It is almost impossible to do business today without processing and sharing personal data with other companies. Transferring data to a web analytics provider, uploading information to cloud storage or using a CRM system all amount to personal data processing by a third party. And whether you are a controller, processor, sub-processor or joint controller, you must enter into a data processing agreement with the party involved in the processing of the personal data. This task is considerably more complicated if personal data are transferred from within the European Union (EU) to a country outside it, and in particular to the United States of America (USA).

Below, REVERA lawyers describe why this problem has arisen now, what rules on cross-border transfers the EU General Data Protection Regulation (GDPR) sets out, and what to expect from regulation in the near future.

Record fine for GDPR breaches: who became a record-breaker and why?

On the eve of the five-year anniversary of GDPR's entry into force, the highest-ever fine of €1.2 billion was imposed on a major personal data controller, Meta. The fine was imposed for violating the rules on the cross-border transfer of personal data into the US. Moreover, the supervisory authority required Meta to suspend future transfers of personal data to the US within five months and to bring its processing operations, in particular personal data transfer operations, into compliance with GDPR requirements. 

What rules does the GDPR set out in relation to cross-border transfers?

The transfer of personal data outside the EU may proceed unhindered only if the European Commission has determined that the destination state provides an adequate level of personal data protection. The list of such states includes, for example, Switzerland, Israel, Korea and Japan.

Where a controller intends to transfer personal data to the territory of a foreign state which is not included in the specified list, the GDPR (Article 46) provides the following rule:

In the absence of an adequacy decision, the controller or processor may transfer personal data to a third country only if the controller or processor provides appropriate safeguards and provided that enforceable rights and effective remedies are available to the data subjects.

Standard Contractual Clauses (SCC), developed and adopted by the European Commission, have traditionally been used as such safeguards.

Important background

Previously, there was an agreement between the EU and the US on the transfer of personal data known as the Privacy Shield. This agreement was used as the basis for cross-border transfers, and under it the US was considered to provide an adequate level of protection for personal data.

However, following the European Court of Justice ruling in 2020, Privacy Shield was invalidated because of concerns about the access of US intelligence agencies to the personal data of EU citizens. After Privacy Shield was struck down, all actors involved in processing personal data and transferring it to the US began to rely on the SCC as the basis for cross-border transfers.

However, it is worth noting that in the same judgment the European Court of Justice also tightened the requirements for the use of the SCC. With regard to the assessment of safeguards for data subjects under Article 46 of the GDPR, the Court pointed out:

To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.

Thus, following the European Court of Justice's 2020 judgment, when using the SCC as the basis for a cross-border transfer, not only the provisions of the clauses themselves (SCC) had to be considered, but also the level of personal data protection in the state to which the data are transferred had to be assessed. This assessment is known as the Data Transfer Impact Assessment, and its rules were established in recommendations of the main EU supervisory body for personal data protection, the EDPB. The same recommendations set out additional measures that companies could use to compensate for inadequate levels of personal data protection.

What obligation under the GDPR has Meta breached?

Meta invoked the SCC together with additional measures as the basis for the cross-border transfer. However, US domestic regulation on the protection of data subjects' personal data at that time led to the conclusion that this approach was not fully consistent with the level of protection afforded within the EU, and that it was not possible to compensate for this inconsistency with additional measures.

In fact, after the decision of the European Court of Justice, the only way under the current regulation to remain "data protection compliant" was to move the servers storing the personal data of EU users directly into EU territory, so as to exclude the cross-border transfer altogether. Meta did not do this and, from 2020 onwards, continued to transfer personal data to the US, relying on the SCC and additional protection measures.

As a result, in May 2023, the Irish regulatory authority (DPC) concluded that Meta was in breach of Article 46 of the GDPR and had been unlawfully transferring personal data across borders since 2020.

What other findings did the DPC make and how will they affect business?

In addition to deciding that Meta was in breach of the cross-border data transfer requirements, the supervisory authority reached the following conclusions:

  1. US law does not provide a level of protection equivalent to that provided by EU law;
  2. the SCC cannot compensate for the insufficient protection afforded by US law;
  3. Meta has no additional measures that compensate for the insufficient protection afforded by US law;
  4. Meta cannot rely on the derogations under Article 49(1) GDPR, or any of them, for the cross-border transfer of personal data.

Points two and four are particularly noteworthy, and less expected than the others, because on one reading they lead to the conclusion that the SCC, even combined with the additional protections Meta adopted following the European Court of Justice's 2020 judgment, do not meet the GDPR standard of substantive equivalence.

For companies, such a conclusion could mean that personal data cannot be transferred across borders into the US at all, whatever additional protections a company may have put in place.

How will the decision on Meta affect the rest of the business and what to expect in regulation?

To date, there is no official interpretation of the regulator's findings, and the question of whether they will affect other controllers remains unresolved. However, for several years now the EU and the US have been working on a new agreement on the transfer of personal data to the US, which would effectively replace Privacy Shield and serve as the basis for cross-border transfers.

It is expected to be concluded between July and October 2023 and should resolve the current problems in regulating cross-border data transfers from the EU to the US.
