Irish DPC Meta decision - signalling the end for EU SCCs or transatlantic storm in a teacup?

Like most privacy professionals, I've spent the day speed-reading through all 200+ pages of the DPC's Meta data transfers decision.

I've pulled together below what to me are the most immediately interesting points and takeaways from the decision. Given the speed at which I've produced this, I'll ask you to be gentle with me if you spot any glaring typos or errors in the below. Feel free to add nuance, corrections or context in the comments!


1. The decision impacts both the old and the new SCCs:  

This latest DPC inquiry into Meta's data transfers began in August 2020, i.e. before the European Commission adopted its new SCCs in June 2021. You might therefore have assumed the new SCCs would be out of scope, but not so - the DPC included these within the scope of its decision.

Further, the new SCCs have provisions expressly dealing with government access to personal data at Clauses 14 and 15, among others - but the DPC determined that: "the 2021 SCCs do not implement any new measure(s) directed to (or compensating for) the specific deficiencies in US law as identified by the CJEU in the Judgment" - ultimately concluding that neither the old (2010) nor the new (2021) SCCs "compensate for the [data protection] deficiencies in US law" on their own.

Takeaway: Even if you're on the new SCCs, you're not immune from the fallout from this decision.


2. EO 14086 may offer a glimmer of hope - but not yet:  

The DPC also took aim at EO 14086. This is the Executive Order adopted by US President Joe Biden to lay the groundwork for the EU Commission to adopt the EU-US Data Privacy Framework.  

EO 14086 introduces additional controls and protections for US signals intelligence ("sig-int") - notably requiring (among other things) that sig-int activities must be necessary and proportionate to achieve a validated intelligence priority, establishing some level of independent oversight by way of a Civil Liberties Protection Officer (CLPO), and creating an independent redress mechanism in the form of the Data Protection Review Court.

Critically, while EO 14086 was introduced in anticipation of the EU's approval of the EU-US Data Privacy Framework, EO 14086 is intended to apply to all data transfer mechanisms - including the EU SCCs. However, before it can apply, the US needs to take certain implementation measures, including to designate the EU a "qualifying state" whose citizens are entitled to benefit from EO 14086's protections.  

These implementations have not yet happened and, consequently, the DPC determined that the intended protection that EO 14086 will deliver "is not, in fact, operational" (yet). However, once EO 14086 has been fully implemented - independently of whether the EU-US DPF is also approved - this additional protection may serve to enable lawful transfers to the US again.

Takeaway: EO 14086 may offer future hope if the US can implement its requirements promptly and designate the EU a "qualifying state". These implementations are likely to be necessary before the EU Commission can find the DPF to be adequate (or at least be made a condition of a DPF adequacy finding).


3. There's no amount of "supplementary measures" likely to satisfy the EU DPAs when it comes to US transfers:  

In reaching its decision, the DPC reviewed Meta's Transfer Impact Assessment and supplementary measures - concluding that these did not provide "essential equivalence" for transferred EU data. It's worth noting here the level of comprehensive measures the decision says Meta does have in place - including:

  • organisational measures - such as a Disclosure Policy, Disproportionate Requests Policy, Notification Policy, Data Access Policy, Law Enforcement Guidelines, Facebook Transparency Reports, Data Sharing Policies, and a People Security Policy - in addition to various oversight and notification measures in place between Meta US and Meta Ireland,
  • technical measures - such as a comprehensive Information Security Program, industry standard encryption algorithms and protocols (such as Transport Layer Security and Advanced Encryption Standard), shared infrastructure between Meta US and Meta Ireland, asset management controls, arrangements for the management of Facebook employee mobile devices, the implementation of encryption on Facebook laptops, the deployment of cryptographic protection of passwords and third party security policies, and much, much more, and
  • legal measures - such as enforceable third party rights for data subjects under the SCCs, processes for challenging requests received for disclosure of personal data which Meta US believes to be unlawful, lobbying to change laws and advocating for its users' rights, and transparency reporting.

According to the DPC, though, these are not enough because: "Ultimately, if the US Government makes a request which falls within the scope of Section 702 FISA, Meta US is required to disclose its users' personal data."

This begs the question: if all this is not good enough, can anything ever be? Almost certainly not - meaning the only solution that will suffice here is a political one, not an organisational one.

Takeaway: If you are transferring data to the US, short of encrypting the data in the EU before transfer and ensuring the data importer has no possibility of access to the encryption key, there is little to nothing you can do to satisfy EU regulators that your "supplementary measures" are sufficient.


4. s.702 FISA and PRISM were the main concerns:  

In a particularly interesting point for the more surveillance-nerdy, the DPC focussed its decision on surveillance concerns arising under s.702 FISA and the PRISM program - not UPSTREAM or Executive Order 12333.  

In simple terms, s.702 is the legal basis under which two key US surveillance programs are operated - PRISM (which enables the US government to access data sitting on tech companies' servers) and UPSTREAM (which enables the US government to intercept communications sent over the Internet backbone - i.e. Internet cables, switches and routers). In addition to these programs, EO 12333 authorises the NSA to conduct secret surveillance activities that include tapping into underwater cables to access Internet traffic.

The principal differentiator here is that data access by the US government through UPSTREAM and EO 12333 programs is essentially access to data "in transit" - which companies can protect against through the use of end-to-end encryption ("E2EE") - whereas PRISM enables government access to data "at rest". 

In this case, Meta seems to have argued that its use of E2EE negated risk from UPSTREAM and EO 12333 - seemingly with the result that the DPC did not consider these risks further in its decision and focussed solely on PRISM (although the DPC did reserve its position on UPSTREAM and EO 12333 - saying that, given it had identified a lack of essential equivalence due to PRISM, it did not need to consider UPSTREAM or EO 12333 risks further).  

Takeaway: If you don't already, you must use E2EE going forward to negate UPSTREAM and EO 12333 risk.


5. Risk-based approaches to data transfers thrown out the window?  

The DPC seems to have reinforced the point that the standard expected for data transfers is that exporters must "ensure" essentially equivalent protection for transferred data by "compensating" for any lack of data protection in the recipient country (citing Recital 108 GDPR). Meta had noted that its measures "addressed" and "mitigated" these risks, which the DPC comprehensively rejected as an acceptable standard.  

Takeaway: Don't assume a risk-based approach to data transfers that "mitigates" or "addresses" US surveillance risk will satisfy EU regulators. It won't.


6. Art 49 derogations thrown under the bus?  

In a further interesting twist, Meta indicated that if it was found unable to rely on the SCCs for data transfers, it might instead seek to rely on Article 49 derogations - i.e. the "exceptions" to adequacy or appropriate safeguard requirements. Here, again, it was unlucky. 

The DPC said that while it is possible to rely on derogations to enable data transfers, derogations must not be used for routine transfers of data and must respect the "essence" of the right to data protection (citing Art 52(1) of the EU Charter of Fundamental Rights). The DPC then went on to explain that because there is no effective means of redress for EU citizens subject to surveillance in the US (as required by Art 47 of the Charter), it followed that EU to US transfers - even when made in reliance on derogations - would not respect the "essence" of the right to data protection and so could not be relied upon.

The DPC did suggest that consent might be possible, but only if a data subject is informed: "(i) that the data will not be subject to equivalent protection to that afforded by Article 7 and Article 8 of the Charter, (ii) that identified laws in the United States interfere with the essence of Article 47 Charter rights with respect to that data, and (iii) of the possible risks of the proposed transfer to the data subject". And how many data exporters do that?

Takeaway: If you were thinking that Art 49 derogations could be your "get out of jail free" card for US data transfers, then guess again.


So what now?

The DPC and EDPB have left data exporters very little room for manoeuvre - in this single decision, rejecting:

  • any suggestion that the new SCCs can be sufficient on their own for EU-US transfers,
  • any suggestion that even comprehensive "supplementary measures" to protect data will suffice if, ultimately, the US recipient can still be required to hand over data to the US government (even if rare in practice), and
  • any suggestion that Art 49 derogations may offer a way forward for US data transfers.

The DPC did, however, offer a slight glimmer of hope with respect to EO 14086 - potentially suggesting that, once implemented, it might serve as a basis for (re-)enabling data transfers under the SCCs and providing a path forward to approve the EU-US Data Privacy Framework. 

All eyes will be on the progress made here over the coming months.

Phil Lee

Managing Director, Digiphile

Thanks for the summary. Please note that 1. EU Parliament is not a big fan of EO 14086 https://www.europarl.europa.eu/doceo/document/TA-9-2023-0204_FR.html 2. A solution is still to ask for the consent of the user for data transfers :/

Keith O'Brien

Director, International Privacy @ Vertex | CIPP/E, Privacy Law

Suzanne Dibble LLB CIPP/E

Author of GDPR for Dummies | helped 50k+ small businesses to legally protect themselves | Speaker | Media Commentator

Great summary, Phil, but how will the ICO follow? I suspect they won't take any action whatsoever… what are your thoughts?

David Navetta

Partner @ Cooley LLP | Privacy, Security, Data Law

I'm sure this decision will have a material impact on and improve the privacy of EU data subjects /snark
