EU EDPB vs. Irish DPC vs. Meta Platforms
May 24, 2023
The Irish Data Protection Commission (DPC) has evaluated the legality of Facebook’s (now Meta Platforms) data transfer for over 10 years. In those 10 years, we have seen the Irish DPC trying to avoid ruling on the matter multiple times and the European Data Protection Board (EDPB) forcing them to do it. We now have a final ruling on the matter, which is unfavorable to Meta. In fact, in addition to having to stop the data transfer within 5 months and having to move back all data within 6 months, Meta has to pay a € 1.2 billion fine.
The first interesting point of this story is the legality of moving data from the EU to the US. The fact that companies should avoid or, at least, limit as much as possible the transfer of data from the EU to the US is widely known at this point. I think this DPC inquiry makes it more clear-cut, by removing the “or, at least, limit as much as possible” part. In fact, the wording of the inquiry conclusion is unambiguous and talks about “any future transfer of personal data to the US”. This part of the sentence might soon become obsolete due to the conversations between the EU and the US around the Trans-Atlantic Data Privacy Framework. This legal framework, which is expected to be ratified in the next 3 months, should make it easier to transfer data between the EU and the US without violating the GDPR. However, it is critical to remember that even if that framework is ratified, it will not apply retroactively, so any data transfer that occurred before the ratification is still problematic. Also, this would be the third attempt to create such a framework, and the first two (the International Safe Harbor Privacy Principles first, followed by the EU-US Privacy Shield) were invalidated by the Court of Justice of the European Union (CJEU), so there is no guarantee that this time will be any different.
The second interesting aspect of this inquiry is around the Standard Contractual Clauses (SCCs). A point of view that I have always held, which has now been confirmed by this inquiry, is that SCCs are far less useful than the way they are currently used would suggest. At the moment SCCs are used to “mitigate” the risk of data transfers by having the company commit contractually that it will not share data except in ways that are GDPR compliant. The big issue is that SCCs are, as the name suggests, contractual clauses, while the actions that they are trying to protect against are mandated by US laws. Needless to say, US laws take precedence over contractual clauses and, therefore, SCCs are just a tick-box exercise with no real-world impact.
The third aspect that I think is interesting in this whole story is the power that the national Data Protection Entities have when they don’t want to proceed against an organization. Due to how the Data Protection Entities are structured, the Data Protection Entity that has to rule on a potential GDPR violation is located in the country of the defendant. Since the biggest country in the EU is Germany, with 83 million people out of a total of about 450 million people living in the EU, the plaintiff is (statistically speaking) located in a different country from the Data Protection Entity ruling on the case. Consequently, there might be some pressure on the regulating Data Protection Entity to avoid ruling against a local business. Although in this particular case there might not have been any pressure on the Irish DPC, we have seen that if a national Data Protection Entity rules in a way that is very different from the EDPB consensus, the EDPB has the power to overrule the national Data Protection Entity. This is not a new concept, and in this case it proved to be a very slow process, but it is an important stepping stone toward a more homogeneous application of the GDPR throughout the whole EU.
Personally, I’m confident that rulings such as this one are of critical importance for the thorough and coherent application of the GDPR.