In a recent Insight we discussed the record €1.2 billion fine imposed on Meta Platforms Ireland Limited by the Irish Data Protection Commission (DPC) for unlawfully transferring the personal data of Facebook users from Europe to the US.
Shortly following the DPC’s decision, the European Commission announced that it had adopted an adequacy decision for an EU-US Data Privacy Framework, adding a new twist to an ongoing tale.
A quick recap
Meta was handed a record fine by the DPC after relying on Standard Contractual Clauses (SCCs) to provide the safeguards required by GDPR to transfer data outside of the European Union. Central to the DPC’s decision was that the European Commission did not consider that US law provided equivalent levels of protection for personal data compared to the EU. A key reason for this conclusion was that US surveillance agencies can collect electronic communications of non-US persons stored by US internet service providers. Therefore, the DPC determined that entities transferring data to the US needed to take additional measures to compensate for the lack of equivalence. The DPC found that the SCCs used by Meta (and of course many others) were not a sufficient measure to address this gap in protection under US law.
Introducing the EU-US Data Privacy Framework
On 10 July the European Commission announced it had adopted an adequacy decision for the EU-US Data Privacy Framework.
The new Framework is a set of privacy principles and safeguards developed by the US Department of Commerce and the European Commission to provide a mechanism for personal data transfers from the European Union to the US. It allows US entities to self-certify compliance with the Framework. EU data can then be transferred to these self-certified US entities without the need for any additional measures. Unsurprisingly, Meta Platforms, Inc. (Meta’s US entity) has already self-certified under the new Framework.
Key aspects of the new Framework include limiting US surveillance access to EU data to what is necessary and proportionate, and the establishment of a Data Protection Review Court to which EU individuals will have access. It is these features in particular which the European Commission relied on to issue its adequacy decision, resolving that US data protection law is essentially equivalent to that of the EU.
Because the Framework relies on self-certification, the US Department of Commerce has said that they will monitor compliance by participating organisations on an ongoing basis. Non-compliance can then ultimately be enforced by the Federal Trade Commission (FTC) (or another statutory body that can ensure compliance). For example, the FTC can prosecute non-compliance as “unfair or deceptive acts in or affecting commerce” under section 5 of the US’s FTC Act. So, it will be important for participating organisations to take care in their compliance assessments with the Framework.
Will the new Framework hold up?
The question of whether the US has adequate data protection laws when compared to the European Union has some history:
• In 2000 the European Commission issued a “Safe Harbour” decision allowing data transfers from the EU to the US. This was invalidated by the European Court of Justice (ECJ) in 2015 following legal action from privacy campaigner Max Schrems (this decision is known as Schrems I); and
• In 2016 the European Commission approved a different EU-US data transfer regime known as the “Privacy Shield”. However, the Privacy Shield was also invalidated by the ECJ in 2019 (in a decision known as Schrems II).
The new EU-US Data Privacy Framework is touted as addressing concerns previously raised by the ECJ. However, critics argue that the new Framework changes little in practice so expect to see the issue before the ECJ once again. For example, Max Schrems – the man behind much of the previous litigation in this area – reacted to the announcement of the Framework by stating:
"We have now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it."
What happens next?
For now, organisations who have self-certified to the Framework can receive EU data without having to put in place additional safeguards.
An interesting footnote – the Meta decision included a suspension order requiring it to cease personal data transfers to the US, and a compliance order requiring it to bring its processing obligations into compliance with GDPR and to cease unlawful processing. However, the DPC stated at the time of its decision that these orders would not be effective if the gap in protection between EU and US laws was resolved by a future adequacy decision. So, while the fine will stand (at least at this stage), these other orders have for now been superseded by the new Framework, which has provided Meta with a much-needed lifeline.
Max Schrems has indicated that he expects the issue of EU-US data transfers to be back before the ECJ by the beginning of next year, with his privacy advocacy and enforcement organisation NOYB eyeing up various options for a challenge.
So, it will pay for businesses operating in the EU and US to continue to keep tabs on how this long-running saga (and compliance nightmare) progresses.