It will take some time for the implications of this week's record fine issued by the Irish Data Protection Commissioner against Facebook's parent company, Meta, to be realised. The fine, equivalent to £1bn, is for Meta's failure to provide adequate safeguards for personal data transferred between the EU and the US over a number of years. It is the next stage in the long-running dispute between the US and the EU over protection for EU citizens' data processed in the US: the US is not regarded as offering an equivalent level of protection and assurance, and following the overturning of the EU-US Privacy Shield, the burden has been on controllers to show that they have adequate safeguards in place for such data transfers.
The European decision shows that organisations subject to the GDPR take on a substantial risk when transferring data to any jurisdiction that does not have an adequacy finding (i.e. a finding that it offers a level of protection for personal data equivalent to that set out in the EU GDPR). The decision reconfirms that it is not sufficient for a controller to rely solely on the Standard Contractual Clauses (SCCs) or the UK equivalent (the International Data Transfer Agreement, IDTA), as these contractual mechanisms can be overruled by local law and regulation. In the case of Meta, the European Data Protection Board (EDPB) has consistently determined that US privacy law gives US intelligence agencies too much power to access the personal data of European citizens.
Important to show steps have been taken to assess risk of data transfers
The EDPB has found that the level of protection offered by Meta to EU citizens' personal data was not adequate, but the details of what will constitute "adequate" protection remain unclear, and different standards are likely to apply to sensitive or special category data. It is therefore even more critical for organisations to be able to show the steps they have taken to assess the risk of each individual data transfer.
Facebook has hit back strongly, arguing that the steps it takes are consistent with those taken by many organisations. Following Brexit, the UK is no longer bound to follow EDPB decisions, although maintaining a harmonised approach with the EU on data transfers remains important, as the internet-enabled economy relies on the ability of data to move freely between jurisdictions.
The new Data Protection Bill currently going through Parliament proposes amending the UK GDPR so that an "equivalent level" of protection becomes protection that is "not materially lower" than that offered in the UK. Whilst this may mean a slightly lower threshold for data transfers from the UK, it may attract the EU's gaze when it considers whether to maintain the UK's adequacy decision, which currently allows transfers from the EU to the UK without the need to rely on other safeguards.
The ICO will take some time to review the detailed decision, and in the meantime it serves as a timely reminder that all transfer arrangements need to be subject to regular review.
If you have any queries about Facebook's data protection fine or any other data protection matter, please contact our data protection team here.