Meta’s Facebook has been fined yet again. The Data Protection Commission (DPC) fined the company a staggering €1.2 billion for illegal transfers of data to the US. This decision comes as no surprise; Facebook has been under scrutiny for data protection issues for years. This is the largest fine issued to date under the EU General Data Protection Regulation (GDPR), five years after it came into force.
This blog will walk you through why and how Facebook got this record-breaking fine. We’ll also discuss what Facebook could have done differently to be compliant with data protection law.
The long story
The decision on Facebook has been long awaited. The origins of this case date back nearly a decade following controversies around US Government surveillance and leaks from the now infamous whistle-blower Edward Snowden. Those controversies spurred the privacy advocate Max Schrems to challenge the legality of Facebook’s data transfers to the US due to concerns over US surveillance laws and law enforcement access to personal data.
Over the years, we saw two cross-border data sharing agreements invalidated. The Safe Harbor Framework fell after the Court of Justice of the European Union’s 2015 ‘Schrems I’ ruling. In 2020, the CJEU’s ‘Schrems II’ ruling invalidated Privacy Shield. (Here’s the blog we wrote about that at the time.)
This initiated a series of negotiations between the US Government and the EU Commission to tackle the concerns raised by the CJEU and establish a third agreement known as the EU-US Data Privacy Framework (DPF). The DPF is pending final EU approval for ‘adequacy’ and should come into effect by the end of the summer.
This brings us to Meta’s large fine. The DPC recently conducted a thorough assessment of Meta Ireland (formerly Facebook Ireland) and determined four main points regarding the legality of Facebook’s transfer of data to the US.
- The DPC determined that US data protection laws are not equivalent to the EU’s. Although the new Executive Order has been passed, it is not fully implemented. Because there’s currently no redress mechanism in place, it can’t be considered for this decision.
- The Standard Contractual Clauses (SCCs) that Facebook used were insufficient to address the data protection issues associated with the risk of transferring to the US.
- Meta Ireland didn’t have additional measures in place to compensate for the inadequate protection of personal data under US law.
- Meta Ireland was not able to rely on the derogations outlined in Article 49(1) of the GDPR for data transfers.
The DPC concluded that Meta Ireland is in violation of Article 46(1) of the GDPR by conducting data transfers without adequate protection. It deemed the following corrective measures appropriate:
- a) Suspension order: Meta Ireland must suspend data transfers in accordance with a provided timeline of approximately five months.
- b) Compliance with GDPR: Meta Ireland must bring its processing operations into compliance with the GDPR’s requirements. This includes ceasing the unlawful processing and storage of personal data of EEA users transferred in violation of the GDPR. The deadline for compliance is six months from the date of notification of the DPC’s decision.
- c) Administrative fine: The DPC fined Meta Ireland €1.2 billion.
What does this mean for everyone else?
If you’re starting to panic about your data transfers, don’t! This decision specifically applies to Meta Ireland. However, it highlights a broader situation. It indicates that any internet platform categorised as an electronic communications service provider, and subject to the Foreign Intelligence Surveillance Act (FISA) 702 PRISM programme, may face challenges in meeting the requirements of Chapter V of the GDPR and the EU Charter of Fundamental Rights when transferring personal data to the US.
The DPC raised this concern before the Irish High Court and the Court of Justice of the European Union (CJEU) when questioning the validity of the SCCs as a mechanism for transfers to the United States. The CJEU ultimately upheld the validity of SCCs as a legal instrument but emphasised the need for a case-by-case assessment to determine the lawfulness of data transfers conducted under their terms to a third country.
Given the CJEU’s findings and the limitations of the DPC’s authority, it isn’t possible for the Irish regulator to issue a general order to suspend or prohibit transfers to the United States as a whole.
A side note here about PRISM. It’s a surveillance programme operated by the United States National Security Agency (NSA) under the Foreign Intelligence Surveillance Act (FISA). It allows the NSA to collect data from various internet platforms, including communication services and social media platforms, with the aim of gathering foreign intelligence information.
Some widely used service providers which fall under FISA 702 PRISM are Microsoft, Google, AWS, LinkedIn, WhatsApp, Apple and Yahoo. It’s important to note that this list is not exhaustive. Other internet platforms may also fall within the definition of an electronic communications service provider subject to the PRISM programme.
The Meta Ireland decision raises concerns and implications for other service providers covered by the PRISM programme and businesses that use these services. Although the DPC’s decision specifically applies to Meta Ireland, the underlying issues regarding data protection, adequacy of safeguards, and compliance with EU laws are relevant to other providers operating under similar circumstances.
What could Meta have done differently?
The DPC’s decision outlined that there are alternative measures that Meta did not use. Other companies that transfer data to the US can take the following measures to enhance how they protect data, reduce potential risks associated with data transfers, and ensure compliance.
- Host data in Europe: storing your data in Europe can offer an additional layer of protection, enhancing data security.
- Pseudonymisation of data: Employing pseudonymous data techniques involves replacing identifiable information with pseudonyms.
- Key management and encryption: Implementing robust key management and encryption mechanisms for your data, and ensuring that encryption keys are stored in Europe, can significantly enhance the security and compliance of your data transfers. It provides an extra layer of protection against unauthorised access and strengthens data privacy practices. Meta wasn’t using these measures and instead was sending data in the clear.
By considering and implementing these supplementary measures, you can reinforce your data protection strategies and achieve a higher level of compliance with GDPR regulations when transferring data to the United States – or when using service providers covered by the PRISM programme. Taking these proactive steps will help safeguard your data and ensure your company adheres to the necessary privacy standards.
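The pseudonymisation and EU-held-key measures above can be demonstrated in a few lines. The following is an added example written for this post, not Meta’s or the DPC’s code and not something the post itself contains: direct identifiers are replaced with keyed HMAC-SHA256 pseudonyms before a record leaves the EU, while the HMAC key and the reverse lookup table stay with the EU-side controller. The field names, the sample record and the class and function names are constructed for illustration.

```python
"""Pseudonymise a record before cross-border transfer (constructed example).

The EU side keeps the secret key and the token-to-value lookup table; the
outbound record carries only pseudonyms for identifying fields plus the
non-identifying fields the receiving side actually needs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed list of direct identifiers; a real deployment derives this
# from its data inventory / transfer impact assessment.
IDENTIFYING_FIELDS = ("email", "name", "phone")


@dataclass
class EuPseudonymisationVault:
    """Holds the HMAC key and re-identification table; never leaves the EU."""

    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _lookup: dict = field(default_factory=dict)

    def pseudonymise(self, field_name: str, value: str) -> str:
        # Domain-separate by field name so the same string used in two
        # different fields does not yield the same token.
        msg = field_name.encode("utf-8") + b"\x00" + value.encode("utf-8")
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # Keep the reverse mapping locally so only the EU side can re-identify.
        self._lookup[token] = value
        return token

    def reidentify(self, token: str):
        """Return the original value for a token, or None if unknown here."""
        return self._lookup.get(token)

    def split_record(self, record: dict) -> dict:
        """Build the outbound copy of `record` with identifiers pseudonymised."""
        outbound = {}
        for name, value in record.items():
            if name in IDENTIFYING_FIELDS:
                outbound[name] = self.pseudonymise(name, value)
            else:
                outbound[name] = value
        return outbound


def contains_plaintext_identifiers(outbound: dict, record: dict) -> bool:
    """Pre-transfer check: True if any identifying field still holds its original value."""
    return any(
        outbound.get(name) == record[name]
        for name in IDENTIFYING_FIELDS
        if name in record
    )


if __name__ == "__main__":
    vault = EuPseudonymisationVault()
    # Constructed sample record
    user = {"email": "alice@example.com", "name": "Alice", "country": "IE", "plan": "pro"}
    outbound = vault.split_record(user)
    print("outbound record:", outbound)
    print("plaintext identifiers leaked:", contains_plaintext_identifiers(outbound, user))
    print("EU-side re-identification:", vault.reidentify(outbound["email"]))
```

Because the pseudonym is a keyed HMAC rather than a plain hash, a receiving party holding only the outbound data cannot recompute tokens from guessed inputs, and the same input always maps to the same token, so records can still be joined on the receiving side without exposing the identifier.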
What you need to do next
The DPC’s decision on Meta Ireland also highlighted the potential for new measures to be developed and implemented to address the deficiencies identified in the assessment. There’s hope on the horizon for EU-US transfers with the DPF on the way.
It will be highly important in the coming months to sign up to the new EU-US transfer framework. We also recommend keeping an eye out for updates and changes to it. In the meantime, here are five actions you can take to ensure your data transfers stay compliant with GDPR.
- Review your data transfers, service providers, and associated risks in light of the DPC’s decision to ensure any risks associated with the use of these providers who fall within scope of FISA 702 PRISM are properly documented
- Conduct Transfer Impact Assessments
- Host data in the European Union where possible
- Use supplementary measures like encryption and pseudonymisation
- For companies that are certified to the Privacy Shield, there should be an easy migration path. If they aren’t, they will need to certify to the new framework.
Cliona Perrick is a data protection consultant with BH Consulting.