International data transfers: €1.2 billion fine should focus the minds of all businesses
Businesses should ensure that any international data transfers are considered carefully, particularly if they process personal data of EU citizens.
As news broke of Meta Platforms Ireland Limited’s (“Meta”) latest setback in relation to its Facebook operations – a record-breaking fine in the sum of €1.2 billion by the Irish Data Protection Commission (“DPC”) together with an order to cease the transfer of Facebook users’ personal data to the US – the potential implications for UK businesses cannot be ignored.
The background to this development in relation to international data transfers stems from the “Schrems II” case, which led the CJEU to declare that the EU-US Privacy Shield was invalid. This decision prompted data exporters to utilise the EU Standard Contractual Clauses (“SCCs”) as an alternative. However, the CJEU had further decided that, in addition to using the SCCs in data sharing arrangements, data exporters should also assess the effectiveness of such SCCs in protecting the personal data (i.e. requiring the parties to consider the laws and practices of the recipient country and how, if at all, they may undermine the effectiveness of the SCCs). Where they do undermine that effectiveness, the relevant supplementary measures should be applied to ensure that essentially equivalent protection (as required by the GDPR) is afforded to the transferred data.
Fast forward a few years, and the DPC is of the view that the supplementary measures Meta applied to its transfers to the US did not go far enough, and that such measures should compensate for any deficiencies in US law – some might say a herculean task given the potential impact of certain US laws relating to government access to personal data. Hence the record fine of €1.2 billion, together with an order to cease transferring personal data to the US (to take effect within five months) and to cease processing EU Facebook users’ personal data in the US (within six months).
Unsurprisingly, such a development will have a major impact upon Meta’s operations and it has announced that it will appeal this decision.
OK, post-Brexit, what does this mean in relation to transfers of personal data from the UK to the US? Well, unfortunately this is unclear at present – Schrems II, on which the DPC based its decision, is still binding on the UK as it was delivered during the Brexit transition period.
Therefore, it is possible that the ICO could follow the same logic as the DPC in relation to the use of SCCs, the UK’s Addendum and/or the UK International Data Transfer Agreement, and enforce in a similar manner. It is hoped that this is unlikely given the ICO’s historical stance. However, given this development, businesses should ensure that any international data transfers are considered carefully beforehand – including, if appropriate, reference to the ICO’s Transfer Risk Assessment Tool (“TRA”) and relevant contractual transfer mechanisms.
This potential data regulator shot across the bows should not be ignored – particularly if you process personal data of EU citizens. Ensure your international data transfer models are compliant and, if appropriate, the TRA is utilised prior to transfer. Repent at leisure.
For further guidance on transferring personal data internationally, contact our expert data protection and GDPR solicitors.