On 22 May 2023, the Irish data protection regulator (DPC) announced that it had issued a record-breaking €1.2 billion fine in a decision relating to non-compliant EU-to-U.S. data transfers under the GDPR. This fine imposed by the DPC substantially overshadows the previous record of €746 million under the GDPR, and raises several concerns for organisations transferring personal data from the EU to the U.S.
Summary of the decision
The DPC’s finalised decision, which incorporates the European Data Protection Board’s (EDPB) binding decision, found that the service provider had carried out data transfers in breach of the GDPR: its use of the standard contractual clauses (SCCs) and supplementary measures did not adequately “compensate for the deficiencies in U.S. law”, and it was not entitled to rely on derogations to effect the transfers. The decision imposed: (i) an administrative fine of €1.2 billion; (ii) an order requiring the service provider to suspend any future transfer of personal data to the U.S. within five months from the date of the decision; and (iii) an order requiring the service provider to cease its unlawful processing, including storage, in the U.S. of personal data of EEA users transferred in violation of the GDPR (i.e. to delete or repatriate such data) within six months.
High standard for data transfers made under the SCCs. The DPC found that the service provider’s use of the SCCs “did not address the risks to the fundamental rights and freedoms of data subjects” arising from a transfer to the U.S. Notably, this was despite the service provider’s implementation of supplementary measures aimed at protecting personal data. The DPC reiterated the EDPB’s position that such supplementary measures “must not merely mitigate” the deficiencies in the law of the importing country, but must ensure that data subjects receive a level of protection “essentially equivalent” to that under EU law.
For organisations, this presents difficulties as it is unclear what supplementary measures would suffice to meet this standard. The DPC noted that while supplementary measures can be adopted based on the level of risk arising from the proposed transfer, a risk-based approach will nevertheless not be applicable where the transfer poses an irremediable interference with EU rights. This indicates a very low risk threshold: the service provider had implemented an extensive series of technical, organisational and legal measures, and yet in the EDPB’s view the service provider had acted with the “highest degree of negligence”.
A large number of data transfers are potentially within scope. The DPC noted that its decision “exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights” when transferring personal data subject to the GDPR to the U.S. This is a very broad scope, as it includes any company that provides users with the ability to send or receive electronic communications. In addition, the SCCs are one of the most commonly used mechanisms for transferring personal data to the U.S., with thousands of organisations relying on such clauses.
This means that most, if not all, organisations that rely on the SCCs to transfer personal data subject to the GDPR to the U.S. may fall within the scope of future enforcement action, unless they can demonstrate that the relevant transfers are sufficiently low-risk not to require supplementary measures at all.
To that end, previous guidance from the EDPB indicates only that transfers outside the scope of FISA may not require supplementary measures. The UK data protection regulator’s transfer guidance is more illustrative and indicates that such low-risk transfers may comprise low-volume transfers of low-risk personal data (such as name, address and age) that is not designated as confidential, does not relate to a child or vulnerable person, and from which special category personal data cannot be inferred, although it is not clear whether other European regulators will follow this approach.
Derogations remain subject to restrictive interpretation. The DPC rejected the service provider’s submissions that it was entitled to rely on derogations in the GDPR to transfer personal data. In particular, the service provider was not entitled to rely on explicit consent, public interest, or contractual necessity as derogations to the general rule to only transfer personal data subject to appropriate safeguards (such as the SCCs).
Although the DPC was open in principle to transfers made on the basis of explicit consent, it required individuals to be informed of (among other things): (i) the lack of EU-level protection over their data; (ii) the identified laws in the U.S. that interfere with EU rights; and (iii) the possible risks of the proposed transfer to the individual. The service provider had not achieved this, and in any event the DPC took the view that a single consent provided by an individual could not justify any and all future transfers of that individual’s personal data to the U.S.
For organisations, it is clear that, in the absence of an adequacy decision, derogations remain exceptions to the general requirement to implement appropriate safeguards for data transfers, and they should not be relied on for systematic and/or repetitive data transfers.
A new era for fines/deterrents? The administrative fine and the order requiring the service provider to cease its unlawful processing were not initially proposed by the DPC, but were only included at the EDPB’s direction. In coming to this decision, certain data protection regulators (in particular the Austrian, French and German regulators) emphasised the importance of the administrative fine’s dissuasive effect. Conversely, a previous decision by the Austrian data protection regulator regarding a service provider’s non-compliant transfer of data to the U.S. did not result in such penalties or orders (see our previous post here).
As the EDPB comprises data protection regulators from across the EU, this position may be indicative of a shift towards a harder line of enforcement. However, it is less clear whether data transfer non-compliance by other organisations will also lead to massive administrative fines. The service provider’s size and the scale of its non-compliant transfers (i.e. personal data, including sensitive personal data, of potentially 255 million individuals was unlawfully transferred over several years) were significant factors in the EDPB’s decision to impose a fine, with several aggravating factors (i.e. the service provider’s degree of responsibility and the financial benefits attributable to the transfers) increasing the quantum of the fine. This means that although enforcement action may be more likely with regard to non-compliant data transfers, the size of the present fine is likely to remain an outlier.
Commercial pressure on the Transatlantic Data Privacy Framework. Organisations that rely on the SCCs to transfer personal data to the U.S. will increasingly be looking towards the upcoming Transatlantic Data Privacy Framework (DPF). Once it is finalised, participating organisations will no longer need to rely on the SCCs to transfer personal data to the U.S., and the European Commission (EC) has stated that the guarantees negotiated with the U.S. government will apply to “all transatlantic data transfers irrespective of the mechanism that is used to facilitate that transfer”. In a comment on this decision, the EC further reiterated that the DPF is still on track to come into force in the summer of 2023.
While the EC’s comments will bring much relief to organisations, concerns regarding the DPF’s durability remain (for more information, see our previous posts here and here), and it is unclear whether the existing form of the DPF will be subject to additional negotiations that may potentially delay or even prevent its implementation.
Although the decision does not change the existing legal framework, nor does it invalidate existing data transfer mechanisms such as the SCCs, it raises fresh scrutiny over EU-U.S. data transfers, and highlights the high bar for compliance required to effect such transfers in the absence of a data transfer framework such as the DPF.
Organisations will undoubtedly be concerned by both the wide net cast by the scope of this decision and the potential to be subject to a significant fine for transfer non-compliance, and may increasingly look towards data localisation solutions, unless the DPF comes into and remains in force.