Ireland’s Data Protection Commission has fined Meta €1.2 billion.

What, however, did the commission say in the case about using Art 49 derogations for transfers to the U.S.?

An overview:

  • Derogations are permissible only where they: “first, are ‘provided for by law’, secondly, respect the ‘essence’ of that freedom and, thirdly, respect the principle of proportionality.”
  • Per the CJEU: legislation (like in the U.S.) not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.
  • A derogation cannot become “the rule” in practice
  • Neither the contractual necessity nor the public interest derogation can be relied on to justify the systematic, bulk, repetitive and ongoing transfers to the U.S. comprised within the Data Transfers because it interferes with the essence of a fundamental right; or even if not: it can be for occasional (not bulk) transfers only.
  • It may be possible for reliance to be placed on the consent derogation. You need to disclose: the information that would be provided for ‘normal’ consent, inter alia: (i) that the data will not be subject to equivalent protection to that afforded by Article 7 and Article 8 of the Charter, (ii) that identified laws in the United States interfere with the essence of Article 47 Charter rights with respect to that data, and (iii) of the possible risks of the proposed transfer to the data subject
  • It is unclear how, on a practical level, Meta Ireland could justify all of the Data Transfers based on consent GDPR in the event that it sought to put in place a scheme by which the explicit consent of EU/EEA Users to any proposed transfer of their personal data to the United States was obtained, sufficient to meet the requirements laid down in Article 49(1)(a) GDPR and elsewhere in the GDPR.
  • A single consent by an EU/EEA data subject could not be sufficient to justify any and all future transfers of that user’s personal data to the U.S.

I will discuss the Meta decision further on Thursday, June 1 in a OneTrust webinar titled, EU-US Data Transfers: Breaking Down DPC’s Meta Decision.