by Florence G’sell
On May 22, 2023, the Irish Data Protection Commission (DPC) published its decision of May 12, 2023 fining Meta Platforms Ireland Limited €1.2 billion for violating the General Data Protection Regulation (GDPR). This recent decision, which imposes the highest fine ever under the GDPR, states that the conditions under which Meta (formerly known as Facebook) has transferred personal data to the US since July 16, 2020 did not ensure an adequate level of data protection for individuals in line with European Union requirements. Consequently, Meta is given a period of 5 months to halt all personal data transfers to the US and 6 months to align all its data storage and processing practices with EU law.
Although spectacular, this decision was foreseeable and expected. It represents the latest stage in the litigation brought by Maximilian Schrems and his association NOYB in the wake of Edward Snowden’s revelations about US surveillance programs. Notably, the impact of this decision goes well beyond Meta’s data transfers to the US. By challenging the legal foundation on which most international data transfers are currently conducted, this decision has significant implications for all companies engaged in such transfers to countries outside the European Union.
Following the CJEU ruling that invalidated the Privacy Shield on July 16, 2020, the Irish Data Protection Commission (DPC) initiated an investigation into Facebook’s data transfers to the US to determine their legality. Since the Privacy Shield’s invalidation, Meta (formerly Facebook), like many other companies, has relied on Standard Contractual Clauses (SCCs) for personal data transfers. However, the Irish DPC found that the guarantees Meta provided were insufficient in this context and issued a preliminary order in autumn 2020, demanding the cessation of data transfers to the United States. Meta appealed the order and obtained a temporary suspension of it.
After a series of complex developments, the case was reviewed by the European Data Protection Board (EDPB), composed of representatives from all national data protection authorities, following the dispute resolution mechanism outlined in the GDPR. In such cases, the relevant national data protection authorities have the opportunity to express their objections as “concerned supervisory authorities”. Multiple national data protection authorities raised objections in this particular case regarding the penalties to be imposed. As the lead authority, the Irish Data Protection Commission thus initiated a dispute resolution procedure based on Article 65 of the GDPR. Subsequently, the EDPB made a binding decision dated April 13, 2023, settling the matter. The Irish authority has thus simply adopted, in its own decision, what had been decided at European level.
Although the magnitude of the fine is noteworthy, it is important to emphasize that the primary aspect of the decision is the requirement to halt data transfers to the USA. The Irish Data Protection Commission had already established this ruling in 2020, which was a consensus among all national data protection authorities. Meta now has a timeframe of five months from the notification date of the decision (which occurred on May 12) to cease its transfers. Therefore, the transfers must be terminated no later than October 12.
Another important aspect pertains to the illicit data transfers that have taken place since the invalidation of the Privacy Shield in 2020. Various national data protection authorities, led by the French CNIL, believed that this situation necessitated compliance measures. Consequently, Meta was instructed to ensure the compliance of its processing activities with Chapter V of the GDPR. This involves ceasing any unlawful processing, including storage, of personal data from European Economic Area users in the United States. Although not explicitly stated in the decision, it seems implied that Meta will need to delete data transferred to the US since July 2020. Some national data protection authorities share this view, although it is possible to speculate that data encryption might be considered as an alternative (provided it prevents access by surveillance authorities). In any case, Meta has a 6-month timeframe to achieve compliance.
The imposed fine of 1.2 billion euros on Meta is exceptionally high. Not only is it the largest fine issued under the GDPR, but it also marks the first penalty related to unlawful data transfers. Initially, the Irish Data Protection Commission (DPC) was hesitant to impose such a substantial fine, considering Meta’s good faith. However, the data protection authorities of Germany, Austria, Spain, and France insisted on it. While the EDPB left the final amount of the fine to the Irish authority, it directed the DPC to impose a penalty that reflects the seriousness of the breaches, the company’s size, and the number of affected users. The EDPB highlighted the significant number of individuals impacted and the prolonged duration of the GDPR violation since July 16, 2020. It also recommended a sum that is sufficient to punish and deter unlawful transfers, ranging from 20% to 100% of the GDPR maximum. The Irish DPC, in its own words, set this amount taking into account the consequences of its decision for Meta, which has constantly stressed that the ruling could lead it to cease offering the Facebook service in the European Union, which represents 10% of its revenues.
Chapter V of the General Data Protection Regulation (GDPR) outlines rules governing international transfers of personal data from the European Economic Area (EEA). The purpose is to ensure that individuals’ level of data protection remains intact when their personal data is transferred outside of Europe. Companies are obligated to establish “adequate safeguards” for such transfers, unless the receiving country has obtained an adequacy decision from the European Commission, which exempts them from additional measures.
In the case of the United States, no adequacy decision has been granted due to the limited privacy protections provided by US legislation. Two specific legislative provisions have raised concerns among European authorities: Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.
Enacted in 1978, the FISA serves as the authorization and regulatory framework for intelligence-related electronic communications surveillance. Over the years, it has undergone several amendments. In 2008, Congress introduced Section 702 as a new provision within FISA to permit the collection of information on non-US citizens. Section 702 empowers US intelligence agencies to conduct targeted surveillance on foreign individuals located outside the United States who are likely to possess, receive, or communicate intelligence information related to terrorism, arms trafficking, and other such activities. The intelligence services have the discretion to determine the targets for surveillance without judicial oversight, provided these individuals are neither US nationals nor present within US territory and therefore do not enjoy the protections guaranteed by the US Constitution. Notably, Section 702 of FISA is scheduled to expire on December 31, 2023, but it is likely that Congress will decide to renew it, which is the wish of the Biden administration.
Each year, the Attorney General and Director of National Intelligence prepare “certifications” that authorize 702 surveillance programs. These certifications are then submitted to the Foreign Intelligence Surveillance Court (FISC) for approval. The certifications encompass several key elements, such as identification of the categories of foreign intelligence information to be collected, confirmation that a “significant purpose” (not the “primary purpose”) of the program is to gather foreign intelligence information, and verification that the program utilizes a U.S. electronic communications service provider. If all the required elements are present, the FISC is obligated to approve the 702 surveillance program. It is important to note that the FISC does not participate in the actual decision-making process regarding targets. Once the collection has been approved by the FISC, the authorities select the targets for monitoring and can compel electronic communication service providers to assist in the data collection process against these identified targets.
Currently, two forms of data collection based on Section 702 are effective. Under PRISM, the authorities directly gather communications from specific targets (e.g., email addresses) through cooperation with US-based telecommunications companies (such as AT&T) and internet service providers (like Facebook, Google, Amazon). The National Security Agency (NSA) receives the collected information and may share it with the Central Intelligence Agency (CIA) and Federal Bureau of Investigation (FBI). Another type of collection, known as “upstream” collection, is also employed. In this case, the NSA retrieves data relating to communications to, from, or “about” a target as it passes through networks controlled by US-based service providers. To achieve this, the NSA utilizes devices positioned at strategic points within the US internet infrastructure. Raw data collected in this manner can only be accessed by the NSA but may be shared with the CIA and FBI after undergoing a minimization process.
Executive Order 12333, initially enacted in 1981 and subsequently modified, grants authorization for surveillance activities conducted outside the United States, specifically targeting foreign individuals. This order operates separately from Section 702 FISA, which applies to surveillance activities conducted within the US. Executive Order 12333 allows for the bulk collection of data without judicial oversight, facilitating the acquisition of extensive volumes of information. In its surveillance operations, the National Security Agency (NSA) identifies foreign entities, such as individuals or organizations, that possess intelligence information relevant to specific identified needs. For instance, the NSA focuses on identifying individuals who may be associated with terrorist networks. This process often involves the collection of metadata from overseas communications, particularly telephone calls. Notably, Executive Order 12333 permits the collection of data encompassing communications between individuals located outside the United States and those located within the United States.
European data protection authorities believe that these provisions allow US authorities to access personal data transferred to the US in contravention of the protection guaranteed by the GDPR. For this reason, the United States and the European Union have long attempted to agree on mechanisms designed to offer Europeans whose data is transferred to the United States a satisfactory level of protection. These include Safe Harbor, in force from 2000 to 2015, and the Privacy Shield, in force from 2016 to 2020. The adequacy decisions taken in consideration of these mechanisms were, however, successively annulled by the Court of Justice of the European Union. Since the Privacy Shield was invalidated on July 16, 2020, companies must therefore use a valid alternative legal mechanism to ensure that transfers of personal data from the EU to the US are accompanied by adequate safeguards. They generally base transfers on Standard Contractual Clauses (SCCs), which are standard clauses pre-approved by data protection authorities. Model standard contractual clauses are published by EU authorities and adopted by companies wishing to legally transfer their data.
In its decision on the Privacy Shield, the Court of Justice acknowledged the use of standard contractual clauses for data transfers. However, it also emphasized that companies utilizing these clauses must assess the legal framework of the receiving country to ensure that the transferred personal data receives a level of protection “substantially equivalent” to that within the EU. Data Transfer Impact Assessments are required to evaluate the protection provided by the laws of the destination country and determine if additional measures are necessary to ensure equivalent data protection for individuals. The assessment should include verifying whether the legislation of the recipient country allows compliance with the standard contractual clauses. Other aspects should be considered, such as the volume and sensitivity of the data transferred, its encryption status, and whether authorities in the recipient country have previously sought access to data from the company.
In the case of Meta, the contractual clauses and guarantees offered by the company were deemed insufficient. The Irish Data Protection Commission (DPC) specifically noted that Meta’s revised standard contractual clauses, which were updated in 2021, did not adequately address the challenges posed by US legislation. Moreover, the additional measures implemented by Meta were evaluated in light of the relevant US laws and were found to be inadequate in providing “essentially equivalent” protection.
Although this decision exclusively concerns Meta, it carries potential implications for all entities using standard contractual clauses for data transfers to the USA. The Irish Data Protection Commission (DPC) acknowledges the wide-ranging scope of its decision, applying to all providers of electronic communications services involved in transferring personal data. Consequently, this ruling introduces significant legal uncertainty.
It is important to note that the decision does not invalidate the use of standard contractual clauses as a legal basis for data transfers. However, it emphasizes that relying solely on these clauses is insufficient to ensure adequate protection when transferring data to countries without an adequacy decision. In the case of data transferred to the US, it remains uncertain whether any additional measures can truly provide satisfactory protection. While end-to-end encryption may be a potential solution, its effectiveness against surveillance techniques employed by US authorities is questionable, as these authorities have the power to demand disclosure of encryption keys. One possibility would obviously be to imagine that the companies transferring the data do not themselves possess the encryption keys. However, as pointed out by Anupam Chander and Joe Jones, not being able to decrypt the data would prevent those companies from carrying out certain tasks, such as moderation, and would undermine their business model, which relies on profiling and targeted advertising.
Currently, Meta is strongly opposing the decision. In a statement by Nick Clegg, Meta’s Director of Public Affairs, the company expressed its good faith in using standard contractual clauses and criticized the potential consequences of a fragmented and isolated internet where data circulation is hindered. Clegg highlighted the negative economic impacts of the decision and the potential restriction of developing shared services across different countries. Additionally, Meta announced its intention to appeal the decision and seek a stay of execution.
However, it is likely that Meta will not have to halt its transfers in October as mandated by the Irish Data Protection Commission (DPC). This is because the Data Privacy Framework, a new agreement between the USA and the EU, is expected to come into effect through the adoption of a new adequacy decision. In the spring of 2022, the European Union and the United States reached a new preliminary agreement to establish a new mechanism facilitating data transfers across the Atlantic. Under this agreement, the US has committed to ensuring that government surveillance activities and data collection are conducted in a manner that is “necessary and proportionate,” aligning with the standards that Europeans adhere to. Additionally, the US has pledged to establish an independent authority responsible for overseeing and regulating data collection and processing by US authorities. Simultaneously, US companies will continue to self-certify their compliance with the provisions of the GDPR by registering with the Department of Commerce. Therefore, with the implementation of the Data Privacy Framework and the new adequacy decision, it is expected that Meta and other companies will be able to resume data transfers without interruption, subject to meeting the necessary requirements outlined in the agreement.
Following the new agreement, U.S. President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) on October 7, 2022. This Executive Order 14086 has the objective of establishing a stronger framework for surveillance activities. It specifies that U.S. authorities are only allowed to collect data for specific national security purposes, when it is necessary to achieve those purposes, and in a manner that is proportional to those priorities. The principles of “necessity” and “proportionality” are explicitly mentioned in the Executive Order. To ensure compliance with the new safeguards, intelligence agencies will need to modify their procedures under the oversight of the Privacy and Civil Liberties Oversight Board. This board will conduct an annual audit of the procedures. In addition, the Executive Order introduces an appeal mechanism for individuals whose data is collected. Claims will be reviewed by the Civil Liberties Protection Officer within the Office of the Director of National Intelligence (CLPO). The decisions made by the CLPO can be challenged before a newly established Data Protection Review Court (DPRC). Both the CLPO and DPRC will have the power to issue legally binding decisions that the U.S. intelligence services must comply with.
These appeal possibilities offered by EO 14086 represent a significant development within the Data Privacy Framework. They aim to address European concerns, as the lack of adequate appeal mechanisms played a role in the Court of Justice of the European Union’s decision to invalidate the Privacy Shield. However, it’s important to note that, according to the Executive Order, this right to seek redress is limited to citizens of countries designated as “qualifying states” by the U.S. Attorney General. Before extending this right to European citizens, the Attorney General will have to assess whether European legislation on data collection and surveillance adequately respects the privacy rights of US citizens.
On December 13, 2022, the European Commission released a draft adequacy decision, considering the additional safeguards and the right to redress provided by the recent US legislation. As with the adoption of the Privacy Shield, this draft decision has met with reservations and criticism. On February 28, 2023, the European Data Protection Board (EDPB) issued a non-binding opinion expressing reservations. The EDPB acknowledges that the Data Privacy Framework and EO 14086 have made significant improvements. However, certain provisions need further clarification, particularly concerning data retention. The EDPB also expresses its disappointment that the bulk collection of data does not require prior authorization from an independent body. Furthermore, the EDPB emphasizes that the authorization procedure under Section 702 FISA remains unchanged. The FISC grants authorization for surveillance programs in general terms without specifically determining the targets. As a result, US legislation does not provide for oversight of this surveillance by an independent judicial authority. Lastly, while the establishment of the new Data Protection Review Court is a positive development, there is a need for clarification regarding the conditions for filing cases before it, especially regarding the requirement that the plaintiff’s rights must have been “adversely affected” in order to lodge a complaint.
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) expressed its opinion on April 13, 2023, stating that the Data Privacy Framework does not provide sufficient guarantees for EU citizens. In a resolution adopted on May 11, 2023, during a plenary session, MEPs expressed their concerns regarding the new protection framework, stating that it does not establish a substantial level of equivalence in terms of data protection. They urge the Commission to continue negotiations in this regard. The resolution highlights various issues, including the lack of clarity in data retention rules and the possibility of bulk collection of personal data without independent prior authorization. Additionally, the EU Parliament draws attention to the fact that the new Data Protection Review Court (DPRC) will issue confidential rulings and that its judges can be removed from office by the President of the United States. It also states that the President has the power to override the court’s decisions, thereby undermining its true independence. Although the EU Parliament’s resolution is not legally binding for the Commission, it carries significant political weight.
The European Commission must now seek the approval of a committee consisting of representatives from the 27 EU member states. To adopt the decision, it needs the support of at least 55% of the member states, representing at least 65% of the EU population. This means that a minimum of 15 member states out of the 27 must approve the decision. Furthermore, for opposition to block the decision, it must include at least 4 Council member states representing at least 35% of the EU population. By the end of May, the Commission confirmed that the new adequacy decision was expected to be adopted in the summer of 2023. However, it is not impossible for this adequacy decision, once adopted, to be invalidated again by the Court of Justice. Maximilian Schrems has already announced his intention to challenge it.
In the end, the solution for the concerned companies may be to refrain from transferring data to the United States and process it within Europe instead. As explained by Anupam Chander and Joe Jones, Microsoft has made this choice for certain services under the “EU Data Boundary” project. Similarly, TikTok, which launched the “Texas” project in the US to process data collected in the United States, is reportedly on the verge of implementing a similar approach in Europe with the “Clover” project. However, this option is not the easiest to implement for globally integrated companies.
Florence G’sell is Professor of Private Law and holds the Digital, Governance and Sovereignty Chair.