A potential path forward after the Irish Data Protection Commission enforcement decision regarding Meta Ireland

22 May 2023 

The Irish Data Protection Commission (DPC) has determined that Meta Ireland infringed Article 46(1) of the GDPR when it “continued to transfer personal data from the EU/EEA to the USA following the delivery of the CJEU’s judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.” (Press release) The Irish DPC’s decision was taken with the acknowledgement that Meta Ireland “effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland…” (Press release) The Irish DPC found that the Standard Contractual Clause arrangements “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.” (Press release)

The 216-page Irish DPC decision is extremely clear in its reasoning; in essence, the use of Standard Contractual Clauses (SCCs) for the purposes of EU-U.S. data transfers, even those SCCs adopted by the European Commission itself in 2021, do not pass muster due to the Schrems II court decision. Therefore, there was not much room for the Irish DPC to do anything other than write an extremely clear decision saying precisely this. There are some other elements to the decision, however, the arguments around the invalidation of the use of Standard Contractual Clauses comprise a core aspect.

The DPC has given Meta Ireland 6 months to find a solution. This 6-months’ gap is just enough time to create the possibility of a road forward; a possibility which is contained primarily in the effective implementation of proposed European – U.S. Data Privacy Framework on the part of the U.S. and the EU.

In October 2022, The Biden White House issued Executive Order 14086, which formalized the U.S. proposal for the new European Union – U.S. Data Privacy Framework. The proposed framework specifically responds to the problems outlined in the Schrems II decision. For example, Schrems II critiqued the U.S. for a lack of substantive redress for Europeans, a problem the proposed Privacy Framework specifically addresses. The new proposal also binds the U.S. intelligence community to do much more to protect EU individuals than many other countries currently require. The proposed framework contains additional elements, such as robust new requirements for procedural and other documentation. These and other elements in the U.S. proposal were crafted in direct response to the significant challenges the Schrems II decision has created for cross-border data transfers.

If the proposed European Union – U.S. Privacy Framework is fully implemented —and — if the framework is also deemed adequate by the Europeans within 6 months, then these actions taken together could potentially lead to a successful resolution within the Irish DPC’s time frame. This being said, it is still difficult to imagine that Max Schrems will not legally challenge the new European Union – U.S. Privacy Framework. The ultimate question will then rest on what the Court would find in a possible Schrems III decision.

Until that question is finally settled, cross-border data flows will likely remain unsettled. Indications that the U.S. is planning to implement the new Framework within 6 months, and signs that the European Union is seriously considering an adequacy decision will be important signposts to watch for going forward.

— Pam Dixon

Sources and Related Documents:

  • Irish DPC news release: https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland

  • European Data Protection Authority: Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service ( Art. 65 GDPR) https://edpb.europa.eu/our-work-tools/consistency-findings/register-decisions/2023/decision-data-protection-commission_en

  • WPF’s White House Briefing Outtakes on the New European Union – US Data Privacy Framework, 7 October 2022: https://www.worldprivacyforum.org/2022/10/white-house-briefing-outtakes-on-the-new-european-union-us-data-privacy-framework/

  • Executive Order 14086 of October 7 2022, Enhancing Safeguards for the United States Signals Intelligence Activities: https://www.federalregister.gov/documents/2022/10/14/2022-22531/enhancing-safeguards-for-united-states-signals-intelligence-activities

  • Fact Sheet: President Biden signs Executive Order to Implement the European Union – U.S. Data Privacy Framework, 07 October 2022. https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/