A(nother) Roadblock for EU-U.S. Data Transfers – How to Proceed After the Irish DPC’s Decision
Cross-border data transfers have made headline news again as the Irish Data Protection Commission (DPC) issued a record-breaking €1.2 billion GDPR fine for cross-border transfers, while also suspending future transfers of personal information by the company as of five months after the date of the decision.
While it only binds the company in question (Meta), this decision has broader ramifications, because the DPC makes a number of observations to support it that impact every company that transfers personal information from the EU to the U.S., notably with respect to U.S. government surveillance powers. The key question remains: how do we proceed from here? We lay out below how we got here and possible ways forward.
The DPC’s decision (the Decision) is the latest step in what is now a long saga of conflict between EU data protection law and U.S. surveillance powers in which the European Court of Justice (CJEU) and EU data protection authorities (DPAs) have considered the two to be at odds with each other (see our previous Client Alert for more details).
Since the CJEU’s decision in the Schrems II case in 2020, it has been challenging to rely on standard contractual clauses (or any other transfer mechanism) to transfer personal information subject to the GDPR to a controller or processor in a country that the EU regards as lacking adequate privacy protections—including the U.S. Where such transfers are made, companies are required to determine whether there are sufficient safeguards against any residual risks to individuals’ rights that may arise in the destination country and that are not adequately eliminated by the transfer mechanism. The Schrems II decision specifically looked at risks arising from the U.S. government’s surveillance powers under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, which are also the focus of the Decision.
As part of a company’s transfer impact assessment (see our previous Client Alert on the differences between EU and UK approaches to transfer impact assessments), companies are required to implement “supplementary measures” if necessary to ensure that the level of protection applied to personal information is “essentially equivalent” to that provided for by EU law.
In the Decision, the DPC found that it was not enough for a company to “mitigate” the risks posed by the U.S. government’s surveillance powers through supplementary measures; rather, any lack of protection of personal information should be “compensate[d]” for. This led to the DPC holding that the specific supplementary measures used by the company were not enough to make the data transfers to the U.S. lawful. Specifically, the DPC found that encryption in transit could not protect against the surveillance powers available to the U.S. government under Section 702 FISA PRISM (which concerns the collection of information from electronic communications service providers, i.e., at the provider rather than on the wire). The DPC did not make a finding on Executive Order 12333 and the powers that the U.S. government has to intercept data “in transit” (i.e., the collection of information from internet backbones) because the data was encrypted.
The DPC considered whether the derogations set out in Article 49 of the GDPR, which permit restricted transfers in certain situations (such as where individuals provide explicit consent, where the transfer is necessary for important reasons of public interest, or where the transfer is necessary for the performance of a contract between the individual and the controller), would be sufficient. Derogations by definition are an exception to the evaluation regarding the level of protection awarded by the destination country and are thus not subject to the requirement of putting supplementary measures in place. However, the DPC found that derogations must be treated as true exceptions, and that derogations would not be suitable for systematic, bulk, repetitive, or ongoing transfers. The DPC did find that a restricted transfer to a country could take place on the basis of derogations where the “essence” of EU law has not been interfered with, provided that a balancing exercise is undertaken considering the public interests relied upon.
The DPC did leave open the option of obtaining explicit consent from individuals as a potential means of lawfully carrying out the transfer, but also commented that the consent would need to be sufficiently specific in order to meet the GDPR’s requirements, and that a single consent could not suffice to justify all transfers going forward. Specifically, the DPC stated that, in addition to the usual requirements for consent under the GDPR, the consent would need to inform individuals:
The DPC and European Data Protection Board (EDPB) made clear that the scale and duration of the data transfers impact the analysis and so it is possible that transfers of data that are infrequent or intermittent, or proportionately smaller, may be treated differently by the DPAs and the EDPB in the future. The DPC and the EDPB also confirmed that there is room for a risk-based approach in considering the impact of third country legislation, albeit that in the case at hand this was held not to legitimize the transfers.
Although this was not considered in the Decision, collecting personal information directly from the individual will not be considered a transfer under the GDPR, according to the European Data Protection Board in its guidelines on the interplay between Article 3 and Chapter V of the GDPR, even where the personal information is being transferred from the EU to the U.S.
In practice, we do not expect to see businesses stopping their data transfers to the U.S. anytime soon, and the consequences of doing so would be substantial for both European and U.S.-based businesses. The Decision was issued against the backdrop of the negotiations on the EU-U.S. Data Privacy Framework (DPF), which has faced some scrutiny from the European Parliament and the EDPB in recent months. In the Decision, the DPC also took issue with the measures implemented by the U.S. government as part of the DPF under Executive Order 14086 and associated regulations (see our previous Client Alert), stating that the activities or practices of U.S. intelligence agencies cannot be said to have materially changed.
We anticipate that the European Commission will move quickly on the DPF following the Decision. But even when we have a finalized DPF, some questions will remain on how it will impact transfers in practice: for example, whether all transfers to the U.S. will need to be based on the adequacy decision, which requires that receiving entities in the U.S. formally certify under the DPF, or whether transfers made on the basis of other transfer mechanisms—such as standard contractual clauses or binding corporate rules—can also benefit from the DPF.
Unfortunately, the DPF will not be relevant for the analysis of cross-border transfers from the EU to any country other than the U.S., and thus it is difficult to predict how the DPC’s decision will impact such transfers.
In any event, approval and implementation of the DPF seem to be the best next step in finding a way forward for transfers to the U.S. What is clear is that this space will continue to be in a state of flux for some time, and businesses may want to take stock before doing anything drastic.