Top of the inglorious ranking: On May 12, 2023, the Irish data protection authority imposed a fine of EUR 1.2 billion on Facebook parent company Meta. This set a new European record for data protection fines. Amazon was overtaken and Meta now clearly dominates the top ten European fines with a total of over 2.5 billion euros.
The subject of the allegations was the processing in the form of the transfer of personal data to the USA. As there is still a lack of an “adequate level of protection” in the relationship between the EU and the USA, the Irish Data Protection Commission (DPC) has classified countless processing operations by Meta as unlawful and imposed the fine.
We will explain the background to the decision, current German constellations and the resulting practical relevance for your company.
Initial situation
Most of the global players in the IT sector come from the USA. Despite having European branches, user data is also transferred to the USA and processed there. For processing outside the European Union, the recurring problem is that, under Art. 44 et seq. GDPR, an adequate level of data protection must be guaranteed in the recipient country.
Meta initially relied on the EU Commission’s adequacy decisions based on the “Safe Harbor” and “Privacy Shield” agreements to prove this. Both bilateral agreements were overturned by the ECJ due to inadequate levels of protection. Meta took this as an opportunity to rely on so-called “standard contractual clauses”, which are intended to guarantee an adequate level of data protection between the two companies.
In view of the two “Schrems decisions” of the ECJ, it is problematic that the parties involved are also required to guarantee a secure level of data protection in each individual case. According to various assessments by European authorities, however, this is not currently feasible because of the access rights of US authorities. According to the DPC decision, the additional measures taken by Meta are also not suitable for guaranteeing the European level of protection.
As a result, Meta was ordered to ensure compliance with the requirements of the GDPR and to cease transfers to the USA in this respect. However, Meta was given a deadline of six months to do so.
The DPC’s decision also includes a fine of EUR 1.2 billion. Art. 83 GDPR links the basis of assessment to the total annual turnover achieved worldwide, which explains the enormous amount of the fine. However, Meta has announced that it will seek a judicial review of the decision. It will be years before the ECJ clarifies the matter.
Germany: Telekom is also not allowed to transmit to Google USA
Similar constellations also affect German companies: Verbraucherzentrale NRW recently successfully sued Telekom Deutschland GmbH before the Regional Court of Cologne to stop the transfer of personal data to Google LLC (USA).
Accordingly, consumer data may not be transferred to the USA for analysis and marketing purposes. This affected IP addresses that had been transmitted to the USA with insufficient consent, contrary to the “Schrems II” decision. The company had used the “Google Ads” service. However, the ruling is not yet final and is not binding on other courts.
Nevertheless, other German companies face the threat of similar decisions being made against them.
Practical recommendation: Data processing abroad
It is not without reason that we have frequently raised the issue of the transfer of personal data to the USA in our newsletters:
Almost every company is affected by these decisions. Many IT services run on US servers and are therefore problematic. The fact that the IT service is handled by a European branch of the global player is not always sufficient to justify the transfer.
Data transfers to (unsafe) non-EU countries are illegal according to these recent decisions. The USA, China and Russia are particularly affected. In its latest assessment, the European Data Protection Board (EDPB) comes to the conclusion that data transfer to these countries can hardly be justified. This is because the authorities there have access rights without cause that are not compatible with European data protection law.
This applies to the USA at least until the EU has issued a new adequacy decision and as long as the ECJ does not overturn the corresponding agreement. In any case, an adequacy decision is not expected before the end of the year.
Until then, the safest measure is to refrain from using services that lead to data processing in non-EU countries. Anyone who considers this impracticable for good reasons and trusts in a quick political decision will have to live with a certain risk of warnings and fines in the meantime.
Conclusion
Data transfer to non-EU countries that are insecure under data protection law is still one of the biggest problems between data protection law and IT progress. Currently, processing in countries such as the USA or China appears to be prohibited. As far as possible, the use of such services should therefore be avoided or an expert risk assessment carried out.