Editor’s Note: NYU Law’s Program on Corporate Compliance and Enforcement (PCCE) is following the developments from the recently-announced and record-breaking fine against Meta Platforms, Inc. for alleged violations of Europe’s General Data Protection Regulation (GDPR) over transfers of personal data from the EU to the U.S. The relevant decisions of the Irish Data Protection Commission and the European Data Protection Board are available here and here. The question of compliance with rules for cross-Atlantic data transfers is subject to significant legal uncertainty and political disputes between the relevant jurisdictions. In this post, privacy experts offer insights into the decision.
The Meta Decision Poses Intractable Questions for Global Businesses
by Joe Jones
Meta and the United States are canaries in the coalmine. Supporting 10% of its global revenue, Meta's transfers of data to the U.S. are one piece in an increasingly complex puzzle of international data transfers.
While the record-breaking 1.2 billion euro fine applies to Meta, the decisions of the EDPB and Irish DPC cast a shadow of uncertainty for data transfers by the many thousands of EU organisations transferring data to the United States. If none of the EU’s permitted transfer mechanisms work for the U.S. on account of purported gaps in the laws and practices related to national security and law enforcement – gaps that no company, not even Meta, can fill – then three intractable questions arise.
With no lawful route to transferring data to the U.S., can – and how can – businesses sustain their operations, from the most basic to the most fundamental, that depend on such transfers? With the spectre of having to delete or repatriate EU data already in the U.S. looming, can – and how can – such corrective orders be achieved, noting the complex data processing architectures and the impacts on operations when disgorging such volumes of data? In today's data-driven world, where global organisations – from big businesses to humanitarian charities – operate in many of the 150+ countries not deemed "adequate," what prospect is there that such transfers of EU data to those countries will also be deemed to fall foul of the deficiencies purported to exist in the U.S.? Moving away from the current global web of unilateral or bilateral data transfer arrangements to more stable and scalable multilateral frameworks is the topic du jour in fora such as the OECD, the G7, and the Global CBPR Forum. Many are willing those fora on to success. For now and for the near term, however, uncertainty and complexity remain.
Joe Jones serves as the Director of Research and Insights for the International Association of Privacy Professionals (IAPP). Previously, he served as the Deputy Director for International Data Transfers with the UK Government and is globally recognized as a leader in privacy law and policy.
High Fines Might Become the New Normal
The Irish Data Protection Commission's (IDPC) decision is not a surprise. Rather, it provides a textbook example of regulatory competition (some might say arbitrage) in the EU. Following the ECJ decision in Schrems II, the IDPC had concluded that Meta Ireland infringed Article 46(1) GDPR. Still, it was unwilling to administer a fine. Under Art. 60 GDPR's cooperation procedure, several supervisory authorities (Austrian, German, Spanish and French) raised concerns, triggering a dispute resolution decision by the European Data Protection Board (EDPB). After its binding decision, fining Meta was inevitable. When determining the amount of the fine, the EDPB instructed the IDPC to give due regard to the high level of seriousness of Meta's infringement. Against that background, fining Meta EUR 1.2 billion sets a new record for GDPR violations, even if it remains far below the FTC's $5 billion penalty of 2019.
The decision will still have considerable impact on the practice of data transfers between the US and the EU. For large US corporations, high fines might become the new normal, especially for grave, enduring infringements that are committed knowingly and affect the personal data of a high number of citizens. For EU corporations with US service providers, compliance costs, e.g. for transfer impact assessments, will remain high. This puts an enormous burden not only on small and medium-sized enterprises using, for instance, cloud services. Given the everyday use of office software and video conferencing tools, public agencies, cities, state universities, and schools also face serious risks.
The larger issues remain unresolved. Access to data is a core driver in the worldwide race to develop artificial intelligence. History and culture have produced very different approaches to data privacy across the US, the EU, and China. Each entails its distinct trade-off when balancing privacy protection, innovation, (public or private) mass surveillance, and geopolitical power. Moving forward, the focus must be on fine-tuning regulatory responses across the Atlantic, moving towards a fair and responsible common framework.
Katja Langenbucher is a law professor at Goethe-University’s House of Finance in Frankfurt, an affiliated professor at SciencesPo, Paris, and a long-term guest professor at Fordham Law School, NYC. She is also a SAFE Fellow with the Leibniz Institute for Financial Research SAFE.
After Meta: Towards More Coordinated Enforcement of European Data (Protection) Law?
The decision against Meta may be a harbinger for more coordinated enforcement of European data protection law and may also hold important lessons for the future implementation of the rapidly evolving European data law beyond data protection law. What is technically a national decision (the Irish DPC) against a national entity (Meta Ireland), is materially a European (EDPB) decision against a global entity (Meta). As the different narrative and tone of the DPC’s and EDPB’s respective press releases reveal, European data protection authorities do not always agree on enforcement priorities and appropriate remedies. The EDPB forced the DPC to impose a substantial fine and an infrastructural remedy (deletion) for already transferred personal data.
The EU's General Data Protection Regulation (GDPR) adopted the EU's traditional approach towards implementation: EU law is to be administered and enforced by EU member state authorities. While GDPR increased the fines for core violations substantially, its "one stop shop principle" amounted to a "choose your regulator" principle, as companies could choose their main establishment in the EU strategically. In contrast, the EU's new flagship platform regulations – the Digital Markets Act (DMA) and Digital Services Act (DSA) – centralize enforcement against gatekeepers and very large online platforms (VLOPs) in the European Commission. Some wonder whether GDPR enforcement should ultimately follow the same model (e.g., by centralizing enforcement against the largest entities in the European Data Protection Supervisor). By forging a European consensus against a reluctant national data protection authority, the EDPB may have restored the credibility of the GDPR's decentralized yet coordinated enforcement mechanism.
The Meta decision illustrates once again that “the EU” is not a monolith. If it had (only) been up to the European Commission, transatlantic EU-US exports of personal data would likely never have been in jeopardy. Without the Court of Justice’s fundamental-rights protective stance in reaction to Max Schrems’ activist litigation, the Irish DPC would not have been in the situation it found itself in. By channeling pressure from other European data protection authorities, the EDPB positioned itself against lenient GDPR enforcement.
Thomas Streinz is the Executive Director of Guarini Global Law & Tech and an Adjunct Professor of Law at New York University School of Law.
Cautious Optimism for the New Trans-Atlantic Data Privacy Framework
The European Union (EU) has slapped Meta with a historic $1.3 billion (€1.2 billion) fine and has ordered Meta to stop processing EU personal data to the United States (US) within five months. It also gave Meta six months to stop “the unlawful processing, including storage, in the US” of EU personal data already transferred to the US, meaning that any EU personal data will need to be removed from Meta servers.
The Irish Data Protection Commission (DPC), which oversees Meta operations in the EU, alleged that the company violated the General Data Protection Regulation (GDPR) when it continued to send the personal data of European citizens to the US in light of the 2020 European Court ruling that invalidated the Privacy Shield and imposed tighter requirements around the use of standard contractual clauses (SCCs) as a mechanism for data transfers (the Schrems II decision). The DPC stated that Meta’s data transfer mechanism through the SCCs does not protect EU personal data from US government mass surveillance programs, potentially calling into question the ability of any company to transfer EU personal data to the US. Specifically, the DPC found neither the old nor the new SCCs, coupled with the “supplementary measures” used by Meta following the Schrems II decision, met the GDPR standard of essential data protection equivalence.
A part of this decision does not come as a total surprise. The invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans. The European Commission and US government have been negotiating for more than two years to finalize the new Trans-Atlantic Data Privacy Framework. This month, the European Commission called for improvements, saying the safeguards employed by the US are not strong enough. However, what does come as a surprise from this decision is that the new SCCs are an instrument widely used by organizations to transfer EU personal data to the US and have been used since the July 2020 ruling in the Schrems II decision. The legality of the SCCs as a valid data transfer mechanism has never been tested in court. Accordingly, this ruling will have a significant impact on all companies that process EU personal data.
As Meta appeals this decision, we remain cautiously optimistic that a new Trans-Atlantic Data Privacy Framework is likely to be finalized. Meta will likely benefit from this data-sharing arrangement; however, the fine may still stand. Until then, organizations of all shapes and sizes will have to pay close attention to how they process EU personal data. Data exporters should, at a minimum, undertake thorough risk assessments of EU personal data transfers and document them appropriately. This will require them to outline any "supplementary measures" they employ and ensure that those measures are being implemented in practice.
Trisha Sircar is a Partner and Co-Privacy Officer at Katten Muchin Rosenman LLP.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).