Meta's data-transfer ban is historic for GDPR, but legal fight will be long and fierce
22 May 2023 09:44 by Sam Clark
It's quite a birthday: The week of the General Data Protection Regulation's fifth anniversary has seen the most consequential enforcement decision so far. Meta Platforms has been told by the Irish data watchdog that its social-media unit Facebook must suspend its transfers of personal data from the EU to the US.
It speaks to the significance of the finding that it overshadows the 1.2 billion-euro ($1.3 billion) fine that comes with it — by far the largest penalty issued so far under the GDPR, well over the previous record of 746 million euros against Amazon in Luxembourg.
And, in a novel and controversial finding, Meta has also been ordered to delete data that it transferred unlawfully from the EU to the US, confirming earlier reporting by MLex.
The decision has been nearly a decade in the making, with multiple outings to the EU’s top court as well as Irish domestic courts — during which time two EU-US data flow deals have been knocked down, while a third has now nearly been put in place.
It also required the input of all EU data protection authorities, going through the GDPR’s “dispute resolution procedure,” the mechanism used when EU data protection authorities can’t agree on a cross-border enforcement decision. In cases such as this, the European Data Protection Board — the grouping of all EU data watchdogs — makes the final decision.
The question at the heart of the case, and the EU-US pacts, is how to protect EU citizens’ data to the same standard outside of the EU as in it. The GDPR would be toothless if its rules don't apply once data leaves the EU’s borders — as it often does, with many of the world’s largest technology and cloud companies based in the US.
Although the case concerns Facebook, it is expected to send a shockwave through the market, because many thousands of companies also transfer data to the US. And the vast majority of those rely on standard contractual clauses (SCC), the legal mechanism that the Irish Data Protection Commission today said Facebook must not use.
For Facebook, the decision will not have an immediate effect. The transfer suspension and data-deletion orders come with five- and six-month grace periods respectively, and Meta has said it will appeal and seek a stay in the Irish courts. In a statement today, Meta's Nick Clegg and chief legal officer Jennifer Newstead described the fine as "unjustified and unnecessary."
"This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US," they said.
That appeal came as no surprise, given the significance of the finding; the firm has said in the past that it might be forced to shut down some of its services in Europe in the absence of a legal way of transferring data to the US, though it has softened that line in recent months.
But, much like the “Schrems II” decision of July 2020, the decision casts serious doubts on whether companies can use SCCs.
Because the new EU-US data flows deal is not yet in place, SCCs are the only viable way that companies can legally transfer data across the Atlantic. And without being able to do that, EU-US commerce could in theory grind to a halt — though experience has shown that companies are likely to continue their transfers, regardless of the legal complexities, because they are simply so essential.
Deadlines and timelines
The decision will, however, pile pressure on the European Commission to approve the EU-US Data Privacy Framework, the third attempt at a deal to allow data to flow freely from the EU to the US without companies needing to rely on SCCs.
The commission is undoubtedly keen to do so, but it has to consider non-binding submissions from the European Data Protection Board and the European Parliament and, most importantly, it also has to wait for US officials to finish setting up a new Data Protection Review Court. That court will give EU citizens a forum in which to complain about how US surveillance authorities process their data, which is the complaint at the heart of this case.
A crucial element of the transfer-suspension and data-deletion orders is that they are about Meta’s legal basis for transfers and storage. The Irish DPC has found that Meta does not have a legal basis for these activities, but if and when it does, it can in theory resume those activities. Notwithstanding appeals and stays, that legal basis will almost certainly be the new EU-US data flow deal.
If the deal comes in before the five- and six-month deadlines are up, Meta is largely in the clear. If not, its application for a stay in the Irish High Court will become crucial, because any appeal it makes does not automatically suspend those orders.
The outcome of the application for a stay is by no means a foregone conclusion, as the bar to persuade the court to stay such an order is high. It would be the first time Meta has sought a stay: it has appealed almost all of the Irish watchdog's enforcement decisions so far, but has nonetheless complied with the orders it was given rather than seeking to suspend them.
The first billion-euro GDPR fine and data-deletion order are no small matters, either. Meta may be inclined to litigate on this point; the Irish watchdog did not want to impose these punishments, but was forced to through the dispute resolution procedure. Meta may argue that the introduction of major new elements to the case at a late stage breached its procedural rights, as it has done in other cases.
Clegg and Newstead indicated in their statement today that they take issue with the procedure. The finding "raises serious questions about a regulatory process that enables the [European Data Protection Board] to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard."
Here, there are signs of the internal discord between regulators that has characterized major Irish Big Tech enforcement.
The Irish regulator said in a statement today that it disagreed with other regulators on whether to impose a fine and data-deletion order, "reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being 'appropriate, proportionate and necessary.'" It was ultimately overruled, however.
Five years after the GDPR came into force and two days before a new chair takes the reins of the European Data Protection Board — the most senior EU data protection regulator — this is the most keenly awaited enforcement so far, with a price tag that amounts to about a third of all GDPR fines until now.
Whatever the final outcome of the case, today marks an inflection point for EU, and by extension, global data protection.