Facebook will have a five-month grace period before ceasing future data transfers to the U.S., and a six-month deadline to stop holding current data in the U.S.
Conclusion of a three-year inquiry:
Ireland's Data Protection Commission ("DPC") has announced on Monday, May 22nd, after a long inquiry, that Meta Ireland (Facebook) infringed GDPR's Article 46 with respect to its cross-border personal data transfers from the EU to the U.S., as part of its service delivery.
While Facebook effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment on the Schrems II matter.
Therefore, the DPC has imposed an administrative fine in the amount of €1.2 billion to sanction the infringement that was made by Facebook.
According to the regulator's decision, by the end of 2023, Facebook will no longer be able to make new data transfers from the EU to the U.S (within five months); and will be forced to cease storing current personal data of EU/EEA users within the U.S. (within six months).
Background (and politics) of trans-atlantic data transfers:
The DPC's inquiry has commenced after the invalidation of the EU-U.S. Privacy Shield arrangement by the Court of Justice of the European Union (CJEU) in July 2020. Recently (in April 2023), the European Data Protection Board (EDPB) has announced similar conclusions with respect to the processing of personal data by Facebook.
The EU authorities have repeatedly raised concerns over the ability of the U.S. intelligence agencies to track and use personal data of EU persons, specifically without any true protection on their fundamental rights or with a right of redress in U.S. courts. Also previously noted, that there is no supervision on U.S. intelligence agencies' conduct with respect to infringements of privacy rights, nor any disclosure or mandatory policies are available.
At the turn of this year, it was announced that the both EU and U.S.'s presidents have reached a general agreement with respect to a new adequacy decision to the U.S. (the EU-U.S. Data Privacy Framework). It is expected that this new framework will be adopted during this year, and perhaps will "save" Facebook from the fine and the other sanctions, which may be even more costly than the fine itself.
Key legal implications:
- So far, the sanctions will be imposed only on Facebook and not on other Meta apps, such as Instagram or WhatsApp.
- The DPC decision is dramatic as it derogates from the validity of the new SCCs and creates uncertainties to every business that is processing personal data of EU persons in the U.S., whether by access or other transfers, or if the business is maintaining any storage of such data within the U.S. (which both are very common).
- Moving storage to EU locations may be expensive, but it is a natural first response to accommodate the DPC's approach.
- Businesses should also take into consideration that processing is much safer to be conducted in an adequate country (such as Israel). Processing from the U.S., whether by access or receipt of data by other means, has become uncertain for many companies, service providers, NGOs, academic or medical centers.
- Many controllers tend to add supplemental measures to the SCCs for making it easier with their providers or partners, but the DPC's decision challenges this by saying that such supplements may not compensate for the deficiencies in U.S. law identified by the CJEU in the Schrems II judgment.
- The decision pushes controllers and other data exporters to implement measures to ensure a higher standard of data protection in the recipient country, making it more similar to the EU's and reducing the ability to rely on a risk-based approach with respect to data transfers.
Recommendations:
- Assess your exposure to Article 46, by initially (i) mapping the personal data in your IT systems; (ii) check for transfers from the EU, and (iii) determine whether such data is associated with your data subjects (such as users, customers, employees, etc.).
- Identify your service providers who process EU personal data and review the legal mechanism that was incorporated to make cross-border data transfers lawful.
- When you make risk assessment to your service providers or business partners, specifically ask them – where do they store their data and wherefrom access to the data is being conducted.
- If you are the data exporter, incorporate strict provisions in your DPAs and SCCs to ensure compliance of your cross-border data transfers with applicable data protection laws and to accommodate to the DPC approach.
- Adopt technical and organizational measures to implement controls for storing, processing or accessing EU and other protected personal data to allow for full awareness and a better position to make quick and efficient actions for obtaining compliance with privacy laws' requirements relating to cross-border data transfers.
|
|
|
|
For the DPC press release click here.
To review the full resolution of the DPC click here.
If you have any additional questions, please do not hesitate to contact our privacy protection department.
The information provided in this document is not intended to replace legal advice and is only intended as general information.
|
|
|
