The troubled history of EU to US data transfers, US surveillance, and EU fines.
21st June 2023
Meta has been battling the EU, Max Schrems and the Data Protection Commissioner for Ireland around the transfer of personal data from the EU to the US. The decision to fine Meta €1.2 billion is the latest development in a long history of trouble for EU – US data transfers. In this briefing we will discuss the background, the decision itself, and the likely implications for other tech companies or businesses transferring data out of the EU. We also look at the proposals for the EU-US Data Privacy Framework that will provide an option for US data transfers along the lines of the previous Safe Harbour/Privacy Shield schemes.
Data Transfer Principles
Personal data transfers from the EU to outside of the EEA require appropriate mechanisms to be in place. Countries designated as having adequate protections, such as the UK, Canada, Japan, and New Zealand, can receive personal data from the EU as if it were an intra-EU transfer. Notably, the US is not included in this list. There have been attempts to put in place specific transfer schemes for the US, such as Safe Harbour and Privacy Shield (both now defunct). Currently the most common method for transfer is via the EU-approved Standard Contractual Clauses (SCCs), which establish a contractual mechanism for appropriate safeguards between data exporters and data importers. Alternatively, there are eight exceptions which can allow for the transfer of data outside the EU, such as the explicit consent of the relevant data subject.
The Meta decision is the latest challenge to how organisations can transfer personal data to the US (and other countries without an EU adequacy decision). Although this relates specifically to EU law, it is highly relevant to UK companies who may have international operations transferring data from the EU to the US. Any transfer of personal data from the EU to the UK and then on to the US is considered an “onward transfer” subject to the EU rules. The UK Information Commissioner allows UK companies to “piggyback” the EU Standard Contractual Clauses with a UK addendum, so many UK organisations are using SCCs as a basis for data transfers.
Safe Harbour blown out of the water by Wikileaks
The International Safe Harbour Privacy Principles were established in 2000 allowing companies to transfer data from the EU to the US, something which companies such as Meta would go on to utilise.
This system operated without much debate until the disclosure of classified US documents by Edward Snowden in 2013, in what became known as Wikileaks. It became evident from this that data transfers were happening that were not in line with the Safe Harbour Principles. In particular, the revelation that major tech companies were under surveillance by the National Security Agency meant that the US was infringing the rights of EU citizens, in the eyes of privacy campaigners.
In response to the disclosures, Maximillian Schrems, an Austrian activist and lawyer, filed a complaint with the EU Commission. Schrems believed the transfers to be unlawful under both national and EU data protection laws. The EU Commissioner at the time declined to investigate and Schrems filed for judicial review of this decision.
In the meantime, the EU and the US began to work on clarifying for the EU Commission the exact scope of what had been disclosed by Snowden. The US confirmed the existence of the ‘PRISM’ programme and claimed that section 702 of the Foreign Surveillance Act 1978 allowed for ‘upstream collection’ of personal data from tech companies. One major concern was that there was no need to identify an individual from whom the data could be collected and no specific rationale for the data collection. In addition, there was no avenue for EU (or US) data subjects to be informed of the collection of their personal data and no opportunity for obtaining, erasing, or rectifying the data.
The review process and subsequent investigation concluded that Safe Harbour transfers could no longer take place. The investigation into the Safe Harbour Principles also found (as a preliminary view) that the 2010 Standard Contractual Clauses were not capable of remedying the deficiencies in US law. This resulted in proceedings in the Irish High Court and Supreme Court and ultimately the involvement of the CJEU.
Privacy Shield also destroyed
The EU and the US had been working on a successor to Safe Harbour and created the EU-US Privacy Shield. This came into effect in July 2016. The Privacy Shield was meant to be an improved version of the Safe Harbour Principles but concerns remained over its effectiveness in giving equivalent protections to data subjects as they would receive under EU law.
The resulting CJEU judgement (which came to be known as Schrems II) was handed down on 16 July 2020 and had the effect of invalidating the Privacy Shield, primarily because it could not be binding on US intelligence services, only conferring contractual rights on data subjects. In addition to this, the CJEU objected to US surveillance based on Executive Order 12333, which had originally been signed under the Reagan presidency. EO 12333 has a far wider scope and encompasses all US foreign intelligence, even where it doesn’t relate to US citizens.
Schrems II left the door open for organisations to continue to use Standard Contractual Clauses as a basis for US data transfers, but more due diligence was expected to be shown through the use of Transfer Impact Assessments and analysis of whether local laws would override protections for data subjects.
Meta in the firing line
The Data Protection Commissioner for Ireland started an inquiry into Meta’s compliance with GDPR and a Preliminary Draft Decision (PDD) was issued with preliminary views on data transfers. After some back and forth and more judicial review, a revised version of the PDD was published on 21 February 2022 and the matter was essentially referred to the European Data Protection Board (EDPB).
It was concluded that the SCCs which Meta had been relying on for its data transfers from the EU to the US were not sufficient to make up for the lack of privacy protection in the US. This decision took account of US Executive Order 14086, which had attempted to bring the US in-line with the standards required.
EO 14086 did not plug the gap because:
- Any complaints that arise under the EO would only be received and reviewed under its redress system where they originate in a ‘qualifying state’. The EU has not been designated as a qualifying state.
- Even if the EU had been designated as a qualifying state, the redress system is not capable of being invoked by an EU citizen.
As a result of this decision, Meta received a large fine (€1.2 billion). The DPC for Ireland had originally not intended to impose a fine, but with the EDPB and countries such as France, Spain, Germany and Austria opposing, a significant fine was duly imposed. The EDPB was keen to highlight that the fine was imposed to ensure compliance by other companies and that without a fine there would be an implied acceptance of past infringements. The considerations in setting the level of the fine included that it amounted to a serious breach, involved large data sets, and related to a lot of data subjects.
Two orders were provided under the decision, a Suspension Order and a Cessation Order. The former requires Meta Ireland to stop transfers of data from the EU to the US within five months. The Cessation Order requires Meta to bring transfers of data in line with GDPR within six months of the decision date. Crucially, the Cessation Order also applies to previously made transfers of data, meaning any data historically transferred needs to be brought in line with GDPR. The full extent of how this will work is, however, not entirely clear. Germany and France both objected to the order with concerns over how the deletion of data might negatively affect users and business. The DPC was vague on the point of how such compliance should be reached but did note that a new and updated framework or system could suffice (a further successor to Safe Harbour or the Privacy Shield, for example). However, any developments to bring Meta into compliance would not negate the fine. This seems to pave the way for a forthcoming EU adequacy decision on the Data Privacy Framework and the new UK-US data bridge.
The EU-US Data Privacy Framework
In response to the end of Privacy Shield the EU and US have been working on establishing a new mechanism, the Data Privacy Framework. Under this new scheme, US organisations can self-certify that they are compliant with the requirements of the Data Privacy Framework. The European Commission has issued a draft decision that this creates an adequate level of protection for US data transfers for these organisations. However, that Draft Decision is under scrutiny by the EDPB and the European Parliament. The EDPB opinion notes an overall improvement but does raise some concerns with the proposals and requests various clarifications from the Commission.
It will be interesting to see the developments in the coming months, with the US government under pressure to get a deal over the line, especially as any losses would hit primarily US-owned companies such as Meta, Apple, Google etc. Added to this is the recent history of privacy campaigners challenging the previous US transfer mechanisms, so there will be a lot of attention on the final provisions of the Data Privacy Framework.
The UK-US Data Bridge Proposals
The UK-US Data Bridge was agreed in principle between the UK and the US on 8 June 2023 and will act as an extension to the EU Data Privacy Framework. However, the agreement is only in principle at this stage, so the finer details have not been set out.
It is expected that the US Data Bridge will work by allowing the transfer of data to US companies which are approved under the EU Data Privacy Framework. It is theoretically possible for the UK to grant an adequacy decision to self-certified US companies under a UK-only scheme, but this would be limited in scope. Any EU personal data coming to the UK cannot then be part of an “onward transfer” to the US unless it is GDPR compliant. Therefore, the UK position is largely dependent on the EU putting its Data Privacy Framework in place (just don’t mention post-Brexit sovereignty).
Implications for others transferring data
So, what does all this mean for companies transferring data from the EU or the UK to the US? For transfers out of the EU, companies can continue to rely on the latest set of SCCs so long as they ensure that, in context, those SCCs adequately protect the data being transferred. It is not simply a case of signing the latest SCCs without further thought as to the levels of protection available to data subjects, given the US government’s ability to conduct large-scale surveillance. The issue that the Irish DPC found with Meta was not that its SCCs were inadequate but that the ‘supplementary measures’ did not compensate for privacy ‘deficiencies’ in US law. There are likely to be a lot of Data Protection Officers looking at their SCC processes in the light of the Meta decision.
The landscape might become easier to navigate going forwards if the EU and US can put in place the Data Privacy Framework. The question is partly about how quickly the EU and US can get this in place but also about how long it will survive contact with privacy campaigners like Schrems.
The UK does have bases for transferring data, such as the UK International Data Transfer Agreement (IDTA), to be used mostly where companies operating solely in the UK need to transfer data to third countries. Alternatively, for companies with a presence in the EU there has been the UK Addendum to the EU SCCs, allowing for transfers to third countries (therefore the same concerns with the current state of the EU SCC process apply to UK organisations using the UK Addendum approach). The UK has Data Bridge proposals lined up to bolt on to the EU arrangements, but until the EU Data Privacy Framework is in place these are unlikely to be rolled out.
In the meantime, EU organisations exporting data to the US (and UK data exporters dealing with EU personal data) are essentially left to operate the SCC mechanism, which has been significantly challenged in the Meta case. Much more attention will need to be paid to the supplementary measures that organisations can put in place to plug any gaps in US privacy law before the new transfer regimes are in place.
For more information on the issues raised in this note or for any of your IT or data legal issues please get in touch with us:
Codified Legal 17 April 2023
7 Stratford Place
0845 351 9092