BEERG Comment: Meta GDPR fine, SCCs and EU/US data transfers

Tom Hayes and Derek Mooney write: As you will know, earlier this week Facebook’s parent company, Meta, was hit with a €1.2 billion ($1.3 billion) fine by the Irish data protection authority, the Data Protection Commission (DPC). Reuters has a comprehensive report overview of the decision and its implications. You can find the EDPB’s binding decision HERE, the Irish DPC’s statement HERE and the response from Facebook/Meta HERE. 

In its statement the Irish DPC states bluntly that it disagreed with the imposition of a fine, saying: 

The DPC disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR.

The Irish Data Protection Commission is the lead supervisory agency, given that Facebook/Meta has its EU headquarters in Dublin. It has been working with the company to address the issues with data transfers, and it is saying publicly that it did not consider that the fine was justified and that it was compelled to impose this massive fine by the European Data Protection Board (EDPB). This raises serious questions about just how autonomous national regulators now are. 

When the General Data Protection Regulation (GDPR) was going through the legislative process there were arguments about whether the day-to-day supervision should be centralised or left to member states. The legislators agreed to leave it to Member States. This was the one-stop-shop approach which the Commission hailed in 2012 as one of GDPR great strengths and benefits for business, saying: 

A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the Member State in which the company has its main establishment.

This principle is now being hollowed out and the EDPB is becoming the de facto central authority for data protections decisions. This is not what the legislators decided, and it now falls to the Irish government to step up and defend the autonomy of the DPC. Otherwise, why bother with individual country supervisory authorities if they can be overruled by the EDPB. The phrases “overreach” and “power grab” come to mind. Indeed, we in BEERG have been warning of this overreach for several years.  

Without diving into the weeds of the technical details, it seems that Meta was fined because the DPC/EDPB held that its use of “standard contractual clauses” was insufficient and did not protect EU citizens’ data transferred to the US from being accessed by the US security services. This will be a cause of concern to the many thousands of companies, including EU companies using such clauses to transfer data across borders every week. 

Business today simply cannot function without such data transfers. Twice the European Court (CJEU) has struck down deals between the EU and the US to allow for such transfers. A new deal on transfers is now on the table, but privacy activists are already planning to challenge it. The European Parliament says this new deal does not go far enough to protect personal data transferred to the US. 

We are forced to wonder why the EDPB was so intransigently determined to impose a punitive fine when a new political agreement on EU/US data transfers is just a few months from implementation?

To say that there is a degree of hypocrisy involved here would be an understatement. Everyone knows that the national security services in EU Member States accesses personal data in the same way as those in the US, or the UK for that matter which has a post-Brexit “adequacy decision” from the EU Commission. 

There is more than a whiff of “anti US business” in the way certain EU data protection authorities work. It often seems that, rather than work with businesses to ensure that personal data is handled in a secure and safe manner, these authorities see their role as finding reasons to impose the biggest fines they can on such businesses. The Inquisition mindset dies slowly, however, with an operating assumption that every GDPR breach must constitute an offence and that they have no obligation to show actual or deliberate company misconduct. Think Salem, Massachusetts with network packets.

Data knows no borders and attempts to impose borders on data is a labour of Sisyphus. You can try to push the rock to the top of the hill, but you will never get there, and it will just roll back down again. It is time for those who want to see a modern, prosperous Europe, comfortable in the coming AI age and in which personal data is properly protected, take back the narrative from the data privacy fundamentalists who have had a free hand for too long.  Time for balance and common-sense.