Meta Fine, Not Fine
The other shoe has finally dropped on transatlantic data transfers. While the detail of the Data Protection Commission’s decision in relation to Meta’s reliance on Standard Contractual Clauses will need to be considered through careful reading of the published decision, what we know at this point is:
- Meta will be ordered to suspend transfers of Facebook data to the US. This has a lead-in period attached (6 months).
- Meta will be fined €1.2 billion (or around 5% of the losses so far on the Metaverse). This brings their total fines to €2.4 billion in aggregate, or about 10% of the losses so far on the Metaverse.
- Depending on the lead-in time on the suspension of transfers, there may or may not be an effective alternative measure that Meta can rely on for these transfers as the much hyped Transatlantic Data Agreement (aka ‘TADA’, because it is magic) may not be in place in time to bridge the gap.
- In addition to suspending transfers, Meta has to delete Facebook data of European users that is stored in the US.
- Whatever the detail of the Meta/Facebook decision turns out to be, it will have implications for other transfers of personal data to the United States by other cloud platforms (think Office365, Google Workspace, Twitter, etc.).
- Oh, and Article 49 derogations as a basis for transfer to the US get a kicking as well – basically they won’t work as a fallback.
For an industry that likes to tout disruption as a business model, this is what disruption looks like in the cold light of day. And, of all the elements of the decision, the most disruptive is the long-heralded suspension of transfers to the US under Standard Contractual Clauses and the order to delete data held in the US, not the fine.
What Happens Next?
Based on historic form, Meta will (checks notes) try to appeal this into a hole in the ground. This is part of their standard approach to these things and it may result in the actual enforcement of the decision being delayed.
But this decision is significant not for the fine but for the exercise of the power to suspend transfers. The fine is a fraction of what Meta has spent on Zuckerberg’s vanity project to reinvent Second Life, which has been around for years.
What happens next is that organisations will now need to:
- Review the DPC’s decision for the details of the issues which triggered the suspension of processing on the basis of SCCs. It will be important to understand the actual fact pattern and what the gaps were that need to be addressed in other uses of SCCs for transfers outside the EU/EEA.
- Organisations will then need to apply the learnings from the decision to their own use of SCCs and, where possible, address the weaknesses identified in Meta’s case. This will be tricky for organisations who have Big Tech firms as data processors, as the pace of action will be driven by the pace of action of those firms. And their pace of action may not always take into account the particular risks to the rights and freedoms of the data subjects who are your customers, staff, or service users.
- These reviews should not be confined to assessments of transfers to the United States – any transfer to a country outside the EU/EEA based on standard contractual clauses will now need to be reviewed in light of the specifics of this decision.
The Transatlantic Data Agreement (TADApf)
The devil will be in the detail as to whether the TADA will fix the problem of transfers to the US for Meta. Some key details to remember:
- The TADApf Adequacy Decision has not been finalised. As of today it doesn’t exist. It may not exist in time for Meta to switch to it as an alternative basis, even with the six-month lead-in window.
- The TADA has been criticised by EU Data Protection Regulators and by the European Parliament as being ‘close but no cigar’. This is a pattern we have seen before with Privacy Shield. So, TADA, when it arrives, may be subject to challenge before the CJEU almost instantly.
The US Government has moved quite a distance in putting forward their side of the TADApf and the progress there should be applauded. However, it remains to be seen if the structures meet the standard required under the string of Schrems decisions at the CJEU. The key question as we build the bridge across the Atlantic is whether the far side is supported by proper piers and pillars or is tied to a tree branch with a piece of rope.
But what about “necessary transfers”?
Under GDPR there is provision for “necessary transfers”, but these are under Article 49 of GDPR as derogations to the general rules on cross-border transfers, and the EDPB guidance is clear that this is for emergency and occasional use only, not as part of any systemic and ongoing processing. There is even a complaint before the Belgian DPA on that very question relating to transfers to a professional body.
Indeed, the DPC’s decision considers the potential application of Article 49 derogations at length, including public interest, contractual necessity, and even (although flagged as not relevant to the specifics of the decision at hand) explicit consent. And it finds none of them applicable for transfers to the US (which is interesting to me as I have an open complaint with the Belgian DPA re: cross-border transfers to the US relying on Article 49).
So, commenters saying that there should be an allowance for Meta to move to a federated model and for necessary transfers to take place need to stop and ask if that will actually work under the absolutist interpretation that has emerged from regulators and the CJEU on foot of high-profile cases and legal arguments. In fact, I would ask such commenters to spell out, specifically, the legal basis for such a “necessary transfers” basis and, importantly, I’d ask them to explain how that would work as a matter of general principle across all online services (because if the answer is that simple and can be made to work, they will be heroes).
As Immanuel Kant wrote: “Act only on that maxim that you wish would become a universal proposition”.
The Data Governance Angle
This decision raises data governance questions for Meta as well as for other Data Controllers or Data Processors relying on Standard Contractual Clauses.
What’s the matter, Meta?
A fundamental question that will need to be addressed by Meta as part of their response to this decision is whether they have the underlying data structures to segregate data and prevent EU data being transferred to the US. Bluntly: they probably don’t, because that’s not the kind of thing you think about when you are moving fast and breaking things and your boss is prioritising spending the money on his #SecondHandLife VR vision.
This will have an impact on whether Meta can actually comply with the decision to suspend transfers, which makes the horserace between the decision and the TADA Adequacy Decision all the more pressing. Meta has said previously that they would exit the European market if decisions went against them (they subsequently walked these comments back, perhaps because of the technical and process challenges of excluding users wholesale from the platform, and the fact that it would look very much like a white flag of surrender and an acceptance that their business model is incompatible with EU law and fundamental rights).
The deletion of data from servers in the US also raises some data architecture and data governance questions I suspect, unless Meta has already figured out how to hermetically seal EU data away from US servers (see my note below on the red herring of “necessary transfers” and federation being a work around).
The impact on mere mortals
Mere mortal data controllers who rely on Meta / Facebook face a Data Governance and Data Strategy challenge now. This will be particularly true for those organisations who have, in recent years, relied on the shiny strip mall that is Facebook as their only storefront.
But these challenges will be faced by every organisation that is relying on SCCs as their basis for transfers outside the EU/EEA, or who have such transfers going on in their data supply chain. This data supply chain question is critical for organisations to get their minds around fast, and it highlights the value of a good Register of Processing Activities. Organisations need to quickly identify which processing activities in their organisations are relying on SCCs for transfers of data outside the EU/EEA (e.g. to India, Australia, South Africa etc.), and then review each destination jurisdiction against the fact pattern in the DPC’s decision.
This will need to be done with an eye on the risk that an EU Supervisory Authority (any of the 27) may now, on the basis of the precedent of this decision, suspend the use of SCCs as a basis for transfer from their jurisdiction, and that such action will likely be copied by other Regulators. The Data Strategy impact will come as part of that assessment:
- What transfers can you live without?
- What processes can you switch to other providers?
- What additional supplemental measures can you implement to mitigate risks associated with SCCs?