What the latest GDPR sanctions on Facebook (Meta) could mean to your organization?

Background

The General Data Protection Regulation (GDPR) was adopted in 2016 and took effect on 25 May 2018. Its adoption overlapped with litigation brought by Austrian lawyer Max Schrems against Facebook for violating his privacy rights. Schrems' position was that Facebook's transfer and storage of his personal data in the United States (U.S.) deprived him of the privacy protection he was entitled to under European Union (EU) law. GDPR imposes strict restrictions on the collection, processing and use of the personal data of people in the EU and, through the UK GDPR, the UK. It has global reach because it applies not only to businesses established in the EU and UK but also to any business anywhere in the world that targets (even unintentionally) EU residents or users. GDPR does not require personal data to be stored in the EU, but it does prohibit transferring personal data to countries outside the EU and UK unless a lawful transfer mechanism is in place. The Schrems I ruling (CJEU, 2015) invalidated the EU-US Safe Harbour framework, which until then had allowed personal data to be lawfully transferred from the EU and UK to the United States. Once GDPR went into effect, personal data could only be transferred out of the EU and UK under one of the following mechanisms:

  • Adequacy decision - the European Commission (or, for the UK, the UK government) determines that a third country outside the EU or UK provides an adequate level of data protection, so personal data may flow there without further safeguards.
  • Standard Contractual Clauses (SCCs) - standard, templated contract terms adopted by the European Commission (the UK has its own equivalent) under which the parties commit to appropriate data protection safeguards when personal data is transferred from the EU or UK to a third country without an adequacy decision. SCCs are usually incorporated into Data Processing Agreements (DPAs).
  • Binding Corporate Rules (BCRs) - data protection policies, approved by the supervisory authorities, that a multinational corporate group engaged in joint economic activity adopts so that it can transfer personal data from the EU or UK to group entities in third countries without an adequacy decision.
  • Privacy Shield - the EU-US framework adopted in 2016 to replace Safe Harbour, which gave certified U.S. companies a mechanism to receive personal data from the EU. In July 2020 the Court of Justice of the EU (CJEU), in the Schrems II case, declared Privacy Shield invalid because U.S. surveillance law did not give EU data subjects protection essentially equivalent to that in the EU, again with Facebook as the defendant. The same judgment left SCCs standing, but only on condition that the exporter assesses, case by case, whether the destination country's law undermines the clauses and adds supplementary measures where it does.

Meta's EU operations are at risk

In 2022, the Irish Data Protection Commission (DPC) fined Meta, which owns Facebook, roughly 400 million euros for data processing violations. EU regulators, led by the Irish DPC, are now finalizing a decision to bar Facebook from using SCCs to transfer European personal data to the U.S. because of concerns about U.S. surveillance activities. If that decision stands, Meta will no longer be able to rely on SCCs for transfers to the U.S. and will be left without a lawful transfer mechanism. That could cause Meta further reputational and financial harm if it is forced to shut down its core applications (Instagram, Facebook and WhatsApp) in the EU.

Transferring personal data out of the EU may become a lot more difficult

As noted above, Safe Harbour and Privacy Shield have both been invalidated as transfer mechanisms. The European Commission has been negotiating a replacement framework with the U.S. for years. In February 2023 the European Data Protection Board issued its opinion on the Commission's draft adequacy decision for the EU-US Data Privacy Framework, the intended successor to Privacy Shield. No adoption date has been set, nor is one in sight, so it is prudent to assume it may not happen this year. With the Data Privacy Framework nowhere near finalization, companies unrelated to Meta are left with SCCs (or, for intra-group transfers, BCRs) as their only practical means of transfer.

In my opinion, the validity and availability of SCCs hinge on the final decision on the ban of Meta's use of this mechanism. As always, EU authorities' actions against Meta have far-reaching implications and may well cause SCCs to become unavailable to other businesses caught violating GDPR. I expect the data protection authorities to start doing this if they succeed in setting this precedent with Facebook.

How businesses should prepare

Here is a checklist of items that businesses can work through to prepare:

  • Inventory your personal data: know what you hold and where it is stored;
  • Classify your personal data (customers, employees) and determine whether any of it is sensitive (special category) data;
  • Keep a running list of the vendors, suppliers and processors your company uses to process personal data, and note which of them sit outside the EU and UK;
  • Generate an internal report, or a Record of Processing Activities, that captures the steps above;
  • Secure the personal data you collect and store; the last thing you want is a data breach;
  • Review your customer, marketing and employee privacy notices: make sure users know how their personal data is processed, what rights they have and how to contact your organization (Data Protection Officer or Privacy Officer); and
  • Take a look at the contracts you have with your customers and vendors. In addition to incorporating SCCs, make sure your core agreements contain data protection provisions against misuse and require the other party to support data security.

Privacy is not new, nor is it going away. The enactment of GDPR had a domino effect that sparked the enactment or amendment of privacy laws around the world (Canada, Brazil, China, California). The practices described in this article can be applied universally to support compliance with other privacy laws and frameworks.


More articles by Victorianne Musonza, JD, CIPP, CIPM, CISA, CISSP

