SPOTLIGHT ON €1.2 BILLION FINE AGAINST META FOR GDPR VIOLATIONS AND IMPLICATIONS FOR EU-US DATA TRANSFERS
By Olayinka Aileru
It is an interesting coincidence that, almost exactly five years after the General Data Protection Regulation (GDPR) became applicable, the digital community woke up to a record fine of €1.2 billion against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) for breach of the GDPR1. The fine was imposed by the Irish Data Protection Commission (DPC), acting on a binding decision of the European Data Protection Board (EDPB), in respect of unlawful transfers of the personal data of EU Facebook users to the United States for processing. Chapter V of the GDPR requires organisations that transfer personal data outside the EU/EEA for processing to ensure that the processing in the third country takes place under conditions guaranteeing a level of protection essentially equivalent to that which the GDPR affords to data subjects in the EU. The DPC found that the transfers violated the privacy and data protection rights of Facebook users, because the United States, where the processing took place, does not guarantee a level of protection commensurate with what the GDPR requires for such cross-border processing2.
Besides the fine, Meta Ireland was ordered to suspend all further transfers of the personal data of users of the Facebook platform to the United States and to bring its processing into compliance with the GDPR. Barring a successful appeal against the decision of the DPC, Meta will be writing a cheque for €1.2 billion to the Irish regulator. The decision is, without doubt, a reinforcement of the importance attached to privacy and data protection in the European Union/European Economic Area. However, beyond its potential to deepen the jurisprudence on data protection in the EU, the decision is an indictment of the data protection regime applicable in the US, particularly as it highlighted the mass surveillance programmes of the country's intelligence agencies, which operate with little or no regard for the privacy rights of the data subjects involved. The decision will have a cross-border effect on EU-US trade relations, particularly in relation to the operations of digital platforms, and may well shape the development of data protection law in the US. In addition, the decision will have a ripple effect on the data processing activities of the many foreign entities whose data processing configurations resemble those of Meta. While there is scope for a more holistic analysis of the economic and legal implications of the DPC's decision, this article only seeks to spotlight the salient factors underlying the decision and its implications for data transfers between the EU and the US.
Background to the case
Prior to the GDPR becoming applicable, the data protection rights of EU citizens were governed by the Data Protection Directive4, read in the light of the rights to privacy and data protection guaranteed by the EU Charter of Fundamental Rights3. In recognition of the important role that data plays in facilitating cross-border transactions in the digital age, the Directive allowed the transfer of personal data to countries outside the EU for processing, provided that the third country ensured an adequate level of protection comparable to that afforded to EU citizens under EU data protection law. In respect of the United States, the European Commission in 2000 adopted the 'Safe Harbour Decision', by which it certified that US organisations self-certifying to the Safe Harbour principles offered a level of protection commensurate with the standards set under EU law. Under the Safe Harbour Decision, organisations carrying on business in the EU could transfer the personal data of EU citizens to their US partners for processing without fear of breaching the Directive. It was under this arrangement that Meta Ireland (then Facebook Ireland) transferred the Facebook data of EU citizens to its parent company in the United States for processing.
This arrangement was, however, undone by the Snowden revelations of 2013, which exposed the mass surveillance programmes of the US government carried out under the Foreign Intelligence Surveillance Act (FISA), in particular Section 702. That provision permits the US government to compel digital platforms such as Facebook to turn over large volumes of the personal data in their records to national intelligence agencies, with little or no oversight of what is subsequently done with the information. The European Parliament's report on the matter confirmed that the US, pursuant to FISA, had required the main internet service providers and technology companies providing online services, such as Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Apple, Skype and YouTube, to turn over large volumes of their users' information to US intelligence agencies, principally the NSA5.
On the basis of these revelations, Mr Maximilian Schrems, an Austrian lawyer, challenged the Safe Harbour Decision by asking the Irish DPC to stop Facebook Ireland from sending his personal data to the US, where intelligence agencies could access it without justification. The DPC declined to investigate the complaint, considering itself bound by the Commission's Safe Harbour Decision6. This refusal triggered court proceedings which culminated in the 2015 judgment of the Court of Justice of the European Union (CJEU) invalidating the Safe Harbour Decision7. Following that judgment, the US and the EU entered into negotiations to address the perceived lacunae in US data protection law and to put in place safeguards that would enable US-based digital platforms to continue to do business in the EU without violating EU data protection law. These negotiations led to the EU-US Privacy Shield of 2016, which effectively replaced the Safe Harbour Decision.
In the meantime, the DPC, pursuant to Mr Schrems's reformulated complaint, opened an investigation into Facebook Ireland's transfers. That investigation led to proceedings before the Irish High Court, and because the validity of the new Privacy Shield and of the Standard Contractual Clauses was considered necessary to the determination of the complaint, the questions were referred to the CJEU. The GDPR, adopted in 2016, became applicable in May 2018 while the reference was pending, so the case was decided under the provisions of the Regulation. In its 2020 judgment, the CJEU invalidated the Privacy Shield, finding that the safeguards it purported to provide did not ensure a level of protection essentially equivalent to that guaranteed under EU law8. The CJEU upheld the Standard Contractual Clauses in principle, but made clear that an exporter relying on them must verify, case by case, that the law of the destination country allows the clauses to be complied with in practice. The DPC's inquiry into Meta Ireland's transfers then continued on the basis of that judgment.
The Standard Contractual Clauses (SCCs)
In the interval after the Safe Harbour and Privacy Shield decisions were invalidated by the CJEU, Meta Ireland continued its data transfers to Meta Inc. as usual, pursuant to a Data Transfer and Processing Agreement (DTPA) that substantially incorporated the Standard Contractual Clauses (SCCs) approved by the European Commission. The SCCs serve as an appropriate safeguard under Article 46 of the GDPR for transfers to countries which, by EU standards, do not provide a level of protection for data subjects' rights equivalent to that available under EU law. They contain undertakings and guarantees by the parties adopting them to ensure that data is transferred for processing abroad only where there is assurance of a level of protection equivalent to that applicable under EU law. More importantly, following the 2020 judgment of the CJEU, the SCCs impose on the data exporter an obligation to carry out a transfer impact assessment and to suspend or cease transfers where circumstances exist, or arise, that make it impossible for the data transferred to the third country to be protected as the GDPR requires.
In the proceedings before the DPC, Meta Ireland argued that it was entitled to rely on its data processing agreement with Meta Inc., which in its view addressed the shortcomings and inadequacies identified in US law. It also relied on the transfer impact assessment it had carried out, which concluded that the level of protection afforded under US law to data subjects whose personal data is transferred to the US is essentially equivalent to that guaranteed by EU law. The decision of the DPC ultimately turned on the effect of the SCCs on Meta's transfers, considered in the light of the two CJEU judgments and the analysis in them. Essentially, the DPC had to decide whether these agreements, together with the supplementary measures Meta had adopted, were sufficient to provide the level of protection that the GDPR requires for the cross-border transfer of the Facebook data of EU citizens.
The decision of the DPC
In a decision that reads as much as an indictment of the US surveillance regime as a finding of Meta's non-compliance with the GDPR, the DPC held that the transfers made in reliance on the SCCs were unlawful in the light of the CJEU's findings in the two earlier cases that invalidated the Safe Harbour and Privacy Shield decisions. Much of the DPC's reasoning follows the 2020 judgment of the CJEU. Primarily, the DPC considered that the SCCs incorporated into the data processing agreements between Meta Ireland and its US parent do not address the concern of wholesale surveillance of EU citizens' data under Section 702 of FISA. It noted, for example, that incorporating the SCCs into the agreements had no practical effect on Meta's continuing obligation to turn over Facebook data to US intelligence agencies upon a request made pursuant to FISA, since a contract between private parties cannot bind the US authorities.
More importantly, the DPC considered that there is no practical means by which an EU data subject aggrieved by US government surveillance can seek redress, especially as complaints about FISA surveillance are, in practice, not justiciable in US courts. The DPC duly considered Meta's efforts to comply with the GDPR, among them the organisational, technical and legal measures it had put in place to protect personal data, as well as the transfer impact assessment Meta carried out in respect of the transferred data. The DPC also accepted that Meta had not wilfully set out to breach the GDPR: it honestly, albeit erroneously, believed that the changes introduced by the US government to address the perceived shortcomings of FISA surveillance were sufficient to mitigate the dangers to the rights of EU data subjects.
The DPC nevertheless concluded that Meta was negligent, since it had no reasonable basis for that belief: the shortcomings in the US system go to the root of the rights protected by the GDPR and by the EU Charter of Fundamental Rights. In the DPC's view, in the absence of an adequate level of protection in the US commensurate with that available in the EU, Meta was under a strict obligation to put in place supplementary measures that would compensate for the inadequate protection afforded by US law, whereas the measures Meta adopted merely sought to mitigate the risks and fell far short of what the GDPR requires. The DPC noted that Meta had the option of confining the processing of EU Facebook users' data to the EU, but deliberately chose its present, convenient and cost-effective business configuration, which has the effect of undermining the safeguards provided by EU law. In the final analysis, the DPC, bearing in mind the continuing nature of the breach, the number of users affected and the need to deter further breaches of the GDPR, considered a fine of €1.2 billion justified. In addition, it ordered Meta to suspend further transfers of data to the US made in breach of the GDPR.
IMPLICATIONS FOR EU-US DATA TRANSFERS
In the light of the provisions of the GDPR as interpreted by the CJEU, there is no doubt that the DPC had justifiable grounds to sanction Meta Ireland as it did, especially bearing in mind that much of Meta's data processing configuration turned on business expediency rather than on the conduct prescribed by law. Since the first related decision, Schrems v Data Protection Commissioner, was handed down in 2015, exposing the surveillance practices in the US, Meta has had the option of modifying its systems so that the processing of EU citizens' Facebook data is confined to the European Union. Indeed, the DPC took a dim view of Meta's continued cross-border transfers, noting in its decision that the law should not bow to the convenience of Meta's business expediency, which has continued to undermine the data rights of EU citizens. Although the DPC accepted that Meta felt justified in relying on the agreements between the EU and the US and on the SCCs, it concluded that these cannot take the place of adherence to the provisions of the law.
Meta's business practice may not have been a deliberate ploy to circumvent the law. Nonetheless, its data processing configuration exposed it to the unpleasant situation of conflicting allegiance to two legal regimes. This conflict was acknowledged in a joint statement issued by Meta's President of Global Affairs and its Chief Legal Officer in response to the DPC's sanction, which emphasised that the issues in the case arise from a conflict of laws between two systems that policymakers are expected to resolve at inter-governmental level9. The statement betrays Meta's view of itself as a hapless business organisation caught in a web of allegiance to conflicting legal systems.
However, this position does not take account of the objective of the GDPR as a statute regulating data processing that affects EU citizens, as opposed to legislation seeking to effect the 'Europeanisation' of the data protection laws of other nations. The DPC's decision makes a clear statement that foreign companies seeking to do business in the EU must abide by EU law regardless of their allegiance to the laws of their home countries. A further effect of the decision is that digital platforms operating in the EU have a strict obligation to comply with the GDPR regardless of any trade or bilateral agreements between their home countries and the EU. While there is merit in the point made in Meta's press release that strict national data protection rules have the potential to balkanise the internet into regional and national silos, this sentiment should take a back seat in the present case, where the real issues concern the right to privacy and the protection of personal information rather than business organisations' desire to make money.
Since the 2020 judgment of the CJEU in Data Protection Commissioner v Facebook Ireland, which invalidated the Privacy Shield, the EU and the US have been negotiating a replacement. This effort culminated in an agreement in principle on the Trans-Atlantic Data Privacy Framework (now styled the EU-US Data Privacy Framework), nicknamed 'Privacy Shield 2.0', in March 2022. The US side of the framework was put into effect by Executive Order 14086, signed by the US President in October 2022. The European Commission, for its part, published a draft adequacy decision for the framework in December 2022, and that decision is expected to take effect in the EU sometime in 2023. One of the notable changes introduced in the US by the Executive Order is the establishment of a Data Protection Review Court with the power to make binding decisions on complaints by individuals in the EU about US intelligence activities affecting their personal data.
The foregoing reinforces the cross-border impact that EU data protection law currently has on other nations. Academics have termed this the 'Brussels Effect'10: EU regulation becomes entrenched in non-EU legal frameworks, leading to a Europeanisation of significant aspects of global commerce, such as the setting of data protection standards. Incidentally, some of the changes introduced by the recent framework were noted by the DPC in the case against Meta. They were not, however, considered sufficient to sway the decision in Meta's favour: the new adequacy decision had not yet been adopted at the time, and the changes were viewed as, at best, cosmetic, leaving unaddressed the fundamental issue of wholesale surveillance of the personal information of EU citizens. This view is shared in legal circles11, including by Mr Schrems, who has expressed his readiness to challenge the validity of the new framework once it is officially declared operational in the EU.
Beyond its impact on digital platforms operating in the EU, the decision against Meta is an indictment of the US legal system, despite that country's vaunted claim to be a nation founded on respect for the rule of law. Particularly concerning are the various lapses identified by the DPC in the operation of FISA and of the US surveillance programmes. It is strange that a nation founded on the principles of constitutional democracy can justify a system of mass surveillance that allows little or no recourse to the courts as the final arbiter of grievances. This situation exposes a double standard on the part of the US, which is currently embroiled in a campaign of calumny against organisations with foreign ties such as TikTok, which it sees as an agent used by the Chinese government to spy on US citizens12. The US government would do well to engage in some soul-searching rather than cede to the European Union the moral high ground in pointing out the flaws in its data protection laws. As for 'Privacy Shield 2.0', whether it brings some semblance of stability to EU-US data transfers will be revealed in due course.
References
1. Meta Ireland (Meta Platforms Ireland Limited, formerly Facebook Ireland Limited) is a subsidiary of Meta Platforms, Inc. (US), which owns the social media platforms Facebook, WhatsApp and Instagram. The subsidiary is responsible for all EU operations of Meta Inc.
2. The full text of the DPC's decision is available at https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf
3. See Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
4. Directive 95/46/EC (the Data Protection Directive).
5. European Parliament, Report A7-0139/2014 on the US NSA surveillance programme. Available at https://www.europarl.europa.eu/doceo/document/A-7-2014-0139_EN.html
6. The DPC's position on this point was validated by the CJEU in Maximilian Schrems v Data Protection Commissioner (2015), which held that only the Court of Justice of the European Union has the power to declare a decision of the EU Commission invalid, although a national supervisory authority must still examine such a complaint with all due diligence. See para 52 of the judgment.
7. Case C-362/14 Maximilian Schrems v Data Protection Commissioner (2015).
8. Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (2020).
9. Meta, 'Our Response to the Decision on Facebook's EU-US Data Transfers' (May 2023). Available at https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/
10. Anu Bradford, 'The Brussels Effect' (2012) 107(1) Northwestern University Law Review.
11. Andre Walter, 'Privacy Shield 2.0: EU-US data transfers decision drafted' (2022). Available at https://www.pinsentmasons.com/out-law/news/privacy-shield-20-euus-data-transfers-decision-drafted
12. Catherine Thorbecke and Brian Fung, 'The US government is once again threatening to ban TikTok, what you should know', CNN (18 March 2023). Available at https://edition.cnn.com/2023/03/18/tech/tiktok-ban-explainer/index.html
About Aileru
I am an LL.M. student at the University of Aberdeen, Scotland, UK, with a concentration on Intellectual Property and Information Law. My current research interests cover data protection and cybersecurity law, trademarks and brand protection, IP rights and access to medicine, as well as cross-border patent protection. Prior to coming to the UK, I had over 8 years of commercial litigation experience in Nigeria covering real estate, commercial transactions, procurement, criminal defence and trademark defence. I am an avid writer and have written extensively on legal issues cutting across diverse areas of Nigerian law.
In my downtime, I like to play chess, take long walks or swim in the ocean.