Author: Elliot Fry, Managing Associate in the commercial team at Cripps.
The Irish Data Protection Authority recently imposed a record fine of €1.2bn for Meta (the owner of Facebook and Instagram) due to Meta’s transfers of personal data to the USA.
The GDPR requires anyone transferring personal data outside of the EU to ensure that personal data is subject to adequate protection. The EU has decided that certain countries (like the UK) offer an adequate level of protection, allowing for unrestricted transfers. That is not the case for transfers to the US, and so exporting personal data to the USA requires additional measures to be taken (unless they can rely on one of the limit exemptions provided for in the GDPR). This is, in part, due to the powers of the US Government to require access to data.
The most common measure used when exporting data is a set of “Standard Contractual Clauses “ (SCCs) between the exporter (in the EU) and the importer (in the receiving country). Those SCCs are issued by the EU but are not, by themselves, always sufficient to ensure compliance. The EU also requires supplemental measures (practical steps like encryption, pseudonymisation or reducing the amount of data) to help ensure individuals’ rights are protected, depending on the risk associated with the transfer.
Meta in this case relied on the SCCs, and the fine was imposed because their supplemental measures were judged to be insufficient to adequately protect the individuals whose data was being transferred.
While Meta obviously transfers more (and more detailed) personal data to the US than most other businesses, lots of businesses transfer personal data to the US. The concern is that if Meta cannot do so in a compliant way, what hope do the rest of us have?
While most businesses will hopefully have completed a GDPR compliance project, international transfers remain a difficult area, as the EU’s requirements continue to change.
While the size of the fine is a cause of concern, it’s worth remembering that this followed years of dialogue between the authorities and Meta. Data protection authorities will inevitably focus on the highest profile cases, and are likely to have been influenced by the perception that Meta deliberately or negligently ignored previous warnings and profited from this continued breach. The UK’s data protection authority has also not yet indicated that it will be pursuing the same approach towards international transfers and enforcement decisions.
Still, businesses which routinely transfer personal data outside the EU (either through using service providers, or because they have parent or group companies outside the EU) should carry out an impact assessment and review what data is being transferred and what measures are in place for compliance. At the very least, SCCs should be put in place, and any supplemental measures should be recorded. If you are using a service provider outside of the EU, you may want to ask them what measures they have in place to ensure compliance.
If possible, businesses may look to reduce their transfers of personal data outside of the EU, or stop them altogether. If that causes difficulties, it’s worth ensuring that your compliance measures are fully documented, and evaluating the risk involved in continuing those transfers.
Discussions between the EU and US regarding a data transfer regime are in progress, and the hope is that a compliant solution can be reached which allows for unrestricted transfers. In the meantime, companies are left in an uncertain position of being potentially non-compliant and relying on the fact that data protection authorities are only focusing on the highest profile cases.