The DPC Decision on Meta EU-US data transfers is imminent – what can we expect?
The European Data Protection Board (EDPB) has adopted a dispute resolution decision about Meta’s Facebook EU – US Data Transfers, which will be binding upon the DPC in relation to its own final decision. Although there are many territorial transfers across the world, transfers from the EU to the US are particularly important, and many regulators across the world will be watching the DPC’s actions closely. Whilst we do not know what exactly the DPC decision will entail until it is issued, this article explores what the possible effects may be and what to look out for in the decision.
Why is this important?
The EDPB had to issue a binding decision because of differences of opinion between the DPC and the other EU Supervisory Authorities (SAs), and difficulties in reaching consensus between them. When this occurs, Article 65 of the GDPR provides for dispute resolution through the EDPB, which was pursued here. On April 13, 2023, the EDPB announced in a press release on the EDPB website that it had adopted its decision on this matter. The EDPB clarified that the decision, which is binding on the DPC, addresses the legal questions arising from the DPC draft decision on Meta Ireland’s Facebook Services.
This decision is of particular interest to Ireland, which is host to the EU Headquarters of many US companies. Nevertheless, the decision has an impact upon all Irish and other EU business organisations engaged in EU-US data flows, which could have major economic impacts. The White House has reported this year that the economic value of EU-US transfers is of the order of 7 trillion US dollars (The White House 2023).
What might we expect?
A possible grace period for action?
On certain aspects we can only surmise what the outcome will be. For example, a recent LinkedIn video by IAPP considered whether the DPC would give Meta a grace period to bring its processing into line with GDPR requirements (IAPP 2023). Historical cases would indicate that this is a real possibility, and it may not be unreasonable to expect a grace period of between 1 and 3 months. Even if Meta Ireland were granted such a grace period, remedial actions would be difficult for Meta Ireland to achieve, assuming, of course, that the dataset(s) involved are extremely large.
Moreover, we can likely expect the DPC to issue an additional order to bring the processing into compliance. We know that it is reasonable to expect a ban on transfers because RTE has reported as follows:
‘…Dixon has said other regulators had not disputed her order to ban the data transfer mechanism.’ (RTE 2023)
The exact scope of the ban and what effects it will have for Meta Ireland will garner widescale interest and commentary.
The possibility of deletion?
Certainly, the DPC could look to the actions of another similar European Regulator. In 2022 the European Data Protection Supervisor (EDPS) ordered Europol to erase data. It is feasible that the DPC could order deletion of the shared Meta Ireland Facebook data. Alternatively, there is the possibility that if the conditions contained in the DPC’s decision are too onerous to comply with, Meta Ireland may have to resort to deleting these data anyway.
What about the Data Privacy Framework?
One further consideration is whether the DPC decision will take into account developments in relation to the new Data Privacy Framework and the US Presidential Executive Order (EO) 14086, which enhances safeguards for United States Signals Intelligence Activities. In February of this year the EDPB said of the US legislative progress:
Regarding government access to data transferred to the U.S., the EDPB acknowledges the significant improvements brought by Executive Order (EO) 14086. The EO introduces the concepts of necessity and proportionality with regard to U.S. intelligence-gathering of data (signals intelligence). (EDPB 2023)
This consideration is harder to gauge because the DPC has not discussed these developments in the context of the Meta decision. Whilst these developments have a direct bearing upon EU-US data transfers, it should be no surprise if they do not make it into the DPC’s decision. This is because these considerations were not ‘at play’ at the time when the complaints against Facebook were made.
The EDPB’s press release seems to hint that we can expect the DPC to issue an administrative fine, and that the fine is likely to be significant. The EDPB press release states the following:
More specifically, in its binding decision, the EDPB settles the dispute on whether an administrative fine and/or an additional order to bring processing into compliance must be included in the Irish DPA’s final decision. (EDPB 2023)
However, how the fine is calculated will be interesting to unpick.
While we have to wait until the DPC decision is published to examine and analyse the exact details and impacts, the decision will have a significant ripple effect across the tech sector in Ireland and abroad, as well as across media organisations and business in general.