Share This Article
The GDPR fine of € 1.2 billion issued by the Irish data protection commission against Meta raises the question of how companies deal with data transfers leading to a status of anxiety perfectly expressed by The Scream of Munch.
But let’s start from the beginning:
The GDPR fine against Meta for data transfers
The Irish Data Protection Commission identified severe gaps in Meta’s security measures, both organizational and technical. Despite establishing policies for disclosure, disproportionate requests, law enforcement, and securing data during transmission and on Facebook laptops, these efforts were considered insufficient. They fell short of rectifying the inherent flaws in the US legal system or providing ample protection in alignment with EU law against the wide-ranging authority of the US government under Section 702 FISA DOWNSTREAM (PRISM) requests.
Indeed, according to DPC, Meta US must divulge users’ personal data if requested under Section 702 FISA by the US government. This circumstance creates a contradiction: while the EDPB Supplemental Measures Recommendations endorse a risk-based approach, the decision dismisses Meta’s assertions about limited US government requests based on the CJEU’s contention that there are no bounds to Section 702 FISA powers.
The position of the DPC appears to be that, due to Meta being identified as an electronic communications services provider caught under s.702/PRISM, any contractual, technical, or organizational measures, no matter how robust they may be, cannot fully address the shortcomings in US law. This approach is because if a valid government request is made under s.702, Meta would be legally obligated to disclose personal data of its users.
Paragraph 7.199 of the decision prescribes that “the EDPB Supplemental Measures Recommendations do not exclude a so-called risk-based approach.” But the provisions cannot be read because the DPC validates such an assessment.
Besides, this decision was validated by the other privacy authorities as part of the consistency procedure. As such, a similar view is expected to be followed by other EU data protection regulators.
How companies shall deal with data transfers after the Meta decision?
Companies seem to have reached a dead end. The image of The Scream of Munch was materializing in my head…
The migration to a fully EU-based technical infrastructure without access to data from outside the EEA would be highly costly, and, in some cases, there are no valid alternatives to US suppliers. An adequacy decision on data transfers to the US will likely be approved, but the risk of a Schrems 3 is exceptionally high, especially after the Meta case.
The Irish Data Protection Commissioner has not fully closed the door to a risk-based approach, and even if that was the case, a risk assessment is the backbone of data protection compliance. As such, in a potential dispute before courts, the company would have valid arguments to defend its case.
In this scenario, performing a transfer impact assessment (TIA) using a risk-based methodology widely recognized in the market represents the sole viable option. In contrast, the “wait and see” strategy without performing a TIA will inevitably lead to a fine.
A solution like DLA Piper’s data transfer methodology and legal tech solution named “Transfer” is already used by 300+ clients and was reviewed by the main European data protection authorities. You can have more information at the link HERE and reach us to arrange a demo.
On the same topic, you can find the following article interesting “Do you have a data transfer impact assessment methodology based on the Schrems II decision?”