Home > News > The Irish Data Protection Commission's new draft decision prohibits Meta from transferring personal data from Europe to the United States.
Print pageprint Stay Informedprint

NEWS

The Irish Data Protection Commission's new draft decision prohibits Meta from transferring personal data from Europe to the United States.

calendar_new
14/07/2022

 

On 7 July 2022, the Irish Data Protection Commission (Irish DPC) issued a draft decision to prohibit Facebook owner Meta from transferring personal data from Europe to the United States.

That draft decision was issued further to an “own volition” inquiry initiated by the Irish DPC regarding Meta’s transfer of personal data to the U.S.

Pursuant to the GDPR, data exporters shall put in place appropriate safeguards for transfers of personal data to countries or international organisations located outside the EEA.

Such a transfer of personal data may take place where the European Commission has decided that the third country or the international organisation in question ensures an adequate level of protection, by issuing an adequacy decision. In such cases, transfers of personal data to that third country or international organisation may take place without the need to implement any further measures1.

In case no adequacy decision has been issued, data exporters may rely on another mechanism provided by the GDPR to transfer the personal data, such as the Standard Contractual Clauses adopted by the European Commission (SCCs), binding corporate rules or an approved certification mechanism together with binding and enforceable commitments2.

Until 2015, the transfer of personal data from the EEA to the U.S. was allowed pursuant to the Safe Harbor adequacy decision. This has been invalidated by the Court of Justice of the European Union (CJEU) in its well-known Schrems I decision.

In 2016, the Safe Harbor was replaced by the Privacy Shield, a self-certification mechanism for companies in the U.S. The Privacy Shield was subsequently also invalidated in 2020 by the CJEU in its Schrems II decision.

In the Schrems II decision, the CJEU ruled that the standard data protection clauses adopted by the European Commission regarding data transfers from controllers in the EEA to processors established outside the EEA are not capable of binding public authorities of third countries (since they are not party to the contract). As a consequence, data exporters will, on a case-by-case basis, need to take supplementary measures (such as contractual obligations, empowerment of data subjects to exercise their rights, audits, compliant data encryption, data pseudonymisation, etc.) to ensure compliance with the level of protection required under EU law in a particular third country3.

The recent draft decision of the Irish DPC means that Meta will be forced to cease relying on SCCs only and will be required to implement supplementary measures to ensure that any transfer to the U.S. complies with the EU level of protection of personal data.

On 25 March 2022, the European Commission and the U.S. announced that they have agreed “in principle” on a new Trans-Atlantic Data Privacy Framework for the transfer of personal data from the EEA to the U.S. This agreement, if finalised, will be translated into legal texts that will form the basis of a draft adequacy decision to be proposed by the European Commission4. Should an adequacy decision be formally issued, Meta will be able to rely thereon for its future transfers of personal data to the U.S.

In the meantime, the Irish DPC sent its draft decision to the other European data protection authorities for their opinion in accordance with article 60 GDPR. The national data protection authorities will now have a period of four weeks’ time to provide their opinion, including any objection they might have.

Shall none of the other supervisory authorities has objected to the draft decision in due time, the Irish DPC and the supervisory authorities will be deemed to be in agreement with that draft decision and shall be bound by it. However, although the Irish DPC triggered the application of article 60 GDPR by sending the draft decision to its European counterparts, any final decision could take longer than four weeks. 

According to the Irish DPC, the abovementioned draft decision should be published soon.

We remain at your disposal for any questions.

 
 
 
 
 

1 So far, the European Commission has adopted adequacy decisions with respect to the following countries: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom and Uruguay.

2 In that respect, the EDPB published its draft Guidelines 07/2022 on certification as a tool for transfers on 16 June 2022. These Guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification.

3 For more examples of additional measures that can be implemented, see the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, available here

4 For more information, see https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2087.