Miscellaneous

Interesting Data Privacy Case – Transfers of Personal Data, the EU versus the US.

Meta has been fined a record €1.2bn by the Irish Data Protection Commission for not complying with the EU’s General Data Protection Regulation (GDPR) when transferring personal data of European Facebook users to the US. The Irish Regulator holds that Meta failed to provide sufficient protection of these data from Washington’s data surveillance practices. Meta was furthermore told not to transfer European users’ data to the US in future. The case is very interesting insofar as the Irish argument rests on Meta’s use of a legal instrument known as standard contractual clauses (SCCs) to move data to the US, which according to the Irish judgement, does “not address the risks to the fundamental rights and freedoms” of Facebook’s European users.

SCCs were developed by the International Chamber of Commerce in the 2000s as a way to assist companies to transfer the personal data they collect in the EU to no-EU countries. Your author was in fact one of the drafters of the SCC at the time. However, in 2020 the European Court of Justice ruled against an EU-US data flows agreement known as the Privacy Shield over fears of US intelligence services’ surveillance practices. In the same judgment, the EU court also tightened requirements to use SCCs. The Irish case seems to throw out any future use of SCCs. The question is whether this is simply an EU/US issue or if SCCs in general have passed their useful date? Personally, I feel that SCCs remain a very useful tool for transferring personal data within Africa, for example. It would be, in my humble opinion, a shame to throw out the baby with the bathwater.