Today, the Irish Data Protection Commission (DPC) published its long-anticipated decision regarding the legality of Meta’s transfers of personal data from the EU to the US. The Irish DPC found that even when using the new 2021 Standard Contractual Clauses and supplemental measures, Meta’s transfers violated the GDPR. Under the decision, the Irish DPC issued a $1.3 billion fine and order for Meta to cease transferring personal data in violation of GDPR. Meta has indicated through an online response that it intends to appeal the decision and seek a stay of the order.
This decision is monumental because it threatens all data transfers from the EU to the US. While the record fine may be the headline, the injunction is the bigger issue. Meta used the same data transfer framework relied on by most companies, and implemented supplemental measures beyond those of many companies. Even with these measures, the DPC was still concerned that Meta could not protect EU data from the US government. While the decision states that the DPC has not imposed a permanent ban on data transfers from the EU to the US, this decision could be viewed as a ban given that it outright dismisses alternative options for transferring data, such as express consent, and offers no concrete supplemental measures to address the deficiencies in US law.
Another important aspect of the decision is the interplay among the various EU DPCs. Although the Irish DPC issued the decision, other DPCs weighed in, as authorized by the GDPR. The Irish DPC did not want to issue the record fine, but was overruled by other DPCs and the European Data Protection Board (EDPB) through a binding EDPB decision. Notably, all DPCs agreed on an injunction. This reemphasizes that the injunction is the bigger issue.
At this time, it is unclear what companies can do to address EU data transfer requirements, outside of continuing to execute Standard Contractual Clauses and implement supplemental measures. All eyes are on the appeal to the high court, and whether this decision will help push the US government to take measures to address EU concerns. We will continue to monitor the situation and provide updates.
It remains the case therefore that, in circumstances where the CJEU has found that US law interferes with the rights of data subjects under Articles 7, 8 and 47 of the Charter (as already set out above), the 2021 SCCs cannot compensate for the inadequacies in the level of protection afforded by US law.
https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf
unknownx500
