In May 2023 Meta, the company that owns Facebook, was fined €1.2 billion by Ireland’s Data Protection Commission (DPC) for mishandling people’s data when transferring it from Europe to the United States. It is the largest fine issued under the GDPR to date.
You might be thinking, ‘why do UK businesses have to worry about a dispute between an Irish regulator and a US company?’
Good question. Let’s get into it.
Why has Meta been fined?
The General Data Protection Regulation (GDPR) is an EU law that sets out the rules on collecting and processing the personal data of people in the EU. Post-Brexit, the UK has put in place its own version of this law, called UK GDPR. The UK version is broadly the same as the EU version, and its rules on international transfers (Articles 44 to 49) mirror the EU ones.
Companies often use something called ‘standard contractual clauses’ (SCCs) to move personal data from the EU to the US in a way that complies with GDPR. SCCs are a set of contract terms, approved by the European Commission, in which the receiving organisation promises to protect the data to EU standards. Companies rely on them to justify transferring, for example, email addresses, financial information, phone numbers and other information from which individuals can be identified.
The DPC found that, because US surveillance law still allowed US authorities to access the data, Meta’s SCCs (and the supplementary measures it had added to them) did not give EU users the level of protection the GDPR requires. In other words, the contract was not enough when the law of the destination country could override it.
Meta’s security saga
Meta does not have a good reputation when it comes to protecting personal data. The DPC fine is the latest blow.
Here is a timeline of the key events so far:
- In 2013, Edward Snowden disclosed that US authorities were accessing personal information held by companies such as Facebook and Google.
- In 2015, the Court of Justice of the European Union (CJEU) agreed with a claim from Max Schrems, an Austrian privacy campaigner. He challenged the adequacy of the Safe Harbour Framework (SHF), which was the mechanism Facebook used at that time to protect data it transferred to the US, arguing that the US government was able to get around it. The court invalidated Safe Harbour, which led to the creation of its replacement, the Privacy Shield Framework (PSF), a data-sharing agreement between the EU and US.
- In 2020, Schrems brought an updated case to the CJEU (commonly called ‘Schrems II’). He argued that the PSF also did not provide enough protection. The court agreed and invalidated the PSF. The CJEU did not ban SCCs outright. Instead, it ruled that an exporter relying on SCCs must assess, case by case, whether the law of the destination country allows the clauses to be honoured in practice, and must add supplementary measures or stop the transfer if it does not.
- After the second Schrems decision, companies that had relied on Privacy Shield moved to SCCs instead. Meta continued transferring EU users’ data to the US under SCCs, and whether those SCCs were enough after Schrems II is at the crux of its record fine.
Next steps for UK companies
In a post-Brexit world, the UK does not have to follow the CJEU’s rulings. Similarly, it is not subject to the oversight of Ireland’s DPC. However, UK GDPR contains the same transfer rules, the Information Commissioner’s Office (ICO) takes the same basic approach, and these regulators might be on to something. A signal has been sent. Shots have been fired.
UK companies would be wise to be wary when sending personal data to the US and to act with due diligence. In practice, that means following the same steps EU regulators expect of EU exporters. They should:
- map all personal data transfers to third countries, so they know what is being sent where, and confirm that the data will receive an essentially equivalent level of protection at its destination.
- verify the transfer tool being used. If the third country has not been deemed adequate, they can rely on the transfer mechanisms in Article 46 (such as SCCs or, in the UK, the ICO’s International Data Transfer Agreement) or on the derogations in Article 49, but the Article 49 derogations are for specific, occasional situations and must be assessed case by case rather than used as a routine basis for transfers.
- examine the relevant legislation and practices in the third country (for the US, in particular the surveillance laws at issue in Schrems II) to check whether the chosen transfer tool is effective in practice and, if there are issues, suspend the transfer or implement supplementary measures.
- identify and adopt supplementary measures, whether technical (for example, encryption where the keys are held only in the UK or EU), contractual or organisational, to bring the level of protection in line with UK and EU standards if the assessment reveals any deficiencies.
- continuously assess the level of protection and re-evaluate whenever there are developments, such as new legislation or court decisions, that may affect the transfer.
- follow formal procedures such as conducting and documenting a transfer risk assessment, and seek guidance from the supervisory authority if necessary. The ICO, which is the UK’s supervisory authority, has published an International Data Transfer Agreement (IDTA) template, and an addendum that can be attached to the EU SCCs, which UK companies may use.
Our team is on hand to help – contact us if you need support.