A potential path forward after the Irish Data Protection Commission enforcement decision regarding Meta Ireland

22 May 2023

The Irish Data Protection Commission (DPC) has determined that Meta Ireland infringed Article 46(1) of the GDPR when it “continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.” (Press release) The Irish DPC’s decision was taken with the acknowledgement that Meta Ireland “effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland…” (Press release) The Irish DPC found that the Standard Contractual Clause arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.” (Press release)

The 216-page Irish DPC decision is extremely clear in its reasoning; in essence, the use of Standard Contractual Clauses (SCCs) for the purposes of EU-U.S. data transfers, even those SCCs adopted by the European Commission itself in 2021, do not pass muster due to the Schrems II court decision. Therefore, there was not much room for the Irish DPC to do anything other than write an extremely clear decision saying precisely this. There are some other elements to the decision, however, the arguments around the invalidation of the use of Standard Contractual Clauses comprise a core aspect.

The DPC has given Meta Ireland 6 months to find a solution. This 6-months’ gap is just enough time to create the possibility of a road forward; a possibility which is contained primarily in the effective implementation of proposed European – U.S. Data Privacy Framework on the part of the U.S. and the EU.

In October 2022, The Biden White House issued Executive Order 14086, which formalized the U.S. proposal for the new European Union – U.S. Data Privacy Framework. The proposed framework specifically responds to the problems outlined in the Schrems II decision. For example, Schrems II critiqued the U.S. for a lack of substantive redress for Europeans, a problem the proposed Privacy Framework specifically addresses. The new proposal also binds the U.S. intelligence community to do much more to protect EU individuals than many other countries currently require. The proposed framework contains additional elements, such as robust new requirements for procedural and other documentation. These and other elements in the U.S. proposal were crafted in direct response to the significant challenges the Schrems II decision has created for cross-border data transfers.

If the proposed European Union – U.S. Privacy Framework is fully implemented —and — if the framework is also deemed adequate by the Europeans within 6 months, then these actions taken together could potentially lead to a successful resolution within the Irish DPC’s time frame. This being said, it is still difficult to imagine that Max Schrems will not legally challenge the new European Union – U.S. Privacy Framework. The ultimate question will then rest on what the Court would find in a possible Schrems III decision.

Until that question is finally settled, cross-border data flows will likely remain unsettled. Indications that the U.S. is planning to implement the new Framework within 6 months, and signs that the European Union is seriously considering an adequacy decision will be important signposts to watch for going forward.

— Pam Dixon

Sources and Related Documents:

Irish DPC news release: https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland
European Data Protection Authority: Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service ( Art. 65 GDPR) https://edpb.europa.eu/our-work-tools/consistency-findings/register-decisions/2023/decision-data-protection-commission_en
WPF’s White House Briefing Outtakes on the New European Union – US Data Privacy Framework, 7 October 2022: https://www.worldprivacyforum.org/2022/10/white-house-briefing-outtakes-on-the-new-european-union-us-data-privacy-framework/
Executive Order 14086 of October 7 2022, Enhancing Safeguards for the United States Signals Intelligence Activities: https://www.federalregister.gov/documents/2022/10/14/2022-22531/enhancing-safeguards-for-united-states-signals-intelligence-activities
Fact Sheet: President Biden signs Executive Order to Implement the European Union – U.S. Data Privacy Framework, 07 October 2022. https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/

Posted May 22, 2023 in EDPS, EU - US Data Privacy Framework, Regulatory
Tags: Executive Order 14086 of October 7 2022, Irish Data Protection Commission, Schrems II

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.

A potential path forward after the Irish Data Protection Commission enforcement decision regarding Meta Ireland

Sources and Related Documents:

Irish DPC news release: https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland

WPF’s White House Briefing Outtakes on the New European Union – US Data Privacy Framework, 7 October 2022: https://www.worldprivacyforum.org/2022/10/white-house-briefing-outtakes-on-the-new-european-union-us-data-privacy-framework/

Executive Order 14086 of October 7 2022, Enhancing Safeguards for the United States Signals Intelligence Activities: https://www.federalregister.gov/documents/2022/10/14/2022-22531/enhancing-safeguards-for-united-states-signals-intelligence-activities