Our Response to the Decision on Facebook’s EU-US Data Transfers

Editor’s Note: NYU Law’s Program on Corporate Compliance and Enforcement (PCCE) is following the developments from the recently-announced and record-breaking fine against Meta Platforms, Inc. for alleged violations of Europe’s General Data Protection Regulation (GDPR) over transfers of personal data from the EU to the U.S. The relevant decisions of the Irish Data Protection Commission and the European Data Protection Board are available here and here. The question of compliance with rules for cross-Atlantic data transfers is subject to significant legal uncertainty and political disputes between the relevant jurisdictions. In this post, Meta responds to the decision.

by Nick Clegg and Jennifer Newstead

Photos of the authors

Nick Clegg and Jennifer Newstead (photos courtesy of Meta Platforms, Inc.)

Takeaways

  • Thousands of businesses and organisations rely on the ability to transfer data between the EU and the US to operate and provide everyday services.
  • This is not about one company’s privacy practices — there is a fundamental conflict of law between the US government’s rules on access to data and European privacy rights, which policymakers are expected to resolve in the summer.
  • We will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts.
  • There is no immediate disruption to Facebook in Europe.

The ability for data to be transferred across borders is fundamental to how the global open internet works. From finance and telecommunications to critical public services like healthcare or education, the free flow of data supports many of the services that we have come to rely on. Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day.

Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on. That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years.

In 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield – a key legal mechanism for the transfer of personal data from the EU to the US. This decision created considerable regulatory and legal uncertainty for thousands of organisations, including Meta.

At the time of its decision in 2020, the CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards.  As such, like thousands of other businesses, Meta used SCCs believing them to be compliant with the General Data Protection Regulation (GDPR).

Today, the Irish Data Protection Commission (DPC) has set out its findings into Meta’s use of this common legal instrument to transfer Facebook user data between the EU and the US. Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last minute by the European Data Protection Board (EDPB). We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.

Meta Uses the Same Legal Mechanisms as Other Organisations

Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own. We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe. 

The DPC initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate. However, this was overruled by the EDPB, which also chose to disregard the clear progress that policymakers are making to resolve this underlying  issue. This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.

It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.

There is Already a Political Agreement to Solve the Underlying Conflict of Law

Policymakers in both the EU and the US are on a clear path to resolving this conflict with the new Data Privacy Framework (DPF). In March 2022, President Biden and Commission President Von der Leyen announced that they reached an agreement on the principles of a new framework to enable the free flow of transatlantic data. Policymakers on both sides of the Atlantic have committed to fully implementing the DPF “as quickly as possible.” 

Regulators, including the EDPB, have welcomed the improvements made by the DPF. We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved. This will mean that if the DPF comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users.

At a time where the internet is fracturing under pressure from authoritarian regimes, like-minded democracies should work together to promote and defend the idea of the open internet. No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.

Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook while keeping their data safe and secure. There is no immediate disruption to Facebook because the decision includes implementation periods that run until later this year. We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines.

Nick Clegg is President, Global Affairs, and Jennifer Newstead is Chief Legal Officer at Meta Platforms, Inc.  This post originally appeared on Meta’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).