/sensitive data?
3. There is material focus from the IDPC on s.702 FISA’s known downstream programme (PRISM). What if you are not an e-communications provider and therefore not subject to s.702? Again, can you view this decision differently? Are your supplemental measures more likely to work?
4. What if you are in the UK or Switzerland?
5. What about the impact on other pending investigations/decisions such as use of Google Analytics?
6. What about US financial services companies, many of which will not be able to rely directly on any EU-US DPF to validate transfers of personal data to the US, and so do not have the potential (fingers crossed) backstop of being able to use the DPF directly?
And on that note, what do we do outside our internal/intra group transfer paradigm?
Many of our clients have just finished, or are polishing off the final touches to, their latest round of both intra-group updates and third-party vendor updates to ensure that the new SCCs are in place and that adequate TIA/TRAs and due diligence are in place. [By our reckoning this is about the third or fourth round of contractual updates since GDPR came into force – imagine if all that time, energy and money had been put into productive commerce, research and innovation?]
Does another round of frantic questionnaire sending or contractual updates need to happen? Or should we all wait until, if and when, the EU-US adequacy decision is finalised and many, many US vendors transition to being certified participants of the DPF? [Which in and of itself will likely necessitate yet another round of paper pushing…]
So in summary, what can you do? Not much, and the position is “grey” to say the least, but we recommend the following as a first step (the “Action Plan”):
1. Revisit your SCCs (internal and vendor templates/agreements) to make sure they have all been updated. While the decision was at pains to make it clear that use of the 2021 SCCs alone would not have validated the transfers to the US, it is nevertheless important to at least be on the front foot;
2. Ensure your TIA/TRAs are as detailed as possible (of course noting the IDPC’s comment on the Meta TIA in the decision IDPC Decision especially their comments on the “Record of Safeguards” and the section from page 94 on “Whether there are Supplemental Measures that could Address the Inadequacy Protection Provided by US Law”);
3. Revisit your supplemental measures as far as you are able (review the IDPC decision again on this point);
4. [This is perhaps an option many cannot take] Consider reducing or suspending transfers: (a) look at your transfers and see if they can be reduced, and/or (b) look at any data you hold in the US currently and what you might need to do, particularly if the organisation importing your data is caught by section 702 of FISA; and
5. Explore Article 49 derogations, i.e. explore whether any of the Article 49 transfer derogations might be applicable. Note, however, that the general EDPB Guidance on these derogations makes clear they can only be used narrowly (EDPB on Article 49), and the IDPC decision also makes a similar comment about their narrow application (see section 8).
But most crucially watch this space and hope “Government” responds speedily and effectively to close some of the gaps and answer some of the questions set out above.
We will also be holding an In House Data Club “ad hoc” session on this in the coming weeks. Please look out for details.
Click here to read the Irish Data Protection Commission’s (“IDPC”) final decision in the Meta international data transfers inquiry.