DPC - Décision n° IN-20-8-1 du 12 mai 2023 concernant la société META PLATFORMS IRELAND LIMITED

In the matter of the General Data Protection Regulation

DPC Inquiry Reference: IN-20-8-1

In the matter of Meta Platforms Ireland Limited (previously known as Facebook Ireland Limited)

Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation

Further to an own-volition inquiry under Section 110 of the Data Protection Act 2018

DECISION

Decision-Maker for the Commission: Helen Dixon, Commissioner for Data Protection

Dated the 12th day of May 2023

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland

LIST OF ABBREVIATIONS

The following abbreviations appear in this Decision:

Abbreviation: Used to Denote:

the 2018 Act: The Data Protection Act, 2018

The Article 60 Process: The cooperation procedure set out in Article 60 GDPR

The Article 65 Decision: The EDPB Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR), adopted 13 April 2023

The Article 65 Submissions: Meta Ireland’s submissions, dated 2 November 2022, on the material that the DPC proposed to put before the EDPB for the purpose of the Article 65 Process

the Board: The European Data Protection Board

the Charter: Charter of Fundamental Rights of the European Union

the CJEU: Court of Justice of the European Union

the DPC: Data Protection Commission (previously the Data Protection Commissioner prior to the entry into application of the Data Protection Act, 2018)

the Commissioner: Data Protection Commissioner established pursuant to the Data Protection Acts, 1988–2003

the Complaint: Complaint filed by Mr Maximillian Schrems on 25 June 2013 as reformulated and resubmitted on 1 December 2015, and as re- scoped in the context of the settlement of the judicial review proceedings referenced at paragraph 2.45 below.

the CSAs: the supervisory authorities concerned, as defined by Article 4(22) GDPR

the Data Policy: Meta Ireland’s Data Policy (available at: https://www.facebook.com/policy.php)

the Data Transfers: EU-US transfers of personal data relating to Users, made between Meta Ireland and Meta US

the Directive: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

the Draft Decision: the draft version of this decision that was circulated to the CSAs for their views, in accordance with Article 60(3) GDPR

2015 DTPA: Meta US’s Data Transfer and Processing Agreement, dated 20 November 2015

2018 DTPA: Meta US’s Data Transfer and Processing Agreement, dated 25 May 2018

2021 DTPA: Meta US’s Data Transfer and Processing Agreement, dated 27 August 2021

the EDPB: The European Data Protection Board

EO 12333: Executive Order 12333

The Final Submissions: Meta Ireland’s submissions dated 8 May 2023 in relation to any matters in relation to which the DPC was required to make a final determination or, otherwise, exercise its own discretion, arising from the Article 65 Decision.

FISA: Foreign Intelligence Surveillance Act, 1978

FISC: Foreign Intelligence Surveillance Court

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

the High Court Judgment: Judgment of the High Court delivered on 3 October 2017 (slightly revised 12 April 2018) ([2017] IEHC 545)

the High Court Proceedings: Proceedings commenced by way of plenary summons on 31 May 2016 under High Court Record No. 2016/4809 P

the Inquiry: The inquiry commenced by the Preliminary Draft Decision pursuant to Section 110 of the 2018 Act

the Judgment: Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems EU:C:2020:559

the Judicial Review: The application for judicial review brought by Meta Ireland in respect of the PDD, issued on 10 September 2020 (Record No: 2020/617 JR)

Meta Ireland: Meta Platforms Ireland Limited (formerly Facebook Ireland Limited)

Meta US: Meta Platforms, Inc. (formerly Facebook, Inc.)

NSA: US National Security Agency

the PDD: The Preliminary Draft Decision delivered by the DPC herein on 28 August 2020

PPD-28: Presidential Policy Direction-28

the Prior Draft Decision: A draft decision issued by the DPC on 24 May 2016, prior to the commencement of the High Court Proceedings

Privacy Shield Decision: Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46 on the adequacy of the protection provided by the EU-US Privacy Shield ([2016] OJ L207/1)

the RPDD: The Revised Preliminary Draft Decision delivered by the DPC herein on 21 February 2022

Safe Harbour Decision: Decision 520/2000/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441)

SCCs: Standard contractual clauses

the 2010 SCCs: Standard contractual clauses contained in the Annex to Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 ([2010] OJ 2010 L39/5), (subsequently amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 ([2016] OJ L344/100)) the 2010 SCC Decision Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 ([2010] OJ 2010 L39/5), (subsequently amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 ([2016] OJ L344/100))

the 2021 SCCs: The standard contractual clauses contained in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council

the 2021 SCC Decision: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council

the SRR Meta: US’s Statement of Rights and Responsibilities (available at: https://www.facebook.com/legal/terms/previous

the Transparency Report: Meta US’s Transparency Report (available at: https://transparency.fb.com/data/government-data-requests/country/US/ )

TIA: Transfers Impact Assessment (Version 3.0) dated 31 August 2021 prepared by or on behalf of Meta Ireland and Meta US under and in accordance with Clause 14 of the 2021 SCCs.

US: The United States of America

USG: United States Government

Users: Individuals who are in the European Union/ European Economic Area who visit, access, use or otherwise interact with products and services provided by Meta Ireland, each of whom is a “data subject” for the purposes of Article 4(1) GDPR to the extent that their personal data is processed by Meta Ireland

Preliminary Matters

Change of Name, Facebook Ireland Limited and Facebook, Inc.

1.1 On 11 January 2022, the DPC was notified that, effective from 5 January 2022, Facebook Ireland Limited, being the Respondent to the within inquiry, had changed its name to Meta Platforms Ireland Limited (“Meta Ireland”). In the circumstances, and for ease of reference, this decision refers to the Data Controller as “Meta Ireland” rather than Facebook Ireland Limited or FB-I, even where, at the relevant point in time, the Respondent’s name was Facebook Ireland Limited. That is to say, references to “Meta Ireland” are to be taken to mean Facebook Ireland Limited where the context or timing of the matters to which reference is made so requires.

1.2 Facebook, Inc., being Meta Ireland’s ultimate parent company and the recipient and/or importer of the personal data the subject of the data transfers under examination in the within inquiry, likewise changed its name, to Meta Platforms, Inc. Throughout this decision, I refer to this particular entity as “Meta US”. In the circumstances, references to “Meta US” are to be taken to mean Facebook, Inc. where the context or timing of the matters to which reference is made so requires.

Purpose of this Document

1.3 This document is a decision (“Decision”) of the Data Protection Commission (“the DPC”), delivered in the context of an own-volition inquiry (“the Inquiry”), commenced by the DPC pursuant to Section 110 of the Data Protection Act, 2018 (“the 2018 Act”) to consider the following two issues:

(1) Whether Meta Ireland is acting lawfully, and in particular, compatibly with Article 46(1) GDPR, in making transfers (“the Data Transfers”) of personal data relating to individuals who are in the European Union/ European Economic Area who visit, access, use or otherwise interact with products and services provided by Meta Ireland, each of whom is a “data subject” for the purposes of Article 4(1) GDPR (“Users”) to Meta US pursuant to standard contractual clauses (“the 2010 SCCs”) based on the clauses set out in the Annex to Commission Decision 2010/87/EU^[1] (“the 2010 SCC Decision”), following the judgment of the Court of Justice of the European Union (“the CJEU”), delivered on 16 July 2020, in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems EU:C:2020:559 (“the Judgment”); and

(2) Whether and/or which corrective power should be exercised by the DPC pursuant to Article 58(2) GDPR in the event that the conclusion is reached that Meta Ireland is acting unlawfully and infringing Article 46(1) GDPR.

1.4 It should be noted that, subsequent to the commencement of the inquiry, the 2010 SCC Decision was repealed by the 2021 SCC Decision, whereupon the 2010 SCCs were replaced by the 2021 SCCs. As will be apparent from the terms of this Decision, the DPC’s analysis herein has regard to both the 2010 SCCs and the 2021 SCCs. It also has regard to the 2021 DTPA, being an agreement entered into between Meta Ireland and Meta US, grounding the Data Transfers on the 2021 SCCs in place of the 2010 SCCs with effect from 31 August 2021.

Progression of the decision-making process

1.5 In circumstances where the processing under examination by way of the within inquiry constitutes “cross-border processing” for the purpose of Article 4(23) GDPR, the DPC was required, by Article 56(1) GDPR, to conclude this Decision in accordance with the procedure set out in Article 60 GDPR (“the Article 60 Process”). The Article 60 Process provides for a cooperation procedure, the purpose of which is to facilitate the conclusion of decisions on the basis of consensus between the lead supervisory authority (“the LSA”) (in this case, the DPC) and any supervisory authorities concerned (as defined by Article 4(22) GDPR) (“the CSAs”). The Article 60 Process enables the CSAs to share their views with the LSA, including by way of a “relevant and reasoned objection”. Where such an objection is raised to the LSA’s draft decision during the Article 60 consultation period, the LSA must, if it does not “follow” the objection or is of the opinion that it is not relevant and reasoned, submit the matter to the European Data Protection Board (the “Board” or, otherwise, the “EDPB”) for determination pursuant to the Article 65 GDPR dispute resolution process.

1.6 During the course of the within Inquiry, a preliminary draft decision (“the PDD”), and subsequently a revised preliminary draft decision (“the RPDD”) were provided to Meta Ireland, Mr. Maximilian Schrems (“Mr. Schrems”) and the Government of the United States of America (“the USG”) for the purpose of allowing them to make submissions in relation to my provisional findings. The DPC considered the submissions so made and, where necessary, made amendments to take account of these prior to the finalisation of a draft decision which was circulated to the CSAs, for the purpose of the Article 60 Process, on 6 July 2022 (“the Draft Decision”).

1.7 The cross-border processing under examination was such that all other EU/EEA supervisory authorities (“SAs”, each one being an “SA”) were engaged as CSAs for the purpose of the Article 60 Process. Following the circulation of the Draft Decision to the CSAs for the purpose of enabling them to express their views, in accordance with Article 60(3) GDPR, objections were raised by the SAs of Austria, France, Hamburg (acting on behalf of all German SAs) and Spain. A number of comments were also exchanged by various CSAs.

1.8 Having considered the matters raised, the DPC, by way of a composite response memorandum dated 28 September 2022, set out its responses to the various objections and comments. Ultimately, it was not possible to reach consensus with the CSAs on the subject-matter of the objections and, accordingly, the DPC determined that it would not follow them and/or that they were not relevant and reasoned. In the circumstances, the DPC referred the objections to the EDPB for determination pursuant to the Article 65(1)(a) dispute resolution mechanism. In advance of doing so, the DPC invited Meta Ireland to exercise its right to be heard in relation the matters to be determined by the EDPB. Meta Ireland exercised its right to be heard by way of its submissions dated 2 November 2022 (“the Article 65 Submissions”).

1.9 The EDPB determined the merits of the objections that were referred to it by way of a decision that it adopted on 13 April 2023. The EDPB notified its decision to the DPC all other CSAs on the same date. Further to Article 65(2) GDPR, the EDPB’s decision is binding upon the DPC and all CSAs. Article 65(6) GDPR required the DPC to adopt its final decision “on the basis of” the EDPB’s decision within one month after notification of the EDPB’s decision. As part of the finalisation process, Meta Ireland was invited to exercise its right to be heard in relation to any matters in relation to which the DPC was required to make a final determination or, otherwise, exercise its own discretion. Meta Ireland exercised its right to be heard by way of its submissions furnished under cover of letter dated 8 May 2023 (“the Final Submissions”), which have been taken into account in this Decision.

1.10 Accordingly, this Decision further reflects the binding decision that was adopted by the EDPB on 13 April 2023 pursuant to Article 65(2) GDPR^[2] (“the Article 65 Decision”), which directed that changes be made to certain of the positions reflected in the Draft Decision, as detailed further below. The Article 65 Decision will be published on the website of the Board, in accordance with Article 65(5) GDPR, and a copy of same is attached as the Schedule to this Decision.

Context of the Decision

1.11 Whilst issued in the context of the Inquiry, the Decision addresses issues arising in the context of the Judgment, and more particularly, in the context of the lengthy proceedings leading to the Judgment, which were commenced in the High Court on 31 May 2016 (“the High Court Proceedings”), and in which multiple parties participated, voluminous factual and expert evidence was adduced, and extensive legal submissions were made. Reference is also made in this connection to a judicial review application^[3] issued by Meta Ireland (“the Judicial Review”) challenging a Preliminary Draft Decision delivered by the DPC on 28 August 2020 (“the PDD”).

Scope of the Inquiry

1.12 On 2 July 2021, Meta Ireland made certain observations in its written response to the PDD (“the Response to the PDD”) regarding the scope of the Inquiry.^[4]

1.13 For the avoidance of doubt, the DPC reiterates that Meta Ireland is correct in its understanding of the scope of the Inquiry. As such, it is correct that:

(1) the Inquiry, and this Decision, relate to the Facebook Service only (as defined by Meta Ireland in the Response to the PDD);

(2) the geographical scope of the Inquiry is limited to Users of the Facebook Service in the EU/EEA;

(3) the substantive scope of the Inquiry relates to transfers pursuant to the 2010 SCC Decision and 2010 SCCs, and to transfers now taking place pursuant to the 2021 SCC Decision and the 2021 SCCs.

Summary

1.14 For the reasons set out below, and having carefully considered the submissions made by Meta Ireland, Mr. Schrems and the USG, respectively, in response to the PDD, and in response to the Revised Preliminary Draft Decision of 21 February 2022 (“the RPDD”), it is my view that, given the findings of the CJEU in the Judgment and all of the circumstances of which the DPC is aware:

(1) The Data Transfers are made in circumstances which fail to guarantee a level of protection to data subjects that is essentially equivalent to that provided by EU law, and in particular, by the GDPR read in light of the Charter of Fundamental Rights of the European Union (“the Charter”), and, accordingly, in making the Data Transfers, Meta Ireland is infringing Article 46(1) GDPR;

(2) Meta Ireland is not entitled to rely on any derogation under Article 49(1) GDPR in respect of the Data Transfers;

(3) It is both necessary and appropriate that I would order that the Data Transfers be suspended, pursuant to the DPC’s powers under Article 58(2)(j) GDPR;

(4) Further to the determination of the EDPB set out at paragraph 267 of the Article 65 Decision, and as detailed further at Section 9 below, I will also, by way of this Decision, order Meta Ireland to bring its processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR; and

(5) Further to the determination of the EDPB set out at paragraph 142 of the Article 65 Decision, and detailed further at Section 9 below, I will also, by way of this Decision, impose an administrative fine in the amount of €1.2 billion on Meta Ireland in respect of the finding of infringement of Article 46(1) GDPR.

Sources

1.15 In formulating the views expressed in this Decision, and in making the findings contained herein, I have had regard to a range of material.

The Judgment

1.16 I have paid careful and close attention to the findings in the Judgment, which are binding on the DPC.

Submissions in response to the PDD

1.17 I have also paid careful and close attention to (i) the lengthy and detailed submissions made by Meta Ireland in its Response to the PDD; and (ii) its supplemental submissions dated 1 September 2021 and 20 September 2021 (together referred to as “the Supplemental Response to the PDD”), as well as the multiple Annexures accompanying same.

1.18 The Annexures to the Response to the PDD comprise the following:

(1) Transfer Impact Assessment Summary;

(2) Factors Assessment;

(3) Meta Ireland’s Essential Equivalence Assessment of US Laws and Practice version 3.0 (draft);

(4) Meta Ireland’s Record of Safeguards, including supplementary measures, version 3.0 (draft);

(5) Meta Ireland’s Data Transfers Report dated 2 July 2021;

(6) Expert report of Professor Goldfarb dated 2 July 2021;

(7) Expert opinion of Geoffrey Robertson QC dated 2 July 2021;

(8) Relevant extracts from:

(a) Judicial Review, Statement of Opposition

(b) Judicial Review, Meta Ireland Replying Affidavit

(c) Judicial Review, DPC Replying Affidavit

(d) Judicial Review, DPC Response

(e) Judicial Review, Judgment

(9) Data Transfer and Processing Agreement between Meta Ireland and Meta US;

(10) US Government White Paper;

(11) Letter from the ICO to the SEC dated 11 September 2020;

(12) DPC letter to the LIBE Committee dated 9 February 2021;

(13) DPC letter to the LIBE Committee dated 12 March 2021;

(14) Deloitte Report;

(15) Copenhagen Report;

(16) SMB Surveys;

(17) May 2021 Transparency Update;

(18) November 2020 Transparency Update;

(19) Transfers Blog Post;

(20) Government Requests and Transfers FAQs;

(21) Kearney Report;

(22) Analysis Group Report.

1.19 The Annexures to the Supplemental Response to the PDD comprise:

(1) Data Transfer and Processing Agreement dated 31 August 2021;

(2) Redacted version of the Data Transfer and Processing Agreement dated 31 August 2021;

(3) Transfer Impact Assessment Summary (version 3.0);

(4) Factors Assessment (version 3.0);

(5) Equivalence Assessment (version 3.0);

(6) Record of Safeguards (version 3.0); and

(7) Modified Record of Safeguards identifying information requested by the DPC.

1.20 I have also had regard to the submissions filed by Mr. Schrems in response to the PDD, dated 15 August 2021 (“Schrems’ Submissions on the PDD”) and the submissions of the USG, likewise directed to the PDD, dated 20 September 2021.

1.21 I have also had regard to the expert report entitled ‘Technical Report on Why EU-US Transfers Are Necessary to Provide the Facebook Service; Expert Report of Jason Nieh’ dated 24 September 2021 which was submitted by Meta Ireland as part of its reply to Schrems’ Submissions on the PDD, received by the DPC on 24 September 2021. The full set of documents submitted by Meta Ireland along with its reply to the Schrems’ Submissions on the PDD comprised the following:

(1) Annex 1 - Supplemental FIL Data Transfers Report;

(2) Annex 2 - Expert Report of Jason Nieh - September 24 2021;

(3) Appendix 1 - CV of Professor Jason Nieh;

(4) Appendix 2 - Shalita 2016 _ Social Hash an Assignment Framework for Optimizing Distributed Systems Operations on Social Networks;

(5) Appendix 3 - Bronson 2013_TAO Facebooks Distributed Data Store for the Social Graph;

(6) Appendix 4 - Shi 2020_FlightTracker Consistency across Read-Optimized Online Stores at Facebook;

(7) Appendix 5 - Large-scale graph partitioning with Apache Giraph - Facebook Engineering; and

(8) Appendix 6 - Annamalai 2018 _ Sharding the Shards Managing Datastore Locality at Scale with Akkio.

Submissions in response to the RPDD

1.22 I have also paid careful and close attention to the following submissions made by each of Mr Schrems, the USG, and Meta Ireland in response to the RPDD:

(1) Mr Schrems’ submissions in response to the RPDD, received on 21 March 2022 (“Schrems’ Submissions on the RPDD”);

(2) The USG’s submissions in response to the RPDD, received on 4 April 2022 (“the USG’s Response to the RPDD”); and,

(3) Meta Ireland’s submissions in response to the RPDD, received on 29 April 2022 (“the Response to the RPDD”).

1.23 I have additionally taken account, when finalising this Decision, of the determinations made by the EDPB in the Article 65 Decision as well as Meta Ireland’s Article 65 Submissions and Final Submissions.

Section 111 of the 2018 Act

1.24 I note that Meta Ireland refers to Section 111 of the 2018 Act and asserts that a decision “can only be reached on the basis of ‘information obtained in the inquiry’”.^[5] As will be apparent from the contents of this Decision, I can confirm that, in terms of factual information, I have had regard only to factual information advanced by Meta Ireland in the Response to the PDD, the Supplemental Response to the PDD, the Response to the RPD, the Article 65 Submissions and the Final Submissions. Insofar as reference is made to any factual information not derived from the Inquiry, any such information does not appear to be in dispute. However, for the avoidance of doubt, I do not read Section 111 of the 2018 Act as precluding the DPC from having regard to the jurisprudence of the CJEU. Nor indeed could it so preclude the DPC.

Structure

1.25 In this Decision, I address the following in turn:

(1) A summary of the factual and procedural background to the Judgment;

(2) The functions and powers of the DPC relevant to the Inquiry;

(3) The DPC’s position as the lead supervisory authority;

(4) The legal provisions regulating the Data Transfers;

(5) The current factual position regarding the Data Transfers;

(6) My findings on the question as to whether or not the Data Transfers give rise to one or more infringements of relevant provisions of the GDPR;

(7) My findings on whether Meta Ireland is entitled to rely on any of the derogations provided for by Article 49 GDPR; and

(8) My findings on whether and which corrective powers should be exercised.

2.1 The factual and procedural background to the Judgment is complex and lengthy and will only be summarised here.

EU-US Data Transfers

2.2 On 26 July 2000, the European Commission adopted Decision 520/2000/EC (“the Safe Harbour Decision”),^[6] establishing the so-called “safe harbour” arrangements for EU-US data transfers.

2.3 While the Safe Harbour Decision did not recognise the US as a third country which ensured “an adequate level of protection” for the purposes of Article 25(6) of Directive 95/46/EC (“the Directive”),^[7] it nonetheless provided that EU-US transfers were permissible under its terms, provided the entity to whom the data was being transferred self-certified that it complied with: the safe harbour privacy principles; and a set of “frequently asked questions”, both published by the US Department of Commerce and incorporated into the Safe Harbour Decision at Annexes 1 and 2 thereof.

2.4 Over time, the safe harbour arrangements became the primary mechanism by which data controllers established in the EU sought to legitimise data transfers to the US.

Snowden Document Disclosure

2.5 In June 2013, Edward Snowden, a contractor engaged through a third party to undertake work for the US National Security Agency (“NSA”), disclosed documents revealing the existence of one or more programmes operated by the NSA under which internet and telecommunications systems operated by some of the world’s largest technology companies, including, by way of example, Microsoft, Apple, Meta US, and others, were the subject of surveillance programmes.

The Complaint

2.6 On 25 June 2013, Mr Schrems filed the Complaint with the Data Protection Commissioner (“the Commissioner”). In essence, the Complaint contended that, in light of the Snowden document disclosure, the transfer of personal data relating to (Meta US’s European Users) by Meta Ireland to its US parent, Meta US, was unlawful under both national and EU data protection law. In practical terms, the Complaint sought to mount a full-frontal challenge to the Safe Harbour Decision.

2.7 On receipt of the Complaint, the (then) Commissioner took the view that, in circumstances in which the European Commission had adopted the Safe Harbour Decision establishing and/or endorsing the safe harbour arrangements, the Commissioner was bound to accept that decision as binding upon him in light of Article 25(6) of the Directive and Section 11(2) of the Data Protection Acts, 1988 and 2003. Accordingly, the Commissioner declined to investigate the Complaint, deeming it unsustainable in law.

2.8 That position was challenged by Mr Schrems by way of an application for judicial review commenced on 21 October 2013. In that application, orders were sought that would quash the Commissioner’s refusal to investigate and to direct the Commissioner to investigate and decide the Complaint on its merits.

European Commission Response to the Snowden Document Disclosure

2.9 In response to concerns expressed by the European Commission arising from the Snowden document disclosure, the US agreed to participate in an ad hoc EU/US Working Group established in July 2013 to facilitate a fact-finding exercise by the European Commission under which the European Commission would be afforded an opportunity to seek clarifications on the scope of the programmes revealed by Mr Snowden, the volume of data collected, the existence of judicial and administrative oversight mechanisms and their availability to individuals in the EU, and the different levels of protection and procedural safeguards that apply to persons in the US and EU/EEA respectively.

2.10 On 27 November 2013, the European Commission published a report setting out the findings of the EU Co-Chairs of the ad hoc EU/US Working Group. Among other things, the report noted that, in the course of the Working Group’s discussions, the US had confirmed the existence of the PRISM programme, identifying it as a programme authorised and/or operated under Section 702 of the Foreign Intelligence Surveillance Act 1978 (“FISA”).

2.11 More specifically, the US was recorded as having confirmed that, on the basis of Section 702 FISA, electronically stored data, including content data, was collected “by means of directives addressed to the main US internet service providers and technology companies providing online services, including, according to classified documents disclosed in the press but not confirmed by the US, Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Apple, Skype and YouTube.”

2.12 The report proceeded to make the following points:

(1) “The US also confirmed that Section 702 provides the legal basis for so-called ‘upstream collection’; this is understood to be the interception of Internet communications by the NSA as they transit through the US (e.g. through cables, at transmission points). Section 702 does not require the government to identify particular targets or give the Foreign Intelligence Surveillance Court (hereafter ’FISC’) a rationale for individual targeting. Section 702 states that a specific warrant for each target is not necessary”;^[8]

(2) “The US stated that no blanket or bulk collection of data is carried out under Section 702, because collection of data takes place only for a specified foreign intelligence purpose.”^[9]

2.13 Under the heading “Summary of Main Findings”, the report identified a number of concerns regarding US law, including the following:

(1) Under US law, “a number of legal bases allow large-scale collection and processing, for foreign intelligence purposes, including counter-terrorism, of personal data that has been transferred to the US or is processed by US companies”;^[10]

(2) There are differences in the safeguards applicable to EU data subjects compared to US data subjects, including that targeting and minimisation procedures approved by the Foreign Intelligence Surveillance Court (“FISC”) are aimed at reducing the collection, retention and dissemination of personal data of or concerning US persons and do not apply to the personal data of individuals in the EU, even when they have no connection with terrorism, crime or any other unlawful or dangerous activity, while US persons benefit from constitutional protections, such as the Fourth Amendment, that do not apply to EU citizens not residing in the US;

(3) Under US surveillance programmes, different levels of data protection apply to different types of data (Meta US-data versus content data) and different stages of data processing (initial acquisition versus further processing/analysis);

(4) There is a lack of clarity as the use of other legal bases and the applicable limitative conditions, especially regarding Executive Order 12333 (“EO 12333”); and,

(5) There were no avenues for either EU or US data subjects to be informed of whether their personal data was being collected or further processed, and no opportunities to obtain access, rectification, or erasure of data.

2.14 On the same date, the European Commission published a separate document titled “Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU.” ^[11]

2.15 The document made 13 specific recommendations in relation to changes the European Commission considered would need to be made to the safe harbour arrangements in the context of ongoing negotiations with the US.

Judgments in the Application for Judicial Review

2.16 On 29 April 2014, Mr Schrems’ application for judicial review came on for hearing in the High Court.

2.17 On 18 June 2014, judgment was delivered by The Hon. Mr. Justice Gerard Hogan. While the High Court found that, in coming to the view that he was bound to apply the Safe Harbour Decision, the (then) Commissioner had steadfastly applied the law as it existed at that point, Mr. Justice Hogan nonetheless determined that it would be appropriate to refer a number of questions to the CJEU so that the CJEU could in turn determine, in particular, whether the Commissioner was bound, absolutely, by the Safe Harbour Decision having regard to Articles 7, 8 and 47 of the Charter, the provisions of Article 25(6) of the Directive notwithstanding.

2.18 On 6 October 2015, the CJEU delivered its judgment (Case C-362/14 Schrems v Data Protection Commissioner EU:C:2015:650) (“the Judgment in Case C-362/14”). While noting that the CJEU alone has jurisdiction to declare an EU act invalid, and that, until such time as the Safe Harbour Decision was declared invalid by the Court, the Commissioner was not at liberty to adopt any measure contrary to its terms, the CJEU nonetheless found that, as a matter of EU law, the Safe Harbour Decision did not preclude the conduct of an investigation into EU-US data transfers by the Commissioner so that the Commissioner ought properly to have investigated the Complaint with all due diligence.

2.19 The CJEU also concluded that, as a matter of EU law, the Safe Harbour Decision was invalid.

2.20 Mr Schrems’ application for judicial review came back before the High Court, and on 20 October 2015, an Order was made by Mr. Justice Hogan quashing the Commissioner’s refusal to investigate the Complaint and remitting the Complaint back to this Office for investigation.

Post-Litigation Investigation of the Complaint

2.21 Immediately thereafter, the Commissioner opened an investigation into the Complaint.

2.22 In circumstances in which there was by now no question but that EU-US transfers of Users’ personal data could no longer be undertaken under the Safe Harbour Decision, the investigation sought to establish whether, following the demise of the Safe Harbour Decision, the transfer of personal data relating to Users by Meta Ireland to Meta US was lawful. To that end, the Commissioner set out to examine (by reference to the Complaint as it relates to interferences on national security grounds with citizen’s data privacy rights):

(1) Whether, by reference to the adequacy criteria identified in Article 25(2) of the Directive, the US ensured adequate protection for the data protection rights of EU citizens; and,

(2) If and to the extent that the US does not ensure adequate protection, whether it was open to Meta Ireland to rely on one or more of the derogations provided for at Article 26 of the Directive to legitimise the transfer of Users’ personal data to the US, if indeed, such transfers continue to take place.

2.23 By letter dated 3 November 2015, the Office of the Commissioner notified Meta Ireland of the commencement of the investigation.

2.24 Separately, Mr Schrems was invited to reformulate the Complaint so as to focus, not on the (now defunct) safe harbour arrangements, but on such derogations (if any) as may be relied on by Meta Ireland to legitimise data transfers to Meta US post-6 October 2015.

2.25 On 1 December 2015, Mr Schrems duly submitted his reformulated Complaint. Having secured access in the interim to one or more of the data processing agreements to which Meta Ireland and Meta US are party, the Complaint referred to the nature and extent of those parties’ reliance on the 2010 SCC Decision. In particular, Mr Schrems made the following complaints:

2.26 As the Judgment notes,^[12] in the course of the Commissioner’s investigation, Meta Ireland also confirmed that a large volume of Users’ personal data was transferred to Meta US pursuant to the 2010 SCCs set out in the Annex to the 2010 SCC Decision.

Prior Draft Decision

2.27 On 24 May 2016, the Commissioner issued a “draft decision” (“the Prior Draft Decision”) summarising the provisional findings of her investigation.

2.28 In the Prior Draft Decision, the Commissioner took the provisional view that the personal data of EU citizens transferred to the US were likely to be consulted and processed by the US authorities in a manner incompatible with Articles 7 and 8 of the Charter and that US law did not provide those citizens with legal remedies compatible with Article 47 of the Charter. The Commissioner also expressed a preliminary view that the 2010 SCCs in the Annex to the 2010 SCC Decision were not capable of remedying that defect, since they confer only contractual rights on data subjects against the data exporter and importer, without, however, binding the US authorities.

High Court Proceedings

2.29 Taking the view that, in those circumstances, the Complaint raised the issue of the validity of the 2010 SCC Decision in the context of the transfer of personal data from the EU/EEA to the US, the Commissioner issued proceedings in the High Court on 31 May 2016, relying on paragraph 65 of the Judgment in Case C-362/14, in order for the High Court to refer a question on that issue to the CJEU.

2.30 There followed complex and lengthy plenary proceedings before the High Court.

2.31 The detailed steps in the High Court Proceedings are too many to be reproduced in this Decision but an analysis of the evidence and submissions adduced in the High Court Proceedings can be found in the judgment of the High Court, delivered on 3 October 2017.

2.32 By way of very brief summary, the High Court Proceedings involved:

(1) Extensive participation by both Meta Ireland and Mr Schrems;

(2) Extensive participation of four amici curiae joined to the High Court Proceedings, namely, Business Software Alliance, Digital Europe, Electronic Privacy Information Centre, and the US;

(3) Voluminous factual and expert evidence, both oral and written;

(4) An exchange of 22 Affidavits, with a total of 60 tabbed exhibits/appendices;

(5) Evidence from five experts in US law, who were called and gave evidence over seven days in the High Court;

(6) Two Joint Expert Reports (with the second of the Joint Expert Reports being furnished following the conclusion of the High Court hearing and dealing with new developments in US law);

(7) Extensive oral and written legal submissions, with seven sets of legal submissions filed in advance of the High Court hearing and further speaking notes prepared and handed in to the Court during the course of the hearing;

(8) A substantive hearing which lasted 21 days;

(9) A further hearing on 1 June 2017 following conclusion of the substantive hearing, dealing with new developments in US law;

(10) Delivery of the High Court Judgment on 3 October 2017 ([2017] IEHC 545);

(11) A further detailed hearing on certain of the factual findings in the High Court Judgment and on the formulation of the reference questions, heard over 4 days, on 1 December 2017 and from 16-18 January 2018; and

(12) Issue of a very slightly revised version of the High Court Judgment on 12 April 2018.

2.33 Ultimately, by order of 4 May 2018, the High Court made a reference for a preliminary ruling to the CJEU, having refused an application by Meta Ireland to stay such order pending the appeal referred to below.

Supreme Court Appeal

2.34 On 11 May 2018, Meta Ireland appealed the High Court Judgment to the Supreme Court.

2.35 The hearing of the appeal took place over two and a half days on 21–23 January 2019.

2.36 On 31 May 2019, the Supreme Court issued its judgment, concluding that, while it had jurisdiction to overturn the findings of fact made in the High Court Judgment, there was no basis for doing so, despite Meta Ireland arguing the contrary.

2.37 Thus, the findings of fact in the High Court Judgment were fully endorsed by the Supreme Court.

CJEU Hearing and Judgment

2.38 The hearing before the CJEU took place on 9 July 2019, and involved the participation of:

(1) The Commissioner;

(2) Meta Ireland;

(3) Mr Schrems;

(4) British Software Alliance;

(5) Electronic Privacy Information Centre;

(6) Digital Europe;

(7) The US;

(8) Ireland;

(9) The Belgian Government;

(10) The Czech Government;

(11) The German Government;

(12) The French Government;

(13) The Netherlands Government;

(14) The Austrian Government;

(15) The Polish Government;

(16) The Portuguese Government;

(17) The United Kingdom Government;

(18) The European Parliament;

(19) The European Commission; and

(20) The EDPB.

2.39 As noted above, the Judgment was delivered on 16 July 2020.

PDD

2.40 Following review and careful consideration of the Judgment, the DPC commenced the Inquiry and issued the PDD to Meta Ireland under cover of letter on 28 August 2020.

2.41 The PDD notified Meta Ireland of the fact that the DPC was opening the Inquiry and outlined the DPC’s preliminary views on the Data Transfers.

Judicial Review

2.42 On 10 September 2020, Meta Ireland commenced the Judicial Review against the DPC, following which a stay was put on the Inquiry by Order of the High Court (Meenan J.) made on 14 September 2020.

2.43 Following a hearing in December 2020, The Hon Mr. Justice Barniville issued judgment in the Judicial Review on 14 May 2021, dismissing the application. An Order lifting the stay on the Inquiry was subsequently made on 20 May 2021.

2.44 The DPC subsequently wrote to Meta Ireland on 21 May 2021 informing it that the Inquiry would now be reviewed and inviting it to make such submissions as it wished to make in response to the PDD no later than 2 July 2021.

Schrems’ Judicial Review

2.45 Mr. Schrems also brought a separate application for judicial review against the DPC. Those proceedings^[13] were struck out by Order of the Court made on 13 January 2021, settlement terms having been agreed between the parties pursuant to which, amongst other things, Mr Schrems agreed, firstly, that the investigation of the Complaint would be conducted separately and solely by reference to applicable provisions of the GDPR (to the exclusion of any consideration of the Complaint by reference to the Directive) and, secondly, that the temporal scope of the Complaint would be further revised so as to take 25 May 2018 as its starting point. (Prior to settlement, the DPC had already indicated to Mr Schrems that he would be afforded an opportunity to make submissions in the Inquiry)^[14].

Submissions in response to the PDD

2.46 Meta Ireland submitted its Response to the PDD on 2 July 2021. As already set out above, those submissions were lengthy and detailed and included multiple appendices.

2.47 Schrems’ Submissions on the PDD were received on 15 August 2021.

2.48 Following preliminary consideration of Meta Ireland’s Response to the PDD, in correspondence dated 18 August 2021, the DPC raised a number of queries with Meta Ireland in relation to the Inquiry.

2.49 Meta Ireland initially responded in correspondence dated 18 August 2021, and subsequently submitted its Supplemental Response to the PDD on 1 September 2021 (with certain of the Appendices to the Supplemental Response being re-submitted on 24 September 2021).

2.50 The USG’s Response to the PDD was received on 20 September 2021.

2.51 Meta Ireland replied to Schrems’ Submissions on the PDD on 24 September 2021.

The RPDD

2.52 Having carefully considered the submissions received in response to the PDD, the DPC prepared and delivered its Revised Preliminary Draft Decision, or RPDD, on 21 February 2022.

2.53 Mr Schrems delivered his Submissions in response to the RPDD on 21 March 2022.

2.54 The USG delivered its Response to the RPDD on 4 April 2022.

2.55 Meta Ireland Limited delivered its Response to the RPDD on 29 April 2022.

Other Matters

2.56 On 7 October 2022, the President of the United States signed Executive Order 14086 entitled “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities” (“EO 14086”). On the same date, the US Attorney General signed Rule / Regulations 28 CFR 201, establishing, within the US Department of Justice, a “Data Protection Review Court” (“the Regulations”).

2.57 In the context of the within Inquiry, the above events occurred at a point in time when the DPC had already determined it necessary to refer the objections that were raised by the CSAs during the Article 60 Process to the EDPB for determination.

2.58 Following the signing of EO 14086, Meta Ireland wrote to the DPC to request confirmation that the DPC would afford it a right to be heard in respect of the changes to US law and practice that were brought about by EO 14086 and the Regulations. It also requested the DPC to consider whether it was necessary to revise the Draft Decision, before making any referral to the Article 65 process, in light of the “material development” that had occurred.

2.59 For the purpose of considering Meta Ireland’s requests, the DPC undertook an examination of EO 14086 and the Regulations, limited in its scope to an examination of the question as to whether and/or to what extent the new form of redress scheme contemplated by those documents had, in fact, come into operation.

2.60 By way of high level summary of the outcome of the DPC’s examination, it appeared to the DPC that, pursuant to EO 14086 and the Regulations:

(1) Complaints will be received and reviewed under the new redress mechanism introduced by EO 14086 and the Regulations only where they originate in a designated “qualifying state”.

(2) In this respect:

a. Sec. 3(a) of EO 14086 explains that the purpose of the section is to establish “a redress mechanism to review qualifying complaints transmitted by the appropriate public authority in a qualifying state concerning United States signals intelligence activities for any covered violation of United States law and, if necessary, appropriate remediation”,^[15]

b. An element of the definition of “qualifying complaint” is that it must come from a “qualifying state” (see Sec. 4 (k)(i));

c. Sec. 3(f) deals with designation of a qualifying state, and in particular, Sec. 3(f)(i) provides:

d. For its part, §201.1 of the Regulations provides:

e. §201.2 provides that:

(3) It is apparent from these provisions that the new redress mechanism can only be engaged by a “qualifying complaint”, which, in turn, must originate in a state that has been designated as a “qualifying state”. Critically, however, to date the EU has not been designated as a “qualifying state” (and indeed, to the DPC’s knowledge, no designations at all have yet been made under Sec. 3(f) of EO 14086). On that basis, it is clear that the new redress mechanism introduced by EO 14086 and the Regulations is not accessible by EU citizens at this point in time.

(4) Even if all the other elements of the redress mechanism envisaged by EO 14086 and the Regulations had been fully and completely implemented (and for the reasons set out below, this does not appear to be the case), in the absence of designation of the EU as a “qualifying state”, the new redress system is not capable of being invoked by an EU citizen.

(5) In any event, it appears that the other elements of the redress mechanism envisaged by EO 14086 and the Regulations have not in fact been fully and completely implemented. In this regard:

a. the redress scheme contemplated by EO 14086 and the Regulations is entirely self-contained and will operate by reference to the particular procedures and/or arrangements laid down in those documents. The DPC notes that Sec. 5(h) of EO 14086 delineates the scope and range of its application in the following terms:

b. A provision similar to Sec. 5(h) is contained in the Regulations, described as a “disclaimer” and expressed in the following terms:

c. Sec. 3(b) of EO 14086 provides that, within 60 days of the date of its signing, a process for the submission of qualifying complaints will be established. It is unclear if such procedures have been adopted at this point.

d. Separately, Sec. 3(c)(i) of EO 14086 provides that “the Director [of National Intelligence], in consultation with the Attorney General, shall establish a process that authorizes the CLPO to investigate, review, and, as necessary, order appropriate remediation for qualifying complaints…”. Noting that no timeline appears to be fixed for its establishment, the DPC understands that this process has not in fact been established at this point.

e. Likewise, the guidance referred to at Sec. 5(f) of EO 14086 has not yet been adopted, being guidance intended to address “the scope of application” of the Executive Order with respect to individual elements of the US Intelligence Community, and which is intended to be “authoritative and binding” on, inter alia, the Data Protection Review Court.

f. Additionally, the DPC notes that policies and procedures previously issued by each individual element of the US Intelligence Community under Presidential Policy Directive 28 (PPD-28) are to be updated, by means of a consultative procedure involving the US Attorney General, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence and the Privacy and Civil Liberties Oversight Board, in order to implement the particular safeguards for which provision is intended to be made in EO 14086. Under the terms of Sec. 2(c)(iv)(B) of EO 14086, that exercise is to be completed within a period of one year of the date of EO 14086. The DPC understands that it has not been completed to date. In the circumstances, the status quo ante remains intact, a point expressly affirmed at Section 2(c)(iv)(A) of the EO 14086.

g. No judges have yet been appointed to the new Data Protection Review Court in accordance with §201.3 of the Regulations (and Sec. 3(d)(i)(A) of EO 14086); it follows that the rules of procedure referenced at §201.3(d) of the Regulations have likewise not yet been adopted.

h. The “special advocates” referenced §201.4 of the Regulations (and Sec. 3(d)(i)(C) of EO 14086) have not yet been appointed.

2.61 The DPC’s position – as outlined above (and as set out in a letter issued to Meta Ireland’s legal advisors on 13 December 2022) – having been disputed by Meta Ireland, the DPC wrote again to Meta Ireland by letter dated 19 January 2023, reiterating its view that there had been no material change to the remedial scheme considered by the DPC in the Draft Decision. The DPC’s letter also disputed the suggestion that EO 14086 and associated Regulations were effective and binding immediately upon the issuance of same. The DPC made the point that, on its terms, EO 14086 is directed to, and governs actions by, the US Intelligence Agencies. In circumstances where subsection 2(c)(iv)(A) explicitly provides that the Intelligence Agencies “shall continue to use the policies and procedures issued pursuant to Presidential Policy Directive 28 of January 17, 2014 (Signals Intelligence Activities)(PPD-28), until they are updated pursuant to subsection (c)(iv)(B) of this section”, and where subsection 2(c)(iv)(B) requires the Intelligence Agencies, over the course of one year, to consult with a range of third parties before completing the updating exercises to which reference is made, it could not credibly be said that the activities and/or practices of the Intelligence Agencies are to be treated as having changed, materially, and immediately, on 7 October 2022; nor could it be said that the updating exercise demanded by the terms of the Executive Order itself is to be viewed as little more than an administrative tidy-up

2.62 The DPC also noted that the privacy and civil liberties safeguards introduced by EO 14086 do not appear to be intended to apply retrospectively, a point supported by the contents of the Implementation Procedures adopted by the Office of the Director of National Intelligence for the Signals Intelligence Redress Mechanism under Executive Order 14086 (Intelligence Community Directive 126, dated 6 December 2022.

2.63 In the circumstances, and fully reserving the DPC’s position on the question as to whether, upon its full implementation, the remedial scheme contemplated by EO 14086 satisfies the requirements of Article 47 of the EU Charter on Fundamental Rights, it appears to the DPC that the scheme in question (both at the time the DPC carried out the review described above and at the date of adoption of this Decision) is not, in fact, operational. More particularly, and as explained above, in the absence of designation of the EU as a “qualifying state”, the new scheme is not operational at all for EU citizens.

2.64 Against the background of the above, and having given careful consideration to the matters raised by Meta Ireland in its correspondence, the DPC concluded that:

a. At the time when the DPC carried out its review, the remedial scheme contemplated by EO 14086 was not, in fact, operational (this remains the case as at the date of adoption of this Decision). Nor had the activities and/or practices of the Intelligence Agencies changed, immediately upon signing of EO 14086, in a manner, or to such an extent, that it could be said that the analysis contained in the Draft Decision as it relates to Articles 7 and/or 8 of the Charter had been overtaken by events and is not inaccurate and/or incomplete. (Again, I am satisfied that that remains the case as of the date of this Decision).

b. Accordingly, the risk to the fundamental rights and freedoms of EU citizens pursuant to Article 47 of the Charter, as identified and discussed by the CJEU in the Judgment, has not yet been addressed.

c. While it is possible that the remedial scheme may yet become fully operational in the future, such that the deficiencies identified and discussed by the CJEU in the Judgment might yet be addressed, the DPC is under an obligation to give effect to the law as it currently stands.

2.65 Accordingly, the DPC referred the CSA objections to the EDPB for determination pursuant to the Article 65 dispute resolution mechanism on 19 January 2023.

3.1 I now turn to the functions and powers of the DPC relevant to the Inquiry.

Charter

3.2 Under Article 8(3) of the Charter, compliance with Article 8 shall be subject to control by an independent authority.

GDPR

3.3 Under Article 51(1) GDPR, each Member State is required to provide for the establishment of one or more independent public authorities to be responsible for monitoring the application of the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union, known as a “supervisory authority”.

3.4 Pursuant to Article 55(1) GDPR, “each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with [the GDPR] on the territory of its own Member State”.

3.5 Article 56(1) GDPR provides that, without prejudice to Article 55 GDPR, the supervisory authority “of the main establishment or of the single establishment of the controller or processor” shall be competent to act as “lead supervisory authority for the cross-border processing” carried out by that controller or processor in accordance with the procedure provided in Article 60 GDPR (emphasis added).

3.6 According to Article 57(1) GDPR, without prejudice to the other tasks set out in the GDPR, each supervisory authority shall, on its territory, in particular:

(1) “monitor and enforce the application” of the GDPR (Article 57(1)(a));

(2) “cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of” of the GDPR (Article 57(1)(g));

(3) “conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority” (Article 57(1)(h));

(4) “monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices” (Article 57(1)(i)); and

(5) “fulfil any other tasks related to the protection of personal data” (Article 57(1)(v)).

3.7 Article 58(2) GDPR provides that each supervisory authority shall have all of the following corrective powers:

3.8 Meanwhile, Article 60 GDPR provides for a system of cooperation between the lead supervisory authority and the other supervisory authorities concerned.

3.9 Article 60(1) GDPR provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with Article 60 GDPR in an endeavour to reach consensus and that the lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

3.10 Article 60(2) GDPR provides that the lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 GDPR and may conduct joint operations pursuant to Article 62 GDPR, in particular, for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3.11 Article 60(3) GDPR provides that the lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned and that it shall, without delay, submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

3.12 Article 60(4) GDPR provides that where any of the other supervisory authorities concerned within a period of 4 weeks after having been consulted in accordance with Article 60(3) GDPR, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63 GDPR.

3.13 Article 63 GDPR imposes an obligation on supervisory authorities to cooperate with each other, and where relevant, with the European Commission.

3.14 Article 65 GDPR provides that the EDPB may engage in dispute resolution, and in particular, pursuant to Article 65(1)(a) GDPR, that it may adopt a binding decision in a case referred to in Article 60(4) GDPR.

The 2018 Act

3.15 The 2018 Act was commenced on 25 May 2018. This legislation established, under Section 10, the DPC as the data protection supervisory authority in Ireland for the purposes of the GDPR.

3.16 Pursuant to Section 110 of the 2018 Act, the DPC may, “of its own volition, in order to ascertain whether an infringement has occurred or is occurring, cause such inquiry as it thinks fit to be conducted for that purpose”.

3.17 Section 111 of the 2018 Act deals with the outcomes of an own volition inquiry under Section 110, and provides as follows:

3.18 The application of Sections 110 and 111 of the 2018 Act in the context of the present inquiry is, of course, subject to Article 60 GDPR, in circumstances where, for the reasons set out below, it is my view that the processing at issue in the Inquiry constitutes cross-border processing, within the meaning of that term as defined at Article 4(23), GDPR.

3.19 Section 115(1) of the 2018 Act provides that, for the purposes of exercising a corrective power under Section 111, 112 or 113 of the 2018 Act, the DPC may do either or both of the following:

(1) Subject to Chapter 6, decide to impose an administrative fine on the controller or processor concerned (Section 115(1)(a));

(2) Exercise any other corrective power specified in Article 58(2) GDPR (Section 115(1)(b)).

3.20 Section 107 defines the term “corrective power” for the purpose of these provisions as “a power conferred by Article 58(2)” of the GDPR, to which reference has already been made above.

The CJEU Consideration of the Functions of National Supervisory Authorities

3.21 It is also important to note that the relevant functions and powers of the DPC as a statutory body were considered in the Judgment.

3.22 The CJEU noted^[17] that, in accordance with Article 8(3) of the Charter and Articles 51(1) and 57(1)(a) GDPR, the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data.

3.23 It further noted^[18] that each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in the GDPR.

3.24 The CJEU added that it follows from those provisions that:

4.1 For the reasons that follow, I find that:

(1) In effecting the Data Transfers at issue, Meta Ireland, being a controller in the EU having establishments in more than one Member State, processes Users’ personal data, and, further, that such processing constitutes “cross-border processing”, as defined in Article 4(23) GDPR;

(2) In circumstances where the Data Transfers involve cross-border processing, it follows that the supervisory authority being competent to act as lead supervisory authority in respect of such processing for the purposes of Article 60 GDPR falls to be determined by reference to Article 56 GDPR; and,

(3) Having regard to the provisions of Article 56(1) GDPR, and in circumstances where Meta Ireland has its main establishment in Ireland, the DPC is properly to be considered the “lead supervisory authority” in respect of the Data Transfers.

Controller

4.2 It is not disputed that, in its provision of products and services, and in effecting the Data Transfers, Meta Ireland processes Users’ personal data qua controller.

4.3 In its Response to the PDD, Meta Ireland notes that it “is the provider of the Facebook service … and the controller of the processing of personal data for the purposes described in [Meta Ireland’s] data policy … for users in the European region”.^[20]

Personal Data

4.4 The 2018 DTPA identifies - in Appendix 1, Part A, to the 2010 SCCs outlined in Schedule 1 thereto - the nature and extent of the personal data of Users that is in fact the subject of the Data Transfers. This includes the following categories of personal data:

4.5 The 2021 DTPA identifies the data transferred in similar terms.

Processing

4.6 In the Judgment, the CJEU held that the operation of having personal data transferred from a Member State to a third country constitutes, in itself, processing of personal data within the meaning of Article 4(2) GDPR, carried out in a Member State, and that it falls within the scope of the GDPR under Article 2(1) thereof.^[21]

4.7 There is no dispute that Meta Ireland makes the Data Transfers to Meta US. Meta Ireland notes in its Response to the PDD:

4.8 As such, the Data Transfers between Meta Ireland and Meta US clearly involve transfers of personal data to a third country, the US, giving rise to “processing” within the meaning of the GDPR, in accordance with the Judgment.

Cross-Border Processing

4.9 The concept of “cross-border processing” is defined in Article 4(23) GDPR as either:

4.10 While it does not appear to be explicitly addressed in any one or more of the Response to the PDD, the Supplemental Response to the PDD, or the Response to the RPDD, it is not disputed that the processing at issue here is cross-border processing.

4.11 Meta Ireland has notified the DPC that Ireland is its place of main establishment in the EU.^[23] Whilst the issue of Meta Ireland’s “main establishment” is dealt with separately below, I find that the “processing” of personal data undertaken by Meta Ireland in connection with the Data Transfers is “cross-border processing” within the meaning of Article 4(23)(a) GDPR in circumstances where all such Meta US products and services as are provided to Users in the EU/EEA are provided by Meta Ireland, being a controller in the EU which, whilst understood to have a number of establishments within the EU, has its place of central administration in the EU in Ireland, where decisions on the purposes and means of the processing of Users’ personal data are taken.

4.12 Alternatively, and if I am incorrect in my understanding that Meta Ireland has other establishments in the EU, it appears that the processing which Meta Ireland undertakes substantially affects or is likely to substantially affect data subjects in more than one Member State within the meaning of Article 4(23)(b) GDPR. In this regard, I note that in her Affidavit, Ms Cunnane averred that while, for those individuals based in the US and Canada, the Facebook Service is provided by Meta US, critically, “for individuals in the rest of the world, including in the EU, the Facebook Service is provided by [Meta Ireland]”.^[24] This indicates that the Facebook Service is provided to EU data subjects by Meta Ireland, and as such, processing undertaken in that context substantially affects or is likely to substantially affect data subjects in more than one Member State.

Lead Supervisory Authority

4.13 In circumstances where the Data Transfers involve cross-border processing of Users’ personal data, it follows that the supervisory authority being competent to act as lead supervisory authority in respect of such processing for the purposes of Article 60 GDPR falls to be determined by reference to Article 56 GDPR. In that context, Article 56(1) GDPR provides that the supervisory authority “of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.”

4.14 As noted above, Meta Ireland previously notified the DPC that it has its “main establishment” in Ireland.

4.15 “Main establishment” is defined at Article 4(16)(a) GDPR to mean, as regards a controller with establishments in more than one Member State:

4.16 It appears to be clear that Ireland is the place of Meta Ireland’s “central administration” in the EU, where “decisions on the purposes and means of the processing of personal data are taken.”

4.17 Quite apart from the fact that Meta Ireland itself has notified the DPC that Ireland is its place of main establishment in the EU, it is noted that, in the High Court Proceedings, Ms Cunnane averred that Meta Ireland is a limited liability company, established under Irish law, with its registered office and principal place of business in Dublin, and that it is part of the Meta group of companies.^[25]

4.18 Ms Cunnane further averred that the “Facebook Service” is a popular social network service, provided via the website and platform www.facebook.com, as well as via applications for mobile telephones and other devices. As noted above, for those individuals based in the US and Canada, the Facebook Service is provided by Meta US. However, critically, “for individuals in the rest of the world, including in the EU, the Facebook Service is provided by [Meta Ireland]”.^[26]

Summary

4.19 I find that in circumstances where Meta Ireland has its main establishment in Ireland, the DPC is competent to act as lead supervisory authority, within the meaning of Article 56(1) GDPR, in respect of the Data Transfers, the conduct of which constitutes cross-border processing.

4.20 This further means that the onus fell on the DPC to prepare the Draft Decision required pursuant to Article 60(3) GDPR in connection with the particular issues under consideration in the context of the within Inquiry.

5.1 All EU-US data transfers–including the Data Transfers–are regulated by a range of legal provisions.

Charter

5.2 Article 7 of the Charter states that everyone has the right to respect for his or her private and family life, home and communications.

5.3 Article 8(1) of the Charter confers on everyone the right to the protection of personal data concerning him or her.

5.4 Article 8(2) of the Charter provides that such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. It provides that everyone has a right of access to data which has been collected concerning him or her and the right to have it rectified.

5.5 Meanwhile, Article 47 of the Charter provides that everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in Article 47 of the Charter. These include a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law.

5.6 Article 52 of the Charter recognises that the rights and freedoms recognised by the Charter may be limited, but any such limitation must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, the limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others.

GDPR

5.7 Article 44 GDPR provides as follows:

5.8 Article 45 GDPR makes provision for “Transfers on the basis of an adequacy decision”.

5.9 Article 45(1) GDPR provides that a transfer of personal data to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. It further provides that such a transfer “shall not require any specific organisation”.

5.10 Article 45(2) GDPR provides that, when assessing the adequacy of the level of protection, the European Commission shall, in particular, take account of the following elements:

5.11 Article 45(3) GDPR provides that the European Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of Article 45(2) GDPR. As at the date of adoption of this Decision, no adequacy decision is in place in respect of the transfers of personal data from the EU/EEA to the United States.

5.12 Meanwhile, Article 46 GDPR deals with “Transfers subject to appropriate safeguards”.

5.13 Article 46(1) GDPR provides that in the absence of a decision pursuant to Article 45(3) GDPR, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor “has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

5.14 Article 46(2) GDPR provides that the “appropriate safeguards” may be provided for, without requiring any specific authorisation from a supervisory authority, by the following:

(1) A legally binding and enforceable instrument between public authorities or bodies (Article 46(2)(a));

(2) Binding corporate rules in accordance with Article 47 (Article 46(2)(b));

(3) Standard data protection clauses adopted by the European Commission in accordance with the examination procedure referred to in Article 93(2) (Article 46(2)(c));

(4) Standard data protection clauses adopted by a supervisory authority and approved by the European Commission pursuant to the examination procedure referred to in Article 93(2) (Article 46(2)(d));

(5) An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (Article 46(2)(e)); or

(6) An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (Article 46(2)(f)).

5.15 Meanwhile, Article 49(1) GDPR provides for “Derogations for specific situations”, and states that in the absence of an adequacy decision pursuant to Article 45(3) GDPR or of “appropriate safeguards” pursuant to Article 46 GDPR, transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(1) The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a));

(2) The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request (Article 49(1)(b));

(3) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (Article 49(1)(c));

(4) The transfer is necessary for important reasons of public interest (Article 49(1)(d));

(5) The transfer is necessary for the establishment, exercise or defence of legal claims (Article 49(1)(e));

(6) The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (Article 49(1)(f));

(7) The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case (Article 49(1)(g)).

5.16 Article 49(1) GDPR further provides that where a transfer could not be based on a provision in Article 45 or Article 46 GDPR, and none of the derogations for a specific situation in Article 49(1) GDPR is applicable, a transfer to a third country or an international organisation may take place only if:

(1) The transfer is not repetitive;

(2) The transfer concerns only a limited number of data subjects;

(3) The transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject;

(4) The controller has assessed all the circumstances surrounding the data transfer;

(5) The controller has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data;

(6) The controller has informed the supervisory authority of the transfer;

(7) The controller has, in addition to providing the information referred to in Articles 13 and 14, informed the data subject of the transfer and of the compelling legitimate interests pursued.

The SCC Decisions

5.17 As is clear from the provisions set out above, SCCs adopted by the European Commission comprise one method of providing “appropriate safeguards” in the absence of an adequacy decision pursuant to Article 46(2)(c) GDPR.

5.18 The 2010 SCC Decision was adopted pursuant to Article 26(4) of the Directive, and, pursuant to Article 46(5) GDPR, was stated to remain in effect until amended, replaced or repealed by a Commission Decision adopted in accordance with Article 46(2) GDPR.

5.19 The 2021 SCC Decision was adopted on 4 June 2021, repealing the 2010 SCC Decision with effect from 27 September 2021, and setting out new SCCs (the 2021 SCCs) which came into effect on 27 June 2021.

5.20 Having regard to the temporal scope of the Inquiry (and subject to what I say in Section 6 of this Decision), relevant provisions of both the 2010 SCC Decision and the 2021 SCC Decision are set out below.

The 2010 SCC Decision

5.21 Recital 11 of the 2010 SCC Decision reads as follows:

5.22 Article 1 of the 2010 SCC Decision states:

5.23 Article 2 of the 2010 SCC Decision provides that the 2010 SCC Decision “shall apply to the transfer of personal data by controllers established in the European Union to recipients established outside the territory of the European Union who act only as data processors”.

5.24 Article 3 of the 2010 SCC Decision provides that, for the purpose of the 2010 SCC Decision, the following definitions apply:

(1) “data exporter” means the controller who transfers the personal data (Article 3(a));

(2) “data importer” means the processor established in a third country who agrees to receive from the data exporter personal data intended for processing on the data exporter’s behalf after the transfer in accordance with his instructions and the terms of the 2010 SCC Decision and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of the Directive (Article 3(b)); and

(3) “applicable data protection law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established (Article 3(f)).

5.25 Article 4 of the 2010 SCC Decision–as amended by Implementing Decision 2016/2297– provides:

The 2010 SCCs

5.26 The Annex to the 2010 SCC Decision, under the heading “Standard Contractual Clauses (Processors)”, is comprised of 12 SCCs.

5.27 Clause 3, under the heading “Third-party beneficiary clause”, provides in Clause 3(1) that:

5.28 Omitted from the third-party beneficiary clause are Clauses 4(a), 4(j) and 5(f).

5.29 Clause 3(2) provides that:

5.30 Clause 4 (a) provides that the data exporter agrees and warrants:

5.31 Clause 4(j) provides that the data exporter warrants that it will ensure compliance with Clause 4(a)–(i).

5.32 Meanwhile, as the CJEU observed in the Judgment, it is clear from the 2010 SCCs (Clauses 4(a), 4(b), 5(a), 9 and 11(1)), that the data exporter and data importer confirm that they will comply with the applicable data protection law, namely, the GDPR, read in the light of the Charter.^[27]

5.33 Clauses 5(a) and (b) confer on the data exporter the right to suspend the transfer and/or to terminate the contract, and the data exporter is obliged to suspend the data transfer and to terminate the contract where the data importer is not, or is no longer, able to comply with the 2010 SCCs.^[28]

5.34 Thus, Clause 4(a) and Clause 5(a) and (b) oblige the data exporter and the data importer to satisfy themselves that the legislation of the third country of destination enables the recipient to comply with the 2010 SCCs in the Annex to the 2010 SCC Decision, before transferring personal data to that third country.^[29]

5.35 In particular, according to the footnote to Clause 5, the data exporter and data importer must consider whether or not “mandatory requirements of [the third country’s legislation] … go beyond what is necessary in a democratic society to safeguard, inter alia, national security, defence and public security”. Compliance by the data importer with a mandatory requirement which goes beyond what is necessary for these purposes “must be treated as a breach of those clauses”.^[30]

5.36 The data importer is, where appropriate, under an obligation, under Clause 5(b), to inform the controller of any inability to comply with those clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract.^[31]

The 2021 SCC Decision

5.37 Also relevant are the 2021 SCC Decision and the 2021 SCCs. The DPC agrees with Meta Ireland’s submissions regarding the relevance of these provisions.^[32]

5.38 On 4 June 2021, the European Commission adopted Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“the 2021 SCC Decision”), containing new standard contractual clauses in the Annex to the 2021 SCC Decision (including the clauses set out in Module Two), under Article 46(2)(c) GDPR (“the 2021 SCCs”). The 2021 SCCs came into effect on 27 June 2021.

5.39 As Meta Ireland observe,^[33] the European Commission has noted that the 2021 SCCs,

5.40 Article 1(1) of the 2021 SCC Decision states as follows:

5.41 Article 2 provides that:

The 2021 SCCs

5.42 The 2021 SCCs – as set out in the Annex to the 2021 SCC Decision - contain 18 discrete clauses, with certain of the clauses in turn containing a series of “modules”, with the precise content of each such module being adjusted to facilitate its application to the following categories of transfers, being controller to controller (Module 1); controller to processor (Module 2), processor to processor (Module 3) and processor to controller (Module 4).

5.43 Clause 1(a) sets out the purpose of the 2021 SCCs in the following terms:

5.44 Clause 2 (headed “Effect and invariability of the Clauses”) provides (at sub-paragraph (a)) that,

5.45 Clause 3 establishes a right in favour of data subjects to “invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer”, subject to the exceptions listed therein.

5.46 At Clause 8 (headed “Data protection safeguards”), the data exporter warrants that “it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.” From there, the clause identifies the parties’ respective obligations under a series of headings, to include headings referable to the principles relating to the processing of personal data as set out at Article 5 GDPR.

5.47 Under the heading “Local laws and practices affecting compliance with the Clauses”, Clause 14 contains a series of detailed provisions – applicable across all four modules – laying down specific procedural steps required of the exporting and importing parties in connection with data transfers, underpinned by a number of warranties and declarations. It provides as follows:

5.48 Clause 15 in turn identifies certain specific obligations to which the importing party is subject (across all four modules) “in case of access by public authorities”. It provides as follows:

5.49 Clause 16 is headed “Non-compliance with the Clauses and termination” and provides as follows:

6.1 Meta Ireland accepts that at the material times for the purpose of the Inquiry, it has made the Data Transfers pursuant to the 2010 SCCs and now pursuant to the 2021 SCCs.^[35]

6.2 Meta Ireland has recently implemented the 2021 SCCs as evidenced by the 2021 DTPA.

The 2015 DTPA and the 2018 DTPA

6.3 I am also aware from evidence adduced by Meta Ireland during the High Court Proceedings that the Data Transfers were, at that time, subject to intra-group agreements between Meta Ireland and Meta US, being the 2015 DTPA and the 2018 DTPA.^[36]

6.4 As Ms Cunnane averred of the 2015 DTPA, “[t]he DTPA is based on the [2010] SCCs for the transfer of personal data to processors established in third countries” approved by the European Commission in the 2010 SCC Decision, and which have already been outlined above.^[37]

6.5 On 10 December 2018, Meta Ireland, through their solicitors, notified the DPC that Meta Ireland and Meta US had entered into the 2018 DTPA, effective from 25 May 2018. A copy of the 2018 DTPA was also made available to the DPC. I have reviewed both the 2015 DTPA and the 2018 DTPA (together referred to hereinafter as “the Agreements”).

6.6 It is apparent that the 2018 DTPA (like the 2015 DTPA) served at least two distinct purposes. Firstly, and by reference to the requirements of Article 28(2) GDPR, it regulated such processing of personal data as was then being carried out by Meta US, as processor, for and on behalf of Meta Ireland, as controller. Secondly, and separately, it identified the legal basis upon which (and the transfer mechanism by which) identified categories of personal data, including but not limited to Users’ personal data, were subject to the Data Transfers. In the latter regard, the 2018 DTPA recorded that transfers of Users’ personal data were made under and by reference to the form of SCCs for which provision was made in the 2010 SCC Decision, being the particular form of 2010 SCCs developed for controller to processor transfers.^[38]

6.7 It is not apparent to me that there were any material distinctions between the Agreements (or either of them) and the 2010 SCCs. In particular, and as noted above, it is apparent that the 2018 DTPA incorporated the particular form of the 2010 SCCs for which provision was made in the Annex to the 2010 SCC Decision.

2021 DTPA

6.8 On 31 August 2021, Meta Ireland entered into a new transfer and processing agreement with Meta US, being the 2021 DTPA. In broad terms, this agreement serves a similar purpose to the previous 2018 DTPA. Importantly, however, the agreement incorporates the 2021 SCCs pursuant to the 2021 SCCs Decision. That is to say, as and from 31 August 2021, the Data Transfers are grounded in the 2021 SCCs Decision and the 2021 SCCs.

Assessment under Clause 14 of the 2021 SCCs

6.9 On or before entering into the 2021 DTPA, Meta Ireland and Meta US undertook (and documented) the form of assessment called for at Clause 14(b) of the 2021 SCCs, a copy of which was provided to the DPC (in its finalised form) on 1 September 2021. That document (referred to by Meta Ireland as a “Transfers Impact Assessment”, or “TIA”) comprises the following elements:

(1) Transfer Impact Assessment – Summary.

(2) A “factors assessment”.

At paragraph 1.6 of this document, Meta Ireland describes the purpose this particular assessment in the following terms:

(3) An “equivalence assessment”.

At internal paragraph 1.3, the assessment (which is said to have been conducted between Meta Ireland and Meta US, and endorsed by their external legal advisors) is described in the following terms:

(4) A “Record of Safeguards”, i.e. record of the “measures and safeguards” deployed by Meta Ireland and/or Meta US “to comply with and supplement the measures under the 2021 SCCs to further ensure that an adequate level of protection continues to apply to User Data transferred from [Meta Ireland] to [Meta US]. This table documents such organisational, technical, and legal measures and safeguards.”

6.10 I will consider the 2021 DTPA below, along with the TIA. I will also have regard to Meta Ireland’s Data Policy and Meta US’s Transparency Report which demonstrate that Meta US complies with US law in respect of access requests.

Meta US’s Compliance with US Law

6.11 It is clear that Meta US is subject to and acts in accordance with US law. Meta US’s compliance with US law can be derived from (inter alia) Meta Ireland’s Data Policy which notes that Meta Ireland may:

6.12 It is also apparent from the Affidavit of Ms Andrea Scheley in the High Court Proceedings that Meta US has a framework in place to review law enforcement requests for data and where it believes that the requests are inconsistent with applicable law and/or its policies, it can and does challenge those requests.

6.13 However, no evidence was adduced in the High Court Proceedings to suggest that Meta US would ever act contrary to US law and/or that it would ever refuse a request for access to Users’ personal data that was lawful under US law.

6.14 I have also reviewed the Transparency Report, which provides information regarding Government Requests for User Data made to Meta US, and which includes statistical information regarding such requests. This information appears to be provided up to the second half of 2021. (I understand that such information is subject to a six-month reporting delay).

Summary

6.15 In summary, therefore, as a matter of fact, it appears that:

(1) Meta Ireland makes the Data Transfers pursuant to the 2021 SCCs and by reference to the assessments contained or comprised in the TIA;

(2) Meta US complies with US law, and this includes complying with access requests made by the US government when such access requests are made in accordance with US law.

7.1 Turning to the lawfulness of the Data Transfers, a number of the findings in the Judgment are critical both in respect of the framework that I must adopt when assessing the lawfulness of the Data Transfers and in respect of the substance of that assessment itself.

Framework for the Assessment

7.2 Regarding the framework for the assessment, it is necessary to carefully scrutinise the Judgment. Meta Ireland suggests that the DPC’s interpretation of the Judgment (as first reflected in the PDD and later restated in the RPDD) is “incorrect in a number of important respects”.^[39] This is not accepted.

7.3 First, the Judgment makes clear^[40] that, in the absence of an adequacy decision, transfers to a third country are permissible only if:

(1) The controller or processor has provided “appropriate safeguards”;

(2) Data subjects have “enforceable rights”; and

(3) Data subjects have “effective legal remedies”.

7.4 Clearly, this directly reflects the express terms of Article 46(1) GDPR, set out above.

7.5 Second, while Article 46 GDPR does not specify the nature of the requirements flowing from the reference to “appropriate safeguards”, “enforceable rights” and “effective legal remedies”, regardless of which transfer mechanism is relied upon, a level of protection essentially equivalent to that which is guaranteed within the EU is required.^[41]

7.6 Third, the level of protection required must be assessed on the basis of the provisions of the GDPR, read in light of the fundamental rights enshrined in the Charter.^[42]

7.7 Fourth, if transfers are conducted under Article 46(1) GDPR, “the appropriate safeguards” to be implemented must compensate for any lack of data protection in the third country in order to ensure compliance with data protection requirements and data subjects’ rights appropriate to processing within the EU.^[43]

7.8 Fifth, and following from this, when assessing whether there are appropriate safeguards, enforceable rights and effective legal remedies, it is necessary to consider both:

(1) The contractual clauses agreed between the controller or processor established in the EU and the recipient of the transfer established in the third country; and,

(2) As regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country.

7.9 As regards the latter, the factors to be taken into consideration in the context of Article 46 GDPR correspond to those set out, in a non-exhaustive manner, in Article 45(2) GDPR, set out above.^[44]

7.10 Sixth, as noted above, SCCs may comprise a particular form of “appropriate safeguards” for the purpose of data transfers to third countries.^[45] This is envisaged by Article 46(2) GDPR also set out above.

7.11 Seventh, however, as the CJEU found,^[46] while SCCs are binding on a controller established in the EU and the transfer recipient in the third country, “it is common ground that those clauses are not capable of binding the authorities of that third country, since they are not party to the contract”.

7.12 Consequently, while there are situations in which, depending on the law and practices in force in the third country concerned, the transfer recipient is in a position to guarantee the necessary protection of the data solely on the basis of SCCs, there are others in which the content of the SCCs may not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned.^[47]

7.13 Critically, in this respect, the CJEU held that:

7.14 Eighth, if the SCCs fail to provide the required level of protection and to compensate for any lack of data protection in the third country, it will be necessary to consider whether there are any supplemental measures in place which could compensate for inadequate protection in the third country.

7.15 In this regard, the CJEU held that Article 46 GDPR does not require that “all safeguards” must necessarily be provided for in a Commission decision.^[49]

7.16 Rather, “…. it may prove necessary to supplement the guarantees contained in [the] standard data protection clauses” by providing “other clauses of additional safeguards” to “supplement” the SCCs.^[50]

7.17 Moreover, “depending on the prevailing position in a particular third country”, “supplementary measures” may need to be adopted by the controller to ensure compliance with the level of protection available within the EU.^[51]

7.18 Thus, the controller or processor must:

7.19 Ninth, where the controller or a processor established in the EU is not able to take adequate additional measures to guarantee the requisite protection, the controller or processor, or failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned.

7.20 Significantly, the CJEU added:

7.21 This last point is important. While Meta Ireland is correct to note that the CJEU did not invalidate the 2010 SCC Decision—and SCCs generally—“despite the fact that SCCs cannot bind the public authorities of a third country”,^[54] it is clear that the CJEU took the view that where public authorities in the third country have access to data, there is a particular risk that no adequate additional measures to guarantee the requisite protection can be taken and that the controller, processor or competent supervisory authority must suspend or end such data transfers. Indeed, Meta Ireland acknowledges this in its reference to paragraph 126 of the Judgment. However, as will be clear from its contents, referenced above, paragraph 135 of the Judgment goes further than paragraph 126 in identifying the risk that SCCs and supplementary measures will be inadequate where public authorities have access to data.

7.22 In summary, therefore, arising from these findings in the Judgment, I am satisfied that I must consider:

(1) Whether US law provides a level of protection that is essentially equivalent to that provided by the GDPR, read in light of the fundamental rights in the Charter;

(2) If not, whether the 2010 SCCs and/or the 2021 SCCs can compensate for any inadequacies in the protection afforded by US law; and (3) If not, whether there are any supplemental measures in place which can compensate for any inadequacies in the protection afforded by US law.

7.23 While Meta Ireland seems to suggest that its interpretation of the assessment required by the Judgment differs from that identified by the DPC, in reality, that does not seem to be the case and Meta Ireland’s approach appears to reflect the tripartite structure adopted by the DPC and just identified.^[55]

Meta Ireland’s Response on the Interpretation of the Judgment

7.24 It is apparent from its Response to the PDD that Meta Ireland takes issue with my interpretation of the Judgment in a number of respects. Whilst I engaged with those objections in the context of the RPDD and explained why I do not accept them, substantially the same objections were largely repeated in Meta Ireland’s Response to the RPDD. (Certain of these objections are also referenced in the USG’s Response to the RPDD).

7.25 First, throughout the Response to the PDD, and largely repeated, albeit in summary form, in its Response to the RPDD, Meta Ireland seems to identify its own test for determining suitability of supplemental measures by lowering the standard to include measures that can “address” or “mitigate” any “relevant remaining” inadequacies in the protections offered by US law and practice and the SCCs.^[56] In particular, Meta Ireland has suggested (in its Response to the PDD) that the second part of the assessment requires considering, if there is no essential equivalence:

7.26 Similarly, it has suggested that the third part of the framework should be formulated in the following terms:

7.27 However, the terms “mitigate” and “address” cannot be found in either the Judgment or the GDPR.

7.28 By contrast, Recital (108) to the GDPR on transfers in the absence of an adequacy decision refers to the requirement for controllers and processors to take measures to “compensate” for the lack of data protection in a third country by way of appropriate safeguards. The DPC is therefore concerned that Meta Ireland is seeking to promote a lower standard for the objective of SCCs and supplemental measures than is permitted by the Judgment and the GDPR. The DPC is also concerned that this proposed standard ignores the essence of paragraphs 132 and 133 of the Judgment—to which reference has already been made above— which emphasise that one of the reasons that supplementary measures may be required is because of the fact that SCCs cannot provide guarantees beyond a contractual obligation and do not bind public authorities of third countries.

7.29 Accordingly, and taking account of Recital (108) to the GDPR, it is the DPC’s view that the requirement on a controller is to take measures which “compensate” for the lack of data protection in the third country, and not those which alternatively “address” or “mitigate” the deficiencies.

7.30 Second, it is notable that in its Responses to the PDD and the RPDD, respectively, Meta Ireland appears to seek to re-open a debate—which was considered at length in the High Court Proceedings and unequivocally resolved by the CJEU—in respect of whether a distinction must be drawn between the operation of Articles 45 and 46 GDPR (and corresponding Recitals (104) and (108)).^[59]

7.31 For example, Meta Ireland claims^[60] that “[t]he CJEU’s consideration of US law was therefore in the context of Article 45 GDPR, not Article 46 GDPR. A different assessment is required under Article 46 GDPR”.

7.32 The DPC accepts Meta Ireland’s submission^[61] that in the context of Article 46 GDPR, the relevant protections do not need to be provided “solely by virtue of the laws and practices of the third country but can instead be provided in the EU or in the third country”.^[62]

7.33 However, the DPC does not accept the submission that a “different assessment”—less still a “materially different” assessment^[63]—is required under Articles 45 and 46 GDPR. The position of the CJEU was clear regarding the relationship between Articles 45 and 46 GDPR. In this regard also, the statement of the EDPB quoted by Meta Ireland^[64] that “[t]he reasons for the invalidation of the Privacy Shield [Decision] also have consequences on other transfer tools” is entirely correct.

7.34 In particular, the Judgment is clear that, regardless of which part of Chapter V is used to underpin transfers, Article 44 GDPR requires “essential equivalence” of protection to be reached in each case,^[65] to ensure that the level of protection guaranteed by the GDPR is not undermined.

7.35 The DPC is bound by these findings, and it is not open to the DPC to conclude that the CJEU’s analysis was incorrect.

7.36 It is also the case that Meta Ireland’s position ignores the fact that identical factual matrices— insofar as the State surveillance regime and the ability of US State authorities to request access to data—apply to transfers to the US regardless of the transfer mechanism at issue. In this regard, the CJEU’s assessment of the nature and effect of US law with regard to the standards required under EU law is equally applicable to data which was transferred to the US under the Privacy Shield as it now is to data currently being transferred pursuant to the 2021 SCCs.

7.37 It is also relevant to note here that, in the context of the Data Transfers, nothing turns on the fact that the form of assessment referenced at Article 46 GDPR calls for a consideration of the remedies available to Users within the EU as well as such remedies as may be available in the United States. In that regard, Meta Ireland fails to acknowledge that the particular remedies it says are available in the EU (and to which it is said regard must be had when conducting an assessment under Article 46 GDPR) are not such as would satisfy the requirements articulated at paragraph 187 of the Judgment. There, the CJEU recalled (by reference to its earlier judgment in Case C-362/14, Schrems), that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.” On no assessment could it be said that any of the remedies available to Users within the EU (to include those listed at Part E, paragraph 4.29, of the Response to the PDD) is capable of providing an effective remedy, consistent with the requirements of paragraph 187 of the Judgment, where, for example, a US public authority accesses a User’s data, post-transfer, without notice to the User, and in a manner incompatible with the requirements of EU law.

7.38 This reality was recognised by the CJEU at paragraph 189 of the Judgment where it noted that,

7.39 Accordingly, Meta Ireland is incorrect when it says (as it says at Part B, paragraphs 1.5 through 1.7 of its Response to the RPDD) that “[t]he DPC has failed to appreciate or engage with the difference in the nature of the assessment to be carried out under Articles 45 and 46 GDPR”. The true position is Meta Ireland’s contentions to the effect that, in the context of the Data Transfers, there is some material difference between the assessments called for by Articles 45 and 46 GRPR, is not sustainable.

7.40 Third, in its Response to the PDD, and again in its Response to the RPDD, Meta Ireland engages in an extensive discussion of various data retention and other CJEU and ECtHR cases.^[66] However, having carefully considered the submissions made by or on behalf of Meta Ireland, I am satisfied that Meta Ireland’s discussion of this case law does not undermine the DPC’s analysis of the Judgment and the standards required. The DPC does not therefore regard it as necessary to respond in detail to this case law.

7.41 In particular, in this regard, in Part D of the Response to the PDD, Meta Ireland engages in an extensive discussion of the fundamental rights and freedoms engaged by its services. For the reasons discussed in Sections 8 and 9 below, however, the DPC does not accept that the rights and freedoms engaged are of relevance to its assessment of the first question under consideration in this particular Inquiry, namely, whether Meta Ireland is acting lawfully, and in particular, compatibly with Article 46(1) GDPR, in making the Data Transfers. As such, I do not consider the engaged rights and freedoms further for the purpose of this part of my analysis.

7.42 Fourth, and more generally, regarding the ECtHR case law on which Meta Ireland relies, it is clear from paragraphs 98 and 99 of the Judgment that the ECHR does not constitute – as long as the EU has not acceded to it – a legal instrument formally incorporated into EU law. Therefore as already set out above,^[67] the interpretation of EU law must be undertaken in light of the fundamental rights guaranteed by the Charter, not the ECHR.

7.43 It is of course accepted that the CJEU stated in La Quadrature du Net that Article 52(3) of the Charter “is intended to ensure the necessary consistency between the rights contained in the Charter and the corresponding rights guaranteed in the ECHR, without adversely affecting the autonomy of EU law and that of the Court of Justice of the European Union. Account must therefore be taken of the corresponding rights of the ECHR for the purpose of interpreting the Charter, as the minimum threshold of protection”.^[68]

7.44 However, ultimately, the relevant standard to be applied is that of the Charter.

7.45 Fifth, it is notable that, in the Response to the PDD, Part E, in which Meta Ireland undertakes its consideration of the Data Transfers, Meta Ireland does not follow the framework of assessment identified by the CJEU. At times, this has rendered it difficult to consider Meta Ireland’s submissions, given that it is not always clear to which particular aspect of the assessment the relevant submission is addressed. However, in the discussion below, I have had full regard to Meta Ireland’s submissions (to include those received in response to the RPDD) and have sought to address them in accordance with my views on their relevance to each of the elements of the assessment.

Whether US Law Provides an Essentially Equivalent Level of Protection

7.46 I now turn to the first part of the inquiry required by the Judgment, namely, whether US law provides an essentially equivalent level of protection.

7.47 In this regard, the Judgment makes a number of findings that are binding on me in my assessment.

7.48 In particular, it is apparent from the Judgment that US law does not–in itself–provide an essentially equivalent level of protection to that provided by the GDPR, read in light of Articles 7, 8 and 47 of the Charter.

7.49 This position was underpinned by the findings of fact as to US law made in the High Court Judgment (endorsed by the Supreme Court and accepted by the CJEU) and made by the European Commission in Commission Implementing Decision (EU) 2016/1250 (“the Privacy Shield Decision”).^[69]

Aspects of US Law Considered in the Judgment

7.50 A number of particular aspects of US law were relied on by the CJEU in the Judgment. (Whilst noting the USG’s contention made at paragraph 7.4 of its Response to the RPDD - to the effect that the DPC is not bound by findings of fact made by the CJEU, to include findings in relation to matters of US law which are properly to be treated as being concerned with issues of fact - the critical point is that neither Meta Ireland nor the USG has pointed to any such factual matter, the import of which would be to displace any of the key findings made by the CJEU, details of which are set out in more detail below).

7.51 The US authorities’ intelligence activities concerning the personal data transferred to the US are based, inter alia, on Section 702 FISA and on EO 12333. ^[70]

7.52 Section 702 FISA permits the Attorney General and the Director of National Intelligence to authorise jointly, following FISC approval, the surveillance of individuals who are not US citizens located outside the US in order to obtain “foreign intelligence information”, and provides, inter alia, the basis for the PRISM and UPSTREAM surveillance programmes.^[71]

7.53 In the context of the PRISM programme, Internet service providers are required to supply the NSA with all communications to and from a “selector”, some of which are also transmitted to the Federal Bureau of Investigation and the Central Intelligence Agency.^[72]

7.54 As regards the UPSTREAM programme, telecommunications undertakings operating the “backbone” of the Internet–that is to say, the network of cables, switches and routers–are required to allow the NSA to copy and filter Internet traffic flows in order to acquire communications from, to or about a non-US national associated with a “selector”. Under that programme, the NSA has access both to the Meta US data and to the content of the communications concerned.^[73]

7.55 EO 12333 allows the NSA to access data “in transit” to the US, by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before arriving in the United States and being subject there to the FISA. Activities conducted pursuant to EO 12333 are not governed by statute.^[74]

Assessment–Articles 7 and 8 of the Charter

7.56 With respect to Articles 7 and 8 of the Charter, the CJEU observed that:

7.57 It also observed that:

7.58 While Articles 7 and 8 of the Charter are not absolute,^[77] any limitation must be provided for by law and respect the essence of those rights and freedoms and, subject to the principle of proportionality, limitations may be made to those rights only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedom of others.^[78]

7.59 The CJEU referred to the fact that, as regards the surveillance programmes based on Section 702 FISA, the European Commission found, in Recital (109) of the Privacy Shield Decision that, according to Section 702 FISA, “the FISC does not authorise individual surveillance measures; rather, it authorises surveillance programs (like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence (DNI)”.^[79]

7.60 The CJEU further found that it was clear from Recital (109) of the Privacy Shield Decision that the supervisory role of the FISC is thus designed to verify whether those surveillance programmes relate to the objective of acquiring foreign intelligence information, but it does not cover the issue of whether “individuals are properly targeted to acquire foreign intelligence information”.^[80]

7.61 Crucially, the CJEU found that:

7.62 Regarding the requirement for enforceable rights, the CJEU observed that, according to the findings in the Privacy Shield Decision, the implementation of the surveillance programmes based on Section 702 FISA is subject to the requirements of Presidential Policy Direction‑28 (“PPD-28”). However, although the European Commission stated, in Recitals (69) and (77) of the Privacy Shield Decision, that such requirements are binding on the US intelligence authorities, the US Government accepted, in reply to a question put by the CJEU, that PPD‑28 does not grant data subjects actionable rights before the courts against the US authorities.^[82]

7.63 The CJEU further found that “ … [a]s regards the monitoring programmes based on E.O. 12333, it is clear from the file before the Court that that order does not confer rights which are enforceable against the US authorities in the courts either.”^[83]

7.64 The CJEU added that PPD-28, with which the application of the PRISM and UPSTREAM must comply, allows for “‘bulk’ collection … of a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community cannot use an identifier associated with a specific target … to focus the collection”, as stated in a letter from the Office of the Director of National Intelligence to the US Department of Commerce and to the International Trade Administration from 21 June 2016, set out in Annex VI to the Privacy Shield Decision.

7.65 That possibility, which allows, in the context of the surveillance programmes based on EO 12333, access to data in transit to the US without that access being subject to any judicial review, does not delimit in a sufficiently clear and precise manner the scope of such bulk collection of personal data.^[84]

7.66 Consequently, the CJEU concluded that neither Section 702 FISA nor EO 12333, read in conjunction with PPD‑28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.^[85]

7.67 It also held that the limitations on the protection of personal data arising from the domestic law of the US on the access and use by US public authorities of data transferred to the EU “are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law, by the second sentence of Article 52(1) of the Charter”.^[86]

Assessment–Article 47 of the Charter

7.68 Regarding Article 47 of the Charter, as already set out and as the CJEU held, this provision requires everyone whose rights and freedoms guaranteed by the law of the Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. Article 47 of the Charter provides that everyone is entitled to a hearing by an independent and impartial tribunal.^[87]

7.69 The CJEU held that the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law. Thus, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.^[88]

7.70 As the CJEU observed, the European Commission had found in Recital (115) of the Privacy Shield Decision, that:

7.71 Thus, as regards EO 12333, the European Commission emphasised, in Recital (115) to the Privacy Shield Decision, the lack of any redress mechanism.

7.72 The CJEU therefore held that the existence of such a lacuna in judicial protection in respect of interferences with intelligence programmes based on that presidential decree made it impossible to conclude that US law ensures a level of protection essentially equivalent to that guaranteed by Article 47 of the Charter.

7.73 The CJEU reiterated that, as regards both the surveillance programmes based on Section 702 FISA and those based on EO 12333, neither PPD‑28 nor EO 12333 grants data subjects rights actionable in the courts against the US authorities. From this, it followed that “data subjects have no right to an effective remedy.”^[90]

Aspects of US Law Relevant for Present Purposes

7.74 In the Judgment, the CJEU had regard to Section 702 FISA, including the PRISM programme, Section 702 FISA UPSTREAM, and EO 12333 in considering whether US law provides essentially equivalent protection for data subjects to that provided under EU law. I will consider these in turn.

Section 702 FISA PRISM

7.75 Section 702 FISA applies to both the UPSTREAM and PRISM programmes. Whilst reserving the DPC’s position on the CJEU’s engagement with, and treatment of, Section 702 FISA UPSTREAM and EO 12333, for the purpose of this section of the Decision, I focus on the PRISM programme under Section 702 FISA (“PRISM”).

7.76 The Judgment is clear that, in a number of respects, PRISM results in US law not providing a standard of protection that is essentially equivalent to that provided by the GDPR, read in light of Articles 7, 8 and 47 of the Charter. In this regard, the DPC places particular reliance on paragraphs 180, 184, 185 and 192 of the Judgment, as referred to above.

7.77 In addition, I am satisfied that PRISM does not satisfy the requirements of Article 52(1) of the Charter.

7.78 First, Section 702 FISA fails to fulfil the requirement in Article 52(1) of the Charter that “[a]ny limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law”.^[91]

7.79 Section 702 FISA limits Charter rights without such limitations being provided for by law, given that the legal basis permitting the interference does not define the scope of the limitation on the exercise of the right concerned. This can be derived from paragraphs 179 and 180 of the Judgment to the effect that Section 702 FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence.

7.80 Paragraph 183 of the Judgment is also relevant in this regard, with the CJEU noting:

7.81 Second, Section 702 FISA does not satisfy the requirement in Article 52(1) of the Charter that any limitations on Charter rights must be “necessary”, i.e. the legislation providing for the interference must impose minimum safeguards so that the persons whose data has been transferred have sufficient guarantees to effectively protect their personal data against the risk of abuse. In this regard, it is significant that the CJEU found (at paragraph 180 of the Judgment) that “Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes”.

7.82 Overall, therefore, even limiting my focus for present purposes to PRISM, it is apparent that the standard of protection secured by US law is not essentially equivalent to that conferred by EU law. I am satisfied that nothing in the Responses to the PDD and RPDD received from Meta Ireland and the USG, respectively, changes that.

Section 702 FISA UPSTREAM

7.83 As discussed above, Section 702 FISA UPSTREAM applies to data in transit. I note that Meta Ireland has asked the DPC not to have regard to Section 702 FISA UPSTREAM, on the basis that Users’ data is protected from collection pursuant to Section 702 FISA UPSTREAM requests.^[92]

7.84 While I have noted the comments of the CJEU on Section 702 FISA UPSTREAM, on the basis of the conclusions I have reached in relation to PRISM, in my view it is not necessary for me to consider Section 702 UPSTREAM for the purposes of this Decision. However, that is not to say that I agree with Meta Ireland when it says that that there is no need to have regard to Section 702 FISA UPSTREAM simply by virtue of the measures Meta has imposed in order to protect Users’ data from collection to include (most notably), encryption. For present purposes, however, I am satisfied that there is no need for me to interrogate those measures given the view I have reached in relation to PRISM.

EO 12333

7.85 Meta Ireland has also submitted that the DPC should not have regard to EO 12333, on the basis that this Executive Order is “not relevant to the assessment the [DPC] is required to carry out in the context of the [Meta Ireland] Data Transfers in the Inquiry”.^[93] Meta Ireland contends that this is because the Data Transfers are end-to-end encrypted in transit and EO 12333 does not provide the USG with legal authority to compel providers such as Meta Ireland to produce data or decryption keys.

7.86 While I have noted the CJEU’s comments on EO 12333 above, it is not necessary for me to consider EO 12333 or the reliability of the end-to-end encryption in my analysis in light of the conclusions I have reached in relation to PRISM. As noted above, my position on the CJEU’s engagement with, and treatment of EO 12,333 (and UPSTREAM COLLECTION) is reserved.

Recent Developments in the Law of the EU and the US

7.87 One criticism made by Meta Ireland in its Response to the PDD (repeated in its Response to the RPDD) is that the DPC failed to take account of recent developments in US and EU law since the date of the Judgment.^[94]

7.88 This criticism (which, contrary to what is contended for in Meta Ireland’s Response to the RPDD, was in fact engaged with by the DPC in some detail in the RPDD), is not accepted. While the view of the DPC is that the detailed assessment of the CJEU in the Judgment that US law is not essentially equivalent to EU law is binding on it, the DPC is obviously willing to have regard to both developments in EU and US law that post-date the Judgment.

Recent Developments in the Law of the EU

7.89 With respect to developments in EU law, Meta Ireland refers to two cases: La Quadrature du Net^[95] and Privacy International.^[96]

7.90 Meta Ireland also relies on the discussion of these judgments in the EDPB Essential Guarantees Recommendations. However, Meta Ireland’s citation from the EDPB Essential Guarantees Recommendations is incomplete and fails to acknowledge that the EDPB does not regard these judgments as affecting the analysis in the Judgment in Case C-362/14 or in the Judgment. Not only this, but it is clear from the discussion in the EDPB Essential Guarantees Recommendations that the EDPB regards the analysis in the Judgment in Case C-362/14 and the Judgment as remaining good law. This position is apparent from the following paragraphs that follow the section cited by Meta Ireland in the Response to the PDD (internal footnotes removed):

7.91 Thus, it is clear from the EDPB Essential Guarantees Recommendations that La Quadrature du Net and Privacy International are not to be regarded as qualifying or undermining the analysis in the Judgment.

7.92 I agree with this view, and a number of comments are worth making in this regard.

7.93 First, it is accepted, as is pointed out in the EDPB Essential Guarantees Recommendations, in La Quadrature du Net, the CJEU ruled that the objective of safeguarding national security is, due to its importance, capable of justifying measures entailing more serious interferences with fundamental rights than those which might be justified by other objectives such as of combatting crime.^[97] However, it is very clear from the analysis and holdings in La Quadrature that processing to achieve national security objectives is nonetheless subject to significant restrictions.

7.94 Second, in La Quadrature du Net, the CJEU confirmed that legislative measures which provide, as a preventive measure, for the general and indiscriminate retention of traffic and location data, are precluded by the Directive on privacy and electronic communication, read in light of the Charter.^[98] It follows from this that general and indiscriminate processing cannot be justified for preventive purposes. However, it is clear that PRISM is operated for preventative purposes. As set out above, Section 702 FISA permits the Attorney General and the Director of National Intelligence to authorise jointly, following FISC approval, the surveillance of individuals who are not US citizens located outside the US in order to obtain “foreign intelligence information”; it is clearly capable of operating for preventive purposes.

7.95 Third, the CJEU held (paragraph 168) that a number of measures for retention of data could be adopted for safeguarding national security, subject to a number of general preconditions, namely, that the measures “ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse”. Yet the CJEU has already held that Section 702 FISA does not satisfy these general preconditions. In this regard, the CJEU found that Section 702 FISA “does not indicate any limitations on the power it confers” and that as a legal basis it did not itself “define the scope of the limitation on the exercise of the right concerned” or “lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards”.

7.96 Fourth, the CJEU found that provision could be made, for the purpose of safeguarding national security, for the targeted retention of traffic and location data, limited, on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, “for a period that is limited in time to what is strictly necessary, but which may be extended”. However, in the Judgment, the CJEU did not find that Section 702 FISA operated on such a targeted basis; rather, the CJEU concluded that Section 702 FISA “does not indicate any limitations on the power it confers”.

7.97 Fifth, the CJEU found (paragraph 168) that general and indiscriminate retention of IP addresses assigned to the source of an Internet connection for a period “limited in time to what is strictly necessary” could be justified “for the purposes of safeguarding national security”. Again, this is not the basis on which Section 702 FISA operates, as found by the CJEU in the Judgment.

7.98 Sixth, the CJEU held that for the purpose of safeguarding national security, a Member State could have “recourse to an instruction requiring providers of electronic communications services, by means of a decision of the competent authority that is subject to effective judicial review, to undertake, for a specified period of time, the expedited retention of traffic and location data in the possession of those service providers”. For reasons already set out above, PRISM does not satisfy these requirements.

7.99 Consequently, I do not accept that La Quadrature affects the analysis in the Judgment.

7.100 Turning then to Privacy International, at issue was whether Article 15(1) of Directive 2002/58, read in the light of Article 4(2) TEU and Articles 7, 8 and 11 and Article 52(1) of the Charter, was to be interpreted as precluding national legislation enabling a State authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security.^[99] The CJEU held (paragraphs 77—78) in relation to access to personal data provided under a Member State law, that “general access to all retained data, regardless of whether there is any link, at least indirect, with the aim pursued, cannot be regarded as being limited to what is strictly necessary”.

7.101 The CJEU observed as follows:

7.102 At paragraph 67, the CJEU noted as follows:

7.103 The CJEU added (at paragraph 68) that:

7.104 While, as Meta Ireland notes^[100], the CJEU accepted that the objective of safeguarding national security is capable of justifying measures entailing more serious interferences with fundamental rights than those which might be justified by other objectives (paragraph 75), the CJEU added (at paragraph 76) that:

7.105 However, it is clear that PRISM does not satisfy these requirements. As already set out above, the CJEU concluded that Section 702 FISA “does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence”.

7.106 As such, Privacy International does not assist Meta Ireland’s position or suggest that the standards of EU law have been lowered since the Judgment such as to require a revisiting of the CJEU’s assessment of US law.

Developments in US Law

Submissions made by Meta Ireland

7.107 In its TIA and, in particular, its "Essential Equivalence Assessment of Relevant US Laws and Practice", Meta Ireland submits that US law provides an essentially equivalent level of protection to EU data subjects whose personal data is transferred to the US under the 2021 DTPA.

7.108 In support of that proposition, Meta Ireland makes reference to certain developments in US law that post-date the Judgment (or, at least, post-date the hearing conducted before the CJEU) and which are said to bear on its essential equivalence analysis. The developments to which reference is made in this connection include (i) changes to the scope of Section 702 FISA as it operates in practice; (ii) a requirement that the USG memorialise a reasoned, written targeting determination for each individual targeted; and (iii) certain changes in privacy enforcement in the US.

7.109 Having carefully considered the positions contended for, I find these changes fail to remedy the particular gaps or deficiencies in US law, as identified by the CJEU in the Judgment. In particular, and by way of example, I note that they do not address the finding at paragraph 180 of the Judgment that Section 702 FISA does not indicate any limitations on the power it confers to implement surveillance programmes. Nor do they address (much less remedy) the fact that data subjects do not have the possibility of bringing a legal action in the United States before an independent and impartial court, in violation of Article 47 of the Charter.

7.110 It follows that, to the extent that Meta Ireland’s TIA contends that US law has been the subject of changes post-dating the Judgment, such that US law can now be considered to provide essentially equivalent protection for data subjects to that provided under EU law, I disagree.

Submissions made by the USG

7.111 In its submissions in response to the PDD (dated 20 September 2021), the USG outlined certain developments in US law postdating the date of the hearing before the CJEU in Case C-311/18 (9 July 2019). In particular, it referenced:

- targeting procedures approved by the FISC dated 19 October 2020, which define how the government determines which specific persons’ communications may be acquired, and which are said to be binding on the USG.

- assessments of compliance with Procedures and Guidelines issued pursuant to Section 702 of the FISA. (These assessments relate to periods that predated 9 July 2019 but were only authorised for public release on 2 April 2021 and 10 August 2021, respectively).

- Memorandum Opinions and Orders, from 6 December 2019 and 18 November 2020, respectively, in which the FISC granted approval of the certifications and related procedures regarding FISA 702 targeting procedures.

- Annual Statistical Transparency Reports for the years 2019 and 2020, which the Office of the Director of National Intelligence is required by statute to publish.

- FISC-approved NSA Section 702 Querying Procedures dated 19 October 2020.

- Judgments arising in Wikimedia Foundation v. National Security Agency^[101].

7.112 Whilst noting these matters, I am satisfied that they, likewise, do not address the particular deficiencies in US law as identified by the CJEU at paragraphs 179 through 197 of the Judgment and, as such, they do not undermine the conclusions I have reached in relation to US law, as set out above. Noting that, in its subsequent Response to the RPDD, the USG complains that the DPC has failed to engage with the points referenced above, I repeat that the critical point here, in my view, is that none of the matters to which reference is made would operate to displace any of the key findings made by the CJEU, details of which have been set out above. This is not to dismiss the matters to which reference has been made by the USG, summarily or otherwise. Rather, it simply acknowledges that the gaps or deficiencies in US law as identified by the CJEU in the Judgment are not remedied by the matters to which reference is now made. In that regard, I also note, again, that none of the developments cited by the USG addresses the fact that, contrary to the requirements of Article 47 of the Charter, data subjects do not have the possibility of bringing a legal action in the United States before an independent and impartial court.

7.113 In truth, I believe it is clear that the USG’s objections are targeted at the underlying findings made by the CJEU, to include, by way of example, that contained at paragraph 180 of the Judgment, described in the USG’s Response to the RPDD as containing a “sweeping and unfounded generalisation” insofar as it expresses the CJEU’s view that “Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes.” Whilst respecting the fact that the USG disagrees with that assessment (the application of which it appears it would wish to see restricted), neither the matters cited at paragraph 7.111 above, nor those canvassed in the USG’s Response to the RPDD, are such as would provide a basis on which the DPC could look behind the CJEU’s conclusion-also contained in paragraph 180 of the Judgment-that “[Section 702, FISA] cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter … according to which a legal basis which permits interference with fundamental rights must, in order to satisfy the requirements of the principle of proportionality, itself defined the scope of the limitation on the exercise of the right concerned and lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards.”

7.114 It is also relevant to note here that, contrary to what has been contended for by the USG in its Response to the RPDD, the fact that particular elements of the CJEU’s analysis were undertaken by reference to the Privacy Shield does not detract from the general application of the CJEU’s findings, not least where (taking paragraph 180 of the Judgment as a single example) the CJEU engaged with the relevant underlying provisions of US law directly.

Additional Meta Ireland Submissions

7.115 In the Response to the PDD (and again in its Response to the RPDD), Meta Ireland has also challenged my reliance on the findings in the Judgment regarding US law in a number of respects.

7.116 First, Meta Ireland challenges the DPC’s reliance on the CJEU analysis of relevant US law and practices on the basis that the CJEU did not rule on US law specifically in the context of Meta Ireland’s data transfers.^[102]

7.117 However, the DPC has never suggested that the CJEU ruled on US law specifically in relation to the Data Transfers.

7.118 Rather, the CJEU has said that “essential equivalence” must be achieved, whether by means of Articles 45 or 46 GDPR. The starting point of the assessment is, as explained above, an assessment of the third country laws and practices. This assessment was undertaken by the CJEU in the Judgment and the DPC is bound by the findings made by the CJEU in the course of the Judgment. The DPC also relies in this regard on the statement of the European Data Protection Board to which Meta Ireland itself refers that “[t]he reasons for the invalidation of the Privacy Shield [Decision] also have consequences on other transfer tools”.^[103]

7.119 Moreover, Meta Ireland complains that the CJEU’s findings regarding inadequacies of US law generally in respect of personal data transferred from the EU to the US under the Privacy Shield Decision “focusing in particular on the general application of Section 702 FISA and EO 12333, do not relate specifically to the [Meta Ireland] Data Transfers or consider how relevant US law and practice may in fact impact on the [Meta Ireland] Data Transfers”.^[104] However, this statement is not understood given that Meta Ireland accepts that PRISM applies to its activities, and given that the DPC is obviously bound by the findings of the CJEU on Section 702 FISA.

7.120 Second, at times, Meta Ireland’s submissions in the Response to the PDD, in particular, appear to suggest that the DPC should simply ignore the findings in the Judgment.

7.121 For example, Meta Ireland suggests that there is an equivalence of EU remedies in the US.^[105]

7.122 However, this seems to suggest that what is required is a re-examination of the remedies available under US law by reference to the totality of those available in the EU, which cannot be correct.

7.123 This also ignores paragraphs 181, 182 and 192 of the Judgment, with the CJEU observing at paragraph 192 that:

7.124 Third, Meta Ireland suggests that the DPC has placed undue emphasis on the perceived deficiencies in US law without having regard to the specific factual circumstances of the Data Transfers and the extent to which there is interference with Users’ rights in practice in the US.^[106] However, this is not accepted. The first part of the framework of analysis requires consideration of whether there is “essential equivalence” between the laws of the third country and those of the EU.

7.125 It is accepted that at paragraph 126 of the Judgment, the CJEU referred to the possibility of there being situations in which “depending on the law and practice in force in the third country concerned”, the recipient of the data transfer may be in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses.

7.126 However, the focus of the CJEU was on the level of protection provided by reference to the law of the third country. For example, at paragraph 133 of the Judgment, the CJEU noted that the assessment had to take into consideration both the contractual clauses agreed and, as regards access by the public authorities of that third country to the personal data transferred, “the relevant aspects of the legal system of that third country”.

7.127 In any event, even if there is a requirement to assess “essential equivalence” by reference to the practice of the third country, it is not accepted that Meta Ireland has demonstrated that practice in the US is such as to address the deficiencies identified above in the laws of the US.

7.128 Fourth, Meta Ireland suggests that Section 702 FISA does not result in “bulk” collection. For example, Meta Ireland asserts that: “in Meta US Inc’s relevant and documented practical experience, requests from USG agencies in the national security context (which is the focus of the CJEU Judgment) do not amount to anything that could be considered ‘bulk surveillance’ but, on the contrary, are limited in nature to what is necessary and proportionate”.^[107]

7.129 However, regardless of whether Section 702 FISA is characterised as involving “bulk surveillance” or not, I am bound by the findings of the CJEU on Section 702 FISA, as already set out above.

7.130 In particular, I am bound by the finding of the CJEU at paragraph 180 of the Judgment that:

7.131 It is also noted that it is not possible on the basis of the collated data Meta Ireland has provided^[108] to assess the figures for total requests against affected accounts to be able to assess their claim of no bulk collection.

7.132 In any case, the fact remains that there is no dispute that Meta Ireland remains susceptible to bulk collection.

7.133 Fifth, Meta Ireland suggests that I must consider whether US law offers essential equivalence, not by reference to the findings in the Judgment, but rather by reference to “all the circumstances” of the Data Transfer.^[109] The DPC does not dispute its obligation to have regard to all the circumstances of the Data Transfers for the purpose of assessing any supplemental measures adopted. However, the first question—essential equivalence—requires an assessment of US law in circumstances in which the CJEU has already made binding conclusions on US law. It is simply not open to the DPC to ignore these conclusions.

7.134 In any event, the DPC does not accept Meta Ireland’s assertions of a lack of completeness in the assessment undertaken by the DPC of the relevant circumstances.

7.135 In particular, for the purpose of the essential equivalence assessment, the DPC has identified and considered the critical circumstances relevant to this assessment:

(1) As set out above, the DPC has established that Meta Ireland’s transfers at issue are to the US. This factor in turn compels the DPC to have regard to the findings on US laws and practices in the Judgment (as set out above);

(2) The DPC has identified that Meta Ireland is a company that is an electronic communications services provider, subject to Section 702 FISA and to the PRISM programme.

7.136 In its response, Meta Ireland has not disputed that the DPC is correct on both these matters and in fact has confirmed that it is subject to Section 702 FISA. Moreover, Meta Ireland has provided evidence to the DPC concerning the volumes of requests which it receives under Section 702 FISA over a three-year period and showing the number of requests and numbers of accounts affected by the requests.^[110]

7.137 Consequently, the DPC is satisfied that, insofar as relates to the first part of the assessment— the essential equivalence analysis—it properly regards itself as bound by the findings in the Judgment. The DPC does not therefore regard it as necessary to engage in detail with the analysis set out in Annexure 2 to the Response to the PDD.

7.138 Sixth, as regards Meta Ireland’s argument that the DPC should undertake an up-to-date assessment of whether US law and practice is “essentially equivalent”^[111], the DPC of course accepts that it must consider the impact of any developments in US law from the date of the Judgment. However, the DPC does not regard it as appropriate to undertake an entirely new assessment of all of the aspects of US law that were so comprehensively considered by the CJEU in the Judgment. Indeed, it would be contrary to EU law for the DPC to disregard the findings of the CJEU on US law. For example, Meta Ireland makes the submission that:

7.139 However, it is simply not open to the DPC to second-guess the findings of the CJEU on Section 702 FISA.

7.140 Thus, the DPC certainly agrees that it is appropriate to assess legal developments post-dating the Judgment to assess whether they affect any of the findings made by the CJEU in the Judgment. However, apart from such developments, the DPC regards itself as bound by the findings in the Judgment.

7.141 The DPC has had full regard to the specified, recent changes in US law outlined in Meta Ireland’s Response to the PDD^[113], to include the USG’s White Paper, and in its Response to the RPDD. The DPC has also fully considered the submissions made by the US Government, both in respect of the PDD and the RPDD. However, I am satisfied that there is nothing in those materials that undermines the analysis in the Judgment of the deficiencies in protection for EU persons when data is transferred from Meta Ireland to Meta US.

7.142 Seventh, Meta Ireland’s ongoing reliance on the Ombudsperson seems misplaced.^[114] Meta Ireland notes that Annex A to the Privacy Shield Decision extended access to the Privacy Shield Ombudsperson to EU data subjects whose data had been transferred pursuant to SCCs.

7.143 The DPC accepts that Meta Ireland has maintained its certification as part of the Privacy Shield programme, and that the protections afforded to Data Users by the Ombudsperson remain available, including the handling of complaints from Data Users in relation to transfers made pursuant to SCCs.

7.144 However, as Meta Ireland itself concedes, the CJEU concluded that the Ombudsperson mechanism did not provide any cause of action before a body which offers persons whose personal data is transferred to the US guarantees essentially equivalent to those required by Article 47 of the Charter given that:

(1) The Ombudsperson reports directly to the Secretary of State;

(2) The Ombudsperson is appointed by the Secretary of State (an integral part of the US State Department);

(3) There is nothing to indicate that the dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular guarantees or that the Ombudsperson could adopt binding on intelligence services; and

(4) There is no mention of any legal safeguards that would accompany the political commitment on which data subjects could rely.^[115]

7.145 Consequently, it appears to me that Meta Ireland’s reliance on the Ombudsperson is misplaced and I do not accept Meta Ireland’s submission that this is a “further factor that must be taken into account as a safeguard in assessing the level of protection afforded to [Meta Ireland] Users in relation to the [Meta Ireland] Data Transfers”.^[116] Even if I am wrong about this, it is clear that the Ombudsperson does not address the deficiencies in the remedies available in the US such as to achieve “essential equivalence” with the remedies made available under EU law.

7.146 Eighth, the DPC also regards Meta Ireland’s reliance on the EU-UK Adequacy Decision (“UK Adequacy Decision”) as misplaced.^[117]

7.147 The DPC is not required to conduct a thorough comparison of the EU Commission’s adequacy findings on the specifics of the UK regime versus the US.

7.148 However, without prejudice to this, Meta Ireland’s submissions suggesting that the UK Adequacy Decision demonstrates that bulk collection does not, in itself, undermine the essential equivalence of a regime fail to take account of the other elements relating to oversight and enforceable data subject rights and the role of the UK’s Information Commissioner’s Office contained in the UK Adequacy Decision.

Meta Ireland’s Factors Assessment

7.149 I have had full regard to Meta Ireland’s Factors Assessment, as requested by Meta Ireland^[118]. I am satisfied (and I so find) that this assessment does not address the deficiencies identified above and by the CJEU in US law.

7.150 Meta Ireland emphasises that it is transparent regarding government requests for user data.^[119] However, transparency about the fact that data rights are infringed does not actually remedy the relevant infringements.

7.151 Insofar as Meta Ireland contends that requests for Users’ data by the USG in the national security context are limited and proportionate in practice,^[120] these submissions seem to simply ignore the ruling of the CJEU. For example, it is difficult to reconcile Meta Ireland’s “relevant and documented practical experience” that requests from USG agencies “do not amount to anything that could be considered ‘bulk surveillance’ but, on the contrary, are limited in nature to what is necessary and proportionate”,^[121] with the finding of the CJEU that Section 702 FISA “does not indicate any limitation on the power it confers” (paragraph 180).

7.152 It is also difficult to reconcile the statement of Meta Ireland that “[a]ll requests are also subject to the terms of an independent court-approved certification with minimisation requirements and ongoing court supervision”^[122], with the finding of the CJEU that “the FISC does not authorise individual surveillance measures; rather it authorises surveillance programs (like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence (DNI)”.

7.153 Similarly, it is difficult to reconcile Meta Ireland’s contention that “disclosures are limited to what is necessary and proportionate”^[123] with the finding of the CJEU that Section 702 FISA “does not indicate any limitation on the power it confers” (paragraph 180).

7.154 It is noted that Meta Ireland notes that “[i]f the request is unlawful, overly broad, or legally deficient in any way, [Meta Ireland] will challenge or reject the request”.^[124] However, the reality is that the CJEU has found that all requests are overly broad and legally deficient such that compliance with same will result in breach of EU law. Thus, Meta Ireland’s statement that it “reviews the legality of requests… and produces data only in response to valid legal process” (paragraph 3.13) means that, by definition, it is responding to requests that are in breach of EU law.

Whether the SCCs can Remedy the Inadequate Protection Afforded by US Law

7.155 Given my conclusion on US law, I must therefore proceed to consider the second issue, and whether the SCCs can remedy the inadequacies in protection just identified.

7.156 As a preliminary point, I consider it appropriate to focus my analysis on the 2021 SCCs rather than the 2010 SCCs, given that, as at the date of this Decision, the 2010 SCC Decision stands repealed, and Meta Ireland and Meta US have entered into the 2021 DTPA, effective from 31 August 2021, a central purpose of which was (and is) to ground the Data Transfers on the 2021 SCC Decision and the 2021 SCCs. It is also of course the case that the 2021 SCC Decision was adopted (and the 2021 SCCs developed) specifically with a view to implementing the terms of the Judgment.

7.157 Having regard to the temporal scope of the Inquiry, however, I will first set out, briefly, my findings on the question as to whether the 2010 SCCs can remedy the inadequacies in protection just identified.

The 2010 SCCs

7.158 I am satisfied that the issue has already been determined by the CJEU in the Judgment. In that regard, a critical finding of the CJEU is found at paragraph 126 of the Judgment. While I have already set it out above, it is useful to repeat it here. It is as follows:

7.159 The CJEU has clearly found that in circumstances in which the law of a third country allows its public authorities to interfere with the rights of the data subjects to which that data relates, SCCs will not suffice to guarantee the necessary protection of the data.

7.160 Given that the CJEU found that US law interferes with the rights of data subjects under Articles 7, 8 and 47 of the Charter (as already set out above), it necessarily follows that SCCs cannot compensate for the inadequacies in the level of protection afforded by US law.

7.161 Given the clear findings of the CJEU, it does not appear to me that it is necessary to analyse this issue further.

7.162 However, I add that even if the CJEU had not made the finding at paragraph 126 of the Judgment, it is obvious that the 2010 SCCs cannot address inadequacies of the protection afforded by US law.

7.163 The particular deficiencies in protection arising in the context of the US—identified above— relate to US authorities acting in the national security context. As the CJEU observed, “it is common ground that those clauses are not capable of binding the authorities of that third country, since they are not party to the contract”.^[126]

7.164 Given that the 2010 SCCs do not bind the US authorities, they will be incapable of regulating processing undertaken by US authorities or of giving rise to an effective remedy for any interference, actually addressing the injury suffered by the data subject.

7.165 Rather, in light of Clause 5 and the footnote thereto in the 2010 SCCs, it is clear that the mandatory requirements of US law go beyond what is necessary in a democratic society and that compliance with same must be treated as a breach of the 2010 SCCs (as held in the Judgment).^[127]

7.166 It is also important to consider Meta Ireland’s submission that “it cannot follow that any interference with the rights of data subjects necessarily renders SCCs insufficient as a safeguard”.^[128] It is not necessary for me to comment on this submission, given that, for reasons already set out, it is clear that the CJEU was satisfied that the particular interference arising here was not capable of being remedied by the SCCs.

7.167 I also reject Meta Ireland’s suggestion that the DPC’s reasoning appears to disregard “another clear finding in the CJEU Judgment that ‘the mere fact that standard data protection clauses … do not bind the authorities of third countries to which personal data may be transferred cannot affect the validity of [the 2010 SCC Decision]’”.^[129] The DPC’s reasoning does not disregard this finding. However, to reiterate, the fact remains that, in the circumstances arising here, for reasons already outlined, SCCs cannot remedy the deficiencies in US law. The DPC also relies in this regard on the statement of the CJEU at paragraphs 126 and 135 of the Judgment, as already set out above.

7.168 Accordingly, I am satisfied–and I so find–that the 2010 SCCs cannot compensate for the inadequate level of protection provided by US law.

The 2021 SCCs

7.169 The substance of analysis set out above in relation to the 2010 SCCs applies equally to the 2021 SCCs. That is to say, the 2021 SCCs do not implement any new measure(s) directed to (or compensating for) the specific deficiencies in US law as identified by the CJEU in the Judgment. Whilst the arrangements they provide for are unquestionably more developed than the 2010 SCCs, such developments are, in large part, procedural in nature, to include, for example, the requirement at Clause 14 pursuant to which a written assessment must be prepared by the exporting and importing party directed to issues relating to local laws and practices affecting compliance with the Clauses, to include local laws and practices requiring the disclosure of data to public authorities or authorising access by such authorities.

7.170 It remains the case therefore that, in circumstances where the CJEU has found that US law interferes with the rights of data subjects under Articles 7, 8 and 47 of the Charter (as already set out above), the 2021 SCCs cannot compensate for the inadequacies in the level of protection afforded by US law.

7.171 Contrary to what has been contended for by Meta Ireland, provisions in the 2021 SCCs said to impose “more onerous obligations on data importers and exporters, such as in respect of notification to data subjects and handling of legal requests”, whilst important in their own right, do not change this analysis, or the analysis undertaken by the CJEU in the Judgment.

7.172 In particular, nothing in the 2021 SCCs changes the fact that Meta Ireland and/or Meta US is an electronic communications service provider subject at a minimum to the obligations imposed under the FISA 702 PRISM programme.

7.173 It is my view, therefore, that Meta Ireland’s reliance on the 2021 SCCs (which are not, of course, binding on the USG) does not (and cannot) compensate for the deficiencies in US law identified in the Judgment.

Summary

7.174 In short, the position is as follows:

(1) Under the Section 702 FISA’s known “downstream” programme (PRISM), there could be non-court supervised access to a user’s data without their knowing;

(2) Meta Ireland cannot stop this with SCCs, whether it has incorporated the 2010 SCCs or the 2021 SCCs in its DTPA; and,

(3) There is no remedy for an EU data subject who is not informed that they have been the subject of a FISA 702 search.

Whether there are Supplemental Measures that could Address the Inadequate Protection Provided by US Law

7.175 In the Judgment, the CJEU made clear that, where SCCs (in isolation) are unable to provide adequate protection to data subjects, controllers who are making transfers to a third country are required to implement supplementary measures to ensure the level of protection guaranteed by EU law.^[130]

7.176 As has already been discussed, the supplemental measures introduced must not merely “mitigate” the deficiencies in US law, as Meta Ireland contends,^[131] but must ensure that data subjects receive essentially equivalent protection to EU law.

7.177 In its Response to the PDD, Meta Ireland summarises the supplemental measures it has put in place and which it submits, when taken with the protective measures implemented through the 2021 SCCs, provide appropriate safeguards to data subjects.^[132] The supplemental measures are also referred to in the Transfer Impact Assessment Summary. However, as those measures are set out in most detail in the Record of Safeguards and Supplementary Measures (“ROS”), I will focus my analysis on this document.^[133]

7.178 In the ROS, Meta Ireland breaks down the measures it has in place (to include measures supplemental to the 2021 SCCs) into three categories: organisational measures; technical measures; and legal measures. I will adopt the same structure when considering whether these measures, taken in conjunction with the 2021 DTPA, provide appropriate safeguards in the context of data transfers made to the United States.

Organisational measures

7.179 The ROS refers to a number of organisational measures implemented by Meta Ireland and Meta US. The first section of the ROS considers a range of policies and procedures implemented by those parties. These include a Disclosure Policy; a Disproportionate Requests Policy; a Notification Policy; a Data Access Policy; Law Enforcement Guidelines; Facebook Transparency Reports; Data Sharing Policies; and a People Security Policy.

7.180 The ROS also refers to a number of oversight measures Meta US has in place. Under these measures:

(1) Meta US is required to promptly notify Meta Ireland where it receives a legally binding request from a US public authority unless it is prohibited by law from doing so;

(2) Meta US submits detailed reports to Meta Ireland on disclosures made on foot of US legal requests;

(3) Meta US applies certain Quality Assurance arrangements to the body of work undertaken by its Law Enforcement Response Team; (4) Meta US has implemented Operational Compliance policies.

7.181 The ROS also identifies the teams that Meta US has in place to evaluate and review government requests including its Law Enforcement Response Team, its Law Enforcement Outreach Team and its Quality Audit Team.

Technical measures

7.182 The ROS identifies a number of technical measures implemented by Meta US and Meta Ireland.

7.183 It first refers to the Comprehensive Information Security Program (“CISP”) that Meta US has in place. This Program is described as protecting “the confidentiality, [i]ntegrity, and availability of data stored on [Meta US’s] systems, platforms and products.”

7.184 The ROS also details how Meta US has implemented security measures in respect of external safeguards. In particular, it makes reference to measures implemented to ensure the confidentiality of data in transit:

7.185 In addition, the ROS points to other technical measures that have been implemented, including shared infrastructure between Meta US and Meta Ireland, asset management controls, arrangements for the management of Facebook employee mobile devices, the implementation of encryption on Facebook laptops, the deployment of cryptographic protection of passwords and third party security policies.

7.186 The ROS also refers to a number of security measures Meta US has implemented for internal processing including: access controls and audit logs, logging and monitoring policies, secure disclosure practices, configuration management policies, change management policies, vulnerability management policies and white hat programs.

7.187 Other technical measures referenced in the ROS include risk assessments of the Law Enforcement Response Team’s access tools, regular auditing of security measures, and identity verification for Law Enforcement Officials who make requests to Meta US to access personal data. Meta US is also said to have implemented security compliance and risk policies, information security policies and security incident response policies. The ROS notes that Meta US has a security team in place encompassing several hundred individuals.

Legal measures

7.188 The ROS lists a number of legal measures Meta Ireland and Meta US have implemented in respect of the Data Transfers.

7.189 In the first place, the ROS points to the contractual rights conferred on data subjects under the 2021 DTPA and the 2021 SCCs. The ROS states that these legal measures provide “enforceable rights and remedies” to data subjects in ensuring Meta Ireland and Meta US’s compliance with the 2021 SCCs.

7.190 The ROS refers to a number of reactive legal measures which are in place. For example, Meta US challenges requests received for disclosure of personal data which Meta US believes to be unlawful. In addition, it seeks to challenge unduly broad requests which it believes are not necessary and proportionate in a democratic society. The ROS also state where Meta US is prohibited by the US Government from providing notice to data subjects prior to disclosing the data, Meta US will use its best efforts to obtain a waiver from such a prohibition.

7.191 The ROS refers to a number of proactive legal measures which are in place. One such measure listed is that Meta US engages in lobbying to change laws and advocates for its users’ rights. The ROS also states that, since the Judgment, Meta US has provided additional transparency to its users in respect of government agency requests.

Assessment of the measures outlined in the ROS

Organisational measures

7.192 I am satisfied (and I so find) that the organisational measures identified in the ROS, read with the 2021 DTPA, do not compensate (nor could they) for the deficiencies in US law identified by the CJEU in the Judgment and as outlined above.

7.193 Although it is acknowledged that Meta US’s Disclosure Policy, its Disproportionate Requests Policy and Law Enforcement Guidelines represent bona fide attempts to mitigate the deficiencies identified in US law, these measures are not such as would compensate for those deficiencies and so, whether viewed in isolation, or in tandem with the 2021 SCCs and the full suite of measures outlined in the ROS, they do not provide essentially equivalent protection to that available under EU law against USG access to users’ personal data via Section 702 FISA DOWNSTREAM (PRISM) requests. Ultimately, if the US Government makes a request which falls within the scope of Section 702 FISA, Meta US is required to disclose its users’ personal data.

Technical measures

7.194 The DPC has come to the same view in respect of the technical measures described in the ROS, i.e. whether viewed in isolation, or in tandem with the 2021 SCCs and the full suite of measures outlined in the ROS, they do not provide essentially equivalent protection to EU law against the wide discretion the US Government has to access Meta US users’ personal data via Section 702 FISA DOWNSTREAM (PRISM) requests.

7.195 Although I have not come to a final view on this point (and do not consider it necessary to do so for the reasons outlined earlier in this Decision), I note that the encryption measures implemented in respect of data in transit may provide appropriate safeguards in the context of Section 702 FISA UPSTREAM or EO 12333. Importantly, however, Meta US and Meta Ireland have not demonstrated that they have implemented technical measures which will provide appropriate safeguards to data subjects from Section 702 FISA DOWNSTREAM (PRISM) requests for data which is in turn collected through compelled assistance. I am of the view that none of the technical measures listed in the ROS provide appropriate safeguards in respect of such requests.

Legal measures

7.196 I am likewise satisfied (and I so find) that the legal measures identified in the ROS (to include both its reactive and proactive measures) do not compensate for the deficiencies in US law in issue, whether viewed in isolation, or along with the other measures described in the ROS and/or in the 2021 SCCs.

7.197 Ultimately, the position remains that, if a valid request is made by the US Government which falls within the Section 702 FISA (PRISM) programme, Meta US is obliged to release or provide access to its users’ personal data. Neither the 2021 DTPA nor the 2021 SCCs provide an effective remedy to affected users as required by Article 47 of the Charter.

EDPB Supplemental Measures Recommendations

7.198 The DPC has carefully considered Meta Ireland’s criticisms of the “EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” adopted on 18 June 2021 and published on 21 June 2021 (“the EDPB Supplemental Measures Recommendations”).^[134] However, these criticisms do not affect my analysis.

7.199 First, the EDPB Supplemental Measures Recommendations do not exclude a so-called risk- based approach (this was deliberately inserted after point 3 of the Executive Summary).

7.200 Second, however, the pertinent point is that Meta Ireland is not in a position to demonstrate that, notwithstanding the deficiencies in US law referenced in this Decision, in fact, no interference with EU rights occurs. Such interference does occur, and Meta Ireland does not have a remedy for it. In that regard, the risk-based approach called out by Meta Ireland as being identified in the GDPR can have no application where the essence of one or more of the Charter-based rights engaged is not respected.

7.201 Third, Meta Ireland criticises the EDPB Essential Guarantees Recommendations on the basis that they do not mention the “margin of appreciation” under the ECHR.^[135] However, as has already been addressed above, the relevant analysis must be conducted by reference to EU law and the Charter, not by reference to the ECHR. Moreover, the “margin of appreciation” has no equivalent in EU law and is not relevant for present purposes. Furthermore, the position under EU law on bulk interception regimes is clear and has already been considered above. Given that the relevant benchmark is EU law, rather than ECtHR law, Meta Ireland’s observation that the EDPB Essential Guarantees Recommendations pre-dated the Grand Chamber’s decisions in Big Brother Watch and Centrum för Rättvisa are also not persuasive.^[136]

Summary

7.202 In summary, therefore, I am satisfied (and I so find) that:

(1) US law does not provide a level of protection that is essentially equivalent to that provided by EU law;

(2) Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law; and

(3) Meta Ireland does not have in place any supplemental measures which would compensate for the inadequate protection provided by US law.

7.203 Accordingly, in making the Data Transfers, I find that, subject to the analysis contained at Section 8 below, Meta Ireland is infringing Article 46(1) GDPR.

8.1 The provisions of Article 49 GDPR are set out in detail in Part 5 of this Decision. Accordingly, I will not repeat them here.

8.2 I have carefully considered the submissions made by Meta Ireland in relation to its intended reliance on the derogations under Article 49 GDPR.^[137]

8.3 I note that Meta Ireland has made detailed submissions in relation to its intended reliance on the ‘contractual necessity’ derogation under Article 49(1)(b) GDPR. I understand Meta Ireland to say that, if this legal basis for transfers was rejected, it would seek to rely on the public interest derogation under Article 49(1)(d) GDPR or, in the alternative, certain other of the derogations under Article 49 GDPR, or it would seek to procure the consent of Meta Ireland users in the EU/EEA to the transfer of their personal data to the United States under and by reference to the consent derogation at Article 49(1)(a) GDPR.

8.4 In its Response to the RPDD,^[138] Meta Ireland submits that the approach to Article 49 GDPR in the RPDD is “manifestly incorrect” and “wrong as a matter of law”.^[139] I do not accept that characterisation, which is premised on a number of fundamental misunderstandings by Meta Ireland. I have nevertheless, for completeness, addressed Meta Ireland’s intended reliance on Articles 49(1)(b), 49(1)(d) and 49(1)(a) GDPR separately below.

8.5 For the avoidance of doubt, I accept that, in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or of appropriate safeguards pursuant to Article 46 GDPR, the derogations provided for under Article 49 GDPR may be relied on to make transfers to third countries which do not satisfy the “essential equivalence” standard. Meta Ireland’s characterisation of Chapter 8 of the RPDD to the contrary is incorrect.

8.6 However, for the reasons that follow, I am satisfied that Meta Ireland cannot rely on the derogations under sub-paragraphs (b), (d) or (a) of Article 49 GDPR, or any derogation under Article 49 GDPR, to justify the scale of data transfers it is currently making from the EU to the US.

Interpretation and Application of Article 49 GDPR

8.7 Prior to addressing the derogations under Article 49 GDPR that Meta Ireland places reliance on, it is useful to outline the basis on which I am required to interpret and apply those derogations, in particular in light of Article 52(1) of the Charter.

Obligation to interpret and apply EU law measures in accordance with the Charter

8.8 I note that secondary EU law must be interpreted in conformity with primary law as a whole, including the Charter.^[140] Where the wording of secondary EU law is open to more than one interpretation, preference should be given to the interpretation that renders the provision consistent with the Charter.^[141]

8.9 Further, Article 51(1) of the Charter requires Member States to respect the fundamental rights enshrined in the Charter when implementing EU law. The CJEU has confirmed that Member States, and in particular Courts, must not rely on an interpretation of secondary EU law that would be in conflict with the fundamental rights protected by the Charter when implementing EU law.^[142] I am satisfied that this requirement applies equally to the DPC.

8.10 I am therefore required to interpret and apply EU law – including the derogations under Article 49 GDPR – in accordance with the fundamental rights enshrined in the Charter, and in particular in light of Article 52(1) of the Charter.

Restrictive interpretation of derogations

8.11 It is well established that, in light of the foregoing, derogations from fundamental rights must be strictly construed.

8.12 First, the CJEU has confirmed that the protection of fundamental rights guaranteed under the Charter requires that derogations from and limitations on those rights must apply only in so far as is strictly necessary, and must be narrowly construed.^[143]

8.13 Second, and relatedly, it is well established that derogations cannot be interpreted so as to allow the exception provided by the derogation to replace the rule established by the EU measure; it is necessary that “the exception remain an exception.”^[144]

8.14 In that respect, where a provision: “provides for an exception to the general rule [it must] be the subject of a strict interpretation. That provision, therefore, cannot permit the exception to the obligation of principle … to become the rule, if [the rule] is not to be rendered largely meaningless.”^[145]

8.15 Third, the CJEU has confirmed that while derogations may be,

8.16 I am required to interpret and apply the derogations under Article 49 GDPR in accordance with those principles.

Article 52(1) of the Charter and the ‘essence’ of the right

8.17 In addition, I must interpret and apply Article 49 GDPR in accordance with Article 52(1) of the Charter. Any derogation from a right guaranteed by the Charter, whether that derogation is set out in an EU measure or otherwise, must comply with Article 52(1) of the Charter, which provides:

8.18 Article 52(1) of the Charter therefore identifies three cumulative requirements with which any limitation on or derogation from a Charter right must comply. Derogations are permissible only where they: “first, are ‘provided for by law’, secondly, respect the ‘essence’ of that freedom and, thirdly, respect the principle of proportionality.”^[147]

8.19 A derogation that does not respect the “essence” of a fundamental right must therefore be considered invalid, without it being necessary to examine the third condition in Article 52(1) of the Charter, relating to compliance with the principle of proportionality.

8.20 Advocate General Saugmandscaard Øe expressed that principle as follows:

8.21 That principle was recently reiterated by Advocate General Giovanni Pitruzzella, as follows:

8.22 I am therefore required to interpret and apply Article 49 GDPR as precluding derogations that do not comply with the “essence” of a fundamental right. It is only where a derogation from a fundamental right respects the “essence” of that right that it is necessary to proceed to a balancing test.

Transfers to the US and interference with the ‘essence’ of Charter rights

8.23 In the Judgment, the CJEU determined that identified laws that permit data surveillance in the United States do not respect the “essence” of the right to an effective judicial remedy under Article 47 of the Charter.

8.24 In its Response to the RPDD, Meta Ireland submits that the Judgment makes no finding that there has been an interference with the “essence” of any fundamental right.^[150] For the reasons outlined below I do not agree.

8.25 The Response to the RPDD also suggests that I reached the conclusion that there was an interference with the “essence” of the right to an effective judicial remedy, based only on the CJEU’s conclusion there was a lack of “essential equivalence” in the United States, conflating those concepts.^[151]

8.26 For the avoidance of doubt, I did not in the RPDD, and do not now, conflate a lack of “essential equivalence”, with an interference with the “essence” of a fundamental right. In that regard, it is acknowledged that a finding to the effect that the law of a third country does not ensure a level of protection that is “essentially equivalent” to that guaranteed by EU law does not mean, without more, that an interference with the “essence” of a fundamental right has been established.

8.27 My conclusion that identified laws that permit data surveillance in the United States do not respect the “essence” of the right to an effective judicial remedy under Article 47 of the Charter is not therefore based on or inferred from the Court’s finding of a lack of “essential equivalence”. Rather, it is based on the CJEU’s finding in the Judgment that there is an interference with the essence of that right.

8.28 In light of those submissions by Meta Ireland, I will outline in more detail the basis for that conclusion. In that respect, the treatment of this issue in the judgment in Case C-362/14, and the preliminary questions referred to the CJEU and at issue in the Judgment, lend useful context.

The judgment in Case C-362/14: The Safe Harbour Decision

8.29 In its judgment in Case C-362/14, the CJEU noted with respect to Article 47 of the Charter, when striking down the European Commission’s Safe Harbour Decision, that:

8.30 The CJEU also indicated (referencing paragraph 39 of its earlier decision in Digital Rights Ireland) that where a surveillance programme permits or facilitates access on a generalised basis to the content of electronic communications, such programme will be regarded as compromising the “essence” of an individual’s fundamental right to privacy under Article 7 of the Charter.^[153]

8.31 On that basis the CJEU held that the Safe Harbour decision was invalid, without engaging in a proportionality analysis under the second sentence of Article 52(1) of the Charter.

The Questions Referred

8.32 Following the judgment in Case C-362/14, the Commissioner undertook a merits-based assessment of the Complaint and, following delivery of the Prior Draft Decision, issued proceedings in the High Court in which the court was invited to make a reference to the CJEU for a preliminary ruling “on the validity of [the 2010 SCC Decision and related implementing decisions of the European Commission] insofar as they apply to data transfers from the European Economic Area to the United States, having regard to the Charter, and in particular, to Article 7 and/or Article 8 and/or Article 47 thereof.”

8.33 With respect to Article 47 of the Charter, the High Court reached a conclusion expressed in the following terms:

8.34 By order of 4 May 2018, the High Court made a reference for a preliminary ruling to the CJEU. I note that Question 4 and Question 5 as referred to the CJEU were as follows:

8.35 I note in particular, with respect to the questions referred, that the CJEU was asked expressly to determine: (i) whether the “essence” of Article 47 of the Charter was respected, and (ii) if the “essence” of Article 47of the Charter was respected, whether any limitations on Article 47 were proportionate within the meaning of Article 52 of the Charter.

The Judgment

8.36 It is acknowledged that the Judgment did not hold that the “essence” of Article 7 or Article 8 Charter rights were interfered with by limitations on the protection of personal data arising from the domestic law of the United States. Rather, the CJEU held that those limitations failed to meet the proportionality requirement under the second sentence of Article 52(1) of the Charter.^[155]

8.37 In contrast, however, when the Judgment is read as a whole, it is clear that the CJEU did determine that identified laws that permit data surveillance in the United States do not respect the “essence” of the right to an effective judicial remedy under Article 47 of the Charter.

8.38 First, in paragraph 187 of the Judgment, the CJEU referenced its findings in its judgment in C-362/14, with respect to when the “essence” of the right to an effective judicial remedy under Article 47 of the Charter will be interfered with:

8.39 Second, the CJEU held that the lack of any redress mechanism as regards, in particular, E.O. 12333, made it impossible having regard to the case-law set out in paragraph 187 – i.e. the finding in its judgment in C-362/14 that legislation “not providing for any possibility for an individual to pursue legal remedies” does not respect the “essence” of the right to effective judicial protection – to make a finding of essential equivalence:

8.40 Third, the CJEU continued, in paragraph 192:

8.41 I am satisfied, in particular having regard to the express reliance by the CJEU on the principle identified in the CJEU’s judgment in C-362/14, as set out in paragraph 187 of the Judgment – that legislation not providing for any possibility for an individual to pursue legal remedies does not respect the “essence” of the right to effective judicial protection – when concluding that a finding of effective equivalence was impossible, that these paragraphs represent a clear finding by the CJEU that, in the context of EU-US data transfers, identified legislation in the United States does not respect the “essence” of the fundamental right to effective judicial protection.

8.42 My conclusion in that respect is reinforced by the fact that the CJEU did not (in contrast to its treatment of Articles 7 and 8 of the Charter) proceed to engage in any proportionality exercise with respect to Article 47 of the Charter. This is despite the question referred to the CJEU expressly requesting a finding on proportionality, if the CJEU were satisfied that the “essence” of the right to effective judicial protection under Article 47 of the Charter was respected by the United States domestic measures.

8.43 I have carefully considered Meta Ireland’s argument that the CJEU did not in fact identify a breach of the essence of any Charter right.^[156] Having regard to the foregoing, I do not accept that argument. I am satisfied that when the Judgment is read as a whole, that finding is clear.

8.44 I am also satisfied that nothing turns on the fact that the Court’s analysis was undertaken by reference to the Privacy Shield Decision, rather than the SCCs. Ultimately, it is clear that the Court was satisfied, for the reasons set out in the Judgment, that in the context of transfers to the United States, identified laws applicable in that jurisdiction operate in such a manner as to interfere with the essence of EU citizens’ fundamental right to an effective remedy under Article 47 of the Charter.

8.45 In the circumstances, I am satisfied, bearing in mind the following matters, that when considering whether the derogations set out at Article 49(1) GDPR are available to (and can be relied on by) Meta Ireland in respect of the systematic, bulk, repetitive and ongoing transfers comprised within the Data Transfers, I must have regard to the following:

a. For the reasons noted in the Judgment, identified laws of the United States interfere with the essence of EU citizens’ fundamental right to an effective remedy under Article 47 of the Charter.

b. Any measure that interferes with the essence of a fundamental right, cannot be justified (and is not subject to any proportionality balancing exercise).

c. Meta Ireland’s Response to the PDD acknowledges that it has received (and continues to receive) requests from the US Government, with which it is bound to comply (and does in fact comply), to disclose the content of data subjects’ communications.^[157]

d. Reliance by Meta Ireland on the derogations at Article 49 GDPR (which, as a matter of principle, must apply only insofar as is strictly necessary, and cannot be applied so as to permit the exception to become the rule) falls to be considered in the same way as reliance on any measure that would interfere with the essence of a fundamental right.

8.46 I will now address the three sub-paragraphs of Article 49 GDPR on which Meta Ireland seeks to rely.

Article 49(1)(b) GDPR: ‘Contractual Necessity’

8.47 I am satisfied that the contractual necessity derogation cannot be relied on to justify the systematic, bulk, repetitive and ongoing transfers to the US comprised within the Data Transfers, for the following reasons.

8.48 First, the CJEU has held that the legal regime in the US governing redress where individuals, including EU data subjects, have been the subject of unlawful surveillance for national security purposes under certain legislation fails to respect the “essence” of the right to effective judicial protection.

8.49 Meta Ireland proposes to rely on this derogation to continue the systematic, bulk, repetitive and ongoing transfers to the United States comprised within the Data Transfers. This will result in the personal data of EU data subjects being transferred to the United States and subjected to a legal regime that does not respect the “essence” of the rights guaranteed by Article 47 of the Charter, without the consent of those data subjects to that interference with their Article 47 Charter rights.

8.50 It follows that the contractual necessity derogation cannot be interpreted and/or applied to permit the systematic, bulk, repetitive and ongoing transfers comprised within the Data Transfers, where the transfers thereby effected would give rise to a breach of the essence of a fundamental right of EU/EEA users. No proportionality balancing exercise arises in that respect.

8.51 Meta Ireland submits that this reasoning is fundamentally flawed, as it amounts to an argument that Article 49 GDPR cannot be relied on for transfer to a country that lacks an “essentially equivalent” level of protection.

8.52 However, this is to misunderstand the position.

8.53 I accept that data can be transferred under the contractual necessity derogation to a third country that does not ensure a level of protection that is “essentially equivalent” to that guaranteed by the EU, but that nevertheless respects the “essence” of the fundamental rights arising, provided that transfer meets the requirements of Article 49(1)(b) GDPR and subject to the proportionality test in the second line of Article 52(1) of the Charter.

8.54 However, that is not the situation that arises here.

8.55 As I have observed, a finding by the CJEU that there has been an interference with the “essence” of a fundamental right is comparatively rare; it is the exception, not the rule. However, where such a finding is made by the CJEU – as it has been with respect to identified laws in the United States – I am required, in accordance with Article 52(1) of the Charter, to interpret and apply the Article 49 GDPR derogations, including the Article 49(1)(b) GDPR derogation, accordingly.

8.56 In those circumstances, I find that the contractual necessity derogation cannot be relied on to justify the Data Transfers.

8.57 Second, even if the proposed reliance on the contractual necessity derogation did not give rise to a breach of the essence of Article 47 of the Charter, I am satisfied that systematic, bulk, repetitive and ongoing transfers are not in any event permitted under Article 49(1)(b) GDPR.

8.58 In this regard, it is of note that Recital 111 of the GDPR describes transfers made in the context of the “contractual necessity” and “legal claims” derogations^[158] as being “occasional”. The EDPB Guidelines state – and I agree – that, in light of Recital 111, Articles 49(1)(b), (c) and (e) GDPR can be relied on to justify “occasional” transfers only.

8.59 Such an approach is unsurprising in circumstances where, as a general point of EU law, it is well-established that derogations are to be interpreted narrowly^[159], and any restrictions or derogations from the rights guaranteed in Articles 7 and 8 of the Charter will be permissible only insofar as “strictly necessary”.^[160] As the EDPB has correctly observed, and as held by the CJEU on many occasions^[161], such a position is necessary to avoid a situation in which the exception may become the rule.^[162]

8.60 Meta Ireland submits that the EDPB Guidelines are incorrect in that respect, and that this interpretation is incompatible with the terms of Article 49 GDPR. In making that submission, they rely, inter alia, on the following:

a. The non-binding nature of the preamble to EU measures;

b. The legislative history of Article 49 GDPR, and

c. Changes made to the EDPB Supplemental Measures Recommendations.

8.61 I have considered each of those arguments carefully. However, for the reasons set out below, I remain of the view that the EDPB guidelines are correct and that Article 49(1)(b) GDPR can justify “occasional” transfers only.

The non-binding nature of preambles

8.62 Meta Ireland argues that where the limitation on derogations under Article 49(1)(b) GDPR to “occasional” transfers is stated in Recital 111 of the GDPR only, and is not repeated in Article 49 GDPR, it has no effect.

8.63 It is acknowledged that the preamble to an EU law measure does not have the same status as an operative provision. Meta Ireland is correct that the preamble of an EU Act has no binding legal force and cannot be relied on as a ground for either derogating from the actual provisions of the act, or for interpreting those provisions in a matter that is clearly contrary to their wording. This is well established in the CJEU jurisprudence, including in the cases cited by Meta Ireland.

8.64 However, it is also well established that the recitals of an EU act: “may explain the content of the provisions of that act”, and that recitals “constitute important elements for the purposes of interpretation, which may clarify the intentions of the author of that act.”^[163]

8.65 In that respect, I note that in Case C-528/16 Confédération paysanne and Others EU:C:2018:583, the CJEU relied on Recital 17 of the GMO Release Directive^[164] to inform the limitations of a derogation under that Directive. Article 3(1) of the GMO Release Directive provides that the Directive shall not apply to organisms obtained through the techniques of genetic modification listed in Annex 1 B. One of the techniques listed in Annex 1 B is “mutagenesis”.

8.66 No limitation on the type of mutagenesis excluded from the scope of the Directive is contained in Article 3 or Annex 1 B. The CJEU nevertheless interpreted the limitations on the scope of that derogation in light of Recital 17, which provides:

8.67 In light of that Recital the CJEU held:

8.68 In reaching that conclusion the CJEU relied on, inter alia, the following:

a. That as “a provision derogating from the requirement to subject GMOs to the obligation laid down in the Directive”, Article 3(1), read in conjunction with Annex 1 B, “must be interpreted strictly”;^[165]

b. That for the purpose of interpreting a provision of EU law, it is necessary to consider not only its wording but also “the context in which it occurs and the objectives pursued by the rules of which it is part”;^[166]

c. That by “referring generally to mutagenesis”, that provision does not, on its own, “provide any conclusive guidance as to the types of techniques/methods that the EU legislature intended specifically to exclude from the scope of the directive”;^[167]

d. That the EU legislature set out in recital 17 “the conditions under which certain GMOs should be excluded from the scope of the Directive” and that, “accordingly, the scope of the derogation … must be determined in the light of the clarifications thus given by the EU legislature”;^[168] and

e. That an interpretation of the derogation that did not exclude techniques that had not conventionally been used in a number of applications and have a long safety record would fail to have regard to the intention of the EU legislature, reflected in recital 17, and would compromise the objective of the Directive.^[169]

8.69 I have also considered the authorities relied on by Meta Ireland. I accept that those authorities establish that a recital cannot be relied on to derogate from the actual provisions of the act in question, or to interpret those provisions in a manner that it clearly contrary to their wording. However, I do not accept that Recital 111 of the GDPR either derogates from Article 49(1)(b) GDPR or results in an interpretation of Article 49(1)(b) GDPR that is clearly contrary to its wording. Rather, recital 111 of the GDPR serves to clarify the scope of the derogation permitted under Article 49(1)(b) GDPR.

8.70 Further, I do not accept that the authorities cited by Meta Ireland require – or could justify – an interpretation of Article 49(1)(b) GDPR that ignores the clear legislative intent demonstrated in Recital 111 of the GDPR. The EU legislature set out in Recital 111 of the GDPR the conditions under which certain transfers should be excluded from the requirements in GDPR Chapter IV and “accordingly, the scope of the derogation … must be determined in the light of the clarifications thus given by the EU legislature.” I am satisfied that interpreting the limitations of the scope of Article 49(1)(b) GDPR in light of Recital 111 of the GDPR is entirely consistent with the approach taken by the CJEU in Confédération paysanne.^[170]

The legislative history

8.71 Meta Ireland also rely on the legislative history of the GDPR, in particular with respect to the insertion – or failure to insert – a limitation based on frequency or volume of transfers in Article 49 GDPR, other than with respect to the “legitimate interest” derogation.

8.72 I do not accept that this means that Article 49 GDPR should not be interpreted in light of Recital 111 of the GDPR. Regard must also be had to the legislative history of Recital 111 itself. I note, in that respect, that the requirement that transfers under the “contractual necessity” derogation be “occasional” was not included in the preamble to the Directive. Nor was included in the first proposal with respect to the GDPR. It was introduced during the GDPR legislative process and, in that respect, cannot be considered to be unintentional or inadvertent.^[171] On the contrary, it must be considered to represent the legislative intent with respect to the limitations of the scope of the derogation under Article 49(1)(b), (c) and (e) GDPR. I do not accept Meta Ireland’s submission that it should simply be disregarded.

Amendments to the EDPB Supplemental Measures Recommendations

8.73 Finally, I do not find Meta Ireland’s reliance^[172] on the amendments between the initial draft of the EDPB Supplemental Measures Recommendations and the final draft to be convincing. The text in the original draft reads:

8.74 The text in the amended draft reads:

8.75 A similar change was made later in the document.

8.76 It is uncontroversial – and has at all times been reflected in the EDPB Guidelines – that the reference to “occasional” in Recital 111 of the GDPR applies to sub-paragraphs (b), (c) and (e) of Article 49(1) GDPR only, and that the reference to “non-repetitive” applies to the “legitimate interest” derogation only. However, the well-established principle that a derogation cannot become “the rule” in practice, reflected in the final draft of the EDPB Regulations, applies to all Article 49 derogations. In those circumstances, I do not accept that the change in language can reasonably be interpreted as indicating that the EDPB has altered its clear and unequivocal position that the contractual necessity derogation under Article 49(1)(b) GDPR applies only with respect to “occasional” transfers. I am reinforced in that conclusion by the fact that the final EDPB Supplemental Measures Recommendations, which provide only a short reference to the Article 49 GDPR derogations, expressly refer the reader to the EDPB Guidelines for more detailed guidance on those derogations.^[175] That is not, in my view, consistent with Meta Ireland’s submission that the EDPB has changed its position on the relevance of Recital 111 of the GDPR.

8.77 I therefore do not accept Meta Ireland’s submission that the EDPB Guidelines misinterpret the scope of the derogation under Article 49(1)(b) GDPR. I am satisfied that Article 49(1)(b) GDPR can relied on to justify “occasional” transfers only.

8.78 Third, I note Meta Ireland’s emphasis on paragraph 202 of the Judgment, where the Court stated that the consequence of invalidating the Privacy Shield Decision “is not liable to create such a legal vacuum” on account of the derogations in Article 49 GDPR. I understand Meta Ireland to say that this observation is to be taken to mean that the Court considered that some or all of the derogations would be available to Meta Ireland.

8.79 In my view, that contention is not well-founded, either with respect to Article 49(1)(b) GDPR or otherwise, particularly in light of a number of other statements of principle contained elsewhere in the Judgment. In that regard, I consider that it is important to have regard to the Judgment in determining whether or not the derogations provided for at Article 49(1) GDPR – including the derogation at Article 49(1)(b) GDPR – are available to Meta Ireland for, or in connection with, the Data Transfers.

8.80 In particular, and whilst acknowledging that the point was made in the context of the Court’s analysis of Article 46 GDPR, it is nonetheless of significance that, at paragraph 92 of the Judgment, the CJEU observed that the baseline level of protection contemplated by Article 44 GDPR must be guaranteed irrespective of the particular transfer mechanism relied on to make a given transfer or set of transfers. The Court expressed this point in the following terms:

8.81 If the derogations at Article 49(1) GDPR – including Article 49(1)(b) GDPR – could properly be relied on by Meta Ireland as providing a lawful basis for the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US, such an outcome would not simply be in tension with the Court’s findings in the Judgment as they relate to US law (and, in particular, its finding to the effect that the Data Transfers give rise to a breach of the essence of the rights conferred on Meta Ireland’s users by Article 47 of the Charter), but would set those findings at nought.

8.82 Having regard to the Court’s statements in relation to the baseline level of protection applicable, uniformly, across all transfer methods provided for in Chapter V, and noting the Court’s statements (elsewhere in the Judgment) presaging the mandatory suspension or prohibition of transfers, to include, for example, that set out at paragraph 146 of the Judgment^[176], I am satisfied that the Court did not have it in mind that one or more of the derogations might conceivably be used, in effect, to side-step its core findings in relation to US law and, further, that, in the light of the Judgment, and having regard to all of the circumstances of the Data Transfers, any contention to the effect that one or more of the derogations – including Article 49(1)(b) GDPR – might be relied on to justify systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US, is not sustainable.

8.83 Having regard to the foregoing, it is my conclusion (and I so find) that Meta Ireland cannot rely on the “contractual necessity” derogation under Article 49(1)(b) GDPR to justify the systematic, bulk, repetitive and ongoing transfers comprised within the Data Transfers.

Article 49(1)(d) – the public interest derogation

8.84 Meta Ireland submits that, in the event that its position regarding reliance on Article 49(1)(b) GDPR is not accepted, it will rely on the public interest derogation under Article 49(1)(d) GDPR. It is my conclusion (and I so find) is that Meta Ireland cannot rely on Article 49(1)(d) GDPR to justify the Data Transfers, for broadly the same reasons it cannot rely on Article 49(1)(b) GDPR.

8.85 First, for the reasons set out above, with respect to Meta Ireland’s proposed reliance on Article 49(1)(b) GDPR, I do not accept that Article 49(1)(d) GDPR can be interpreted or applied so as to permit the systematic, bulk, repetitive and ongoing transfers comprised within the Data Transfers, where the transfers thereby effected would give rise to a breach of the essence of the fundamental rights of EU/EEA users. No balancing exercise arises in that respect.

8.86 For the avoidance of doubt, I again clarify that the reason no balancing exercise arises is because permitting Meta Ireland to rely on the derogation under Article 49(1)(d) GDPR to justify the Data Transfers would not respect the “essence” of the rights guaranteed by Article 47 of the Charter. Were reliance to be placed on Article 49(1)(d) GDPR to make transfers to a third country that does not satisfy the “essential equivalence” standard, but that nevertheless respects the “essence” of the rights guaranteed by the Charter, I accept it would be necessary to engage in a balancing exercise under the second sentence of Article 52(1) of the Charter, having regard in particular to the public interests relied on. However, that is not the situation here.

8.87 Second, I am in any event satisfied that Article 49(1)(d) GDPR cannot be relied upon to justify the systematic, bulk, repetitive and ongoing transfers comprised within the Data Transfers. Whilst it is acknowledged that Recital 111 of the GDPR does not explicitly state that the derogation at Article 49(1)(d) GDPR^[177] is to apply solely to “occasional” and/or “non-repetitive” transfers, I note and agree with the following observations made by the EDPB:

8.88 Again, that conclusion is supported by the well-established principle that derogations must be interpreted strictly, and cannot be interpreted so as to allow the exception provided by the derogation to replace the rule established by the EU measure. The case for a narrow interpretation of the derogations in Article 49(1) GDPR is reinforced by the wording of the title to Article 49 GDPR itself, which indicates that the derogations are to be used for “specific situations”.^[179]

8.89 Third, I again note that if the derogations at Article 49(1) GDPR – including the derogation at Article 49(1)(d) GDPR – could properly be relied on by Meta Ireland as providing a lawful basis for the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US, such an outcome would not simply be in tension with the Court’s findings in the Judgment as they relate to US law, but would set those findings at nought. Again, I am of the view that this supports an interpretation of Article 49(1)(d) GDPR that does not permit the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US.

8.90 Accordingly, I am satisfied that it is not open to Meta Ireland to rely on the derogation at Article 49(1)(d) GDPR in the context (or for the purpose of) systematic, bulk, repetitive and ongoing transfers of its users’ data from the EU to the US.

Article 49(1)(a) – Explicit consent

8.91 Finally, Meta Ireland indicates that, to the extent that its reliance on Article 49(1)(b) and (d) GDPR is not accepted, “it would likely seek to obtain and rely upon the explicit consent” of EU/EEA users to the Data Transfers.

8.92 As will be apparent, Meta Ireland has not in fact obtained the explicit consent of EU/EEA users to any of the Data Transfers at this point. It follows, therefore, (and I so find), that Meta Ireland cannot rely on the derogation under Article 49(1)(a) GDPR to justify the Data Transfers.

8.93 Whether Meta Ireland could rely on Article 49(1)(a) GDPR to justify any of the Data Transfers in the future, if it were to obtain the explicit consent of EU/EEA users, cannot be determined in the abstract.

8.94 I have, nonetheless, carefully considered Meta Ireland’s submissions on this issue and, in so doing, I have identified a number of points of principle on which I believe I can and, indeed, should, set out my views at this point.^[180]

8.95 In that regard, I acknowledge that Article 8 of the Charter recognises the importance of consent, with respect to the processing of data. I further recognise that Recital 7 of the GDPR states that “Natural persons should have control of their own personal data”.

8.96 I also accept, as a matter of principle, and having regard to the foregoing, that it may be possible for reliance to be placed on Article 49(1)(a) GDPR to justify a transfer or set of transfers to the US, where all of the requirements of that sub-article are complied with.

8.97 Although identified legislation in the United States does not respect the “essence” of Article 47 Charter rights, I accept that that does not necessarily or automatically mean that a derogation that permits a specific transfer of data to the United States, subject to explicit and fully informed consent in accordance with Article 49(1)(a) GDPR, will interfere with the “essence” of that fundamental right.

8.98 This is because, in order to obtain explicit consent under Article 49(1)(a) GDPR to “the proposed transfer”, it is necessary that the data subject is “informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.

8.99 In the context of transfers to the United States, this would require that the data subject be informed, in addition to the information that would be provided for ‘normal’ consent, inter alia: (i) that the data will not be subject to equivalent protection to that afforded by Article 7 and Article 8 of the Charter, (ii) that identified laws in the United States interfere with the essence of Article 47 Charter rights with respect to that data, and (iii) of the possible risks of the proposed transfer to the data subject.^[181] If explicit and fully informed consent in accordance with Article 49(1)(a) GDPR is obtained from the data subject to “the proposed transfer”, and therefore to that interference with his or her Article 47 Charter rights, I accept in principle that such a transfer cannot be said to interfere with the “essence” of that data subject’s right under Article 47 of the Charter.

8.100 However, I note that it is unclear how, on a practical level, Meta Ireland could justify all of the Data Transfers based on Article 49(1)(a) GDPR in the event that it sought to put in place a scheme by which the explicit consent of EU/EEA Users to any proposed transfer of their personal data to the United States was obtained, sufficient to meet the requirements laid down in Article 49(1)(a) GDPR and elsewhere in the GDPR. In particular, it is my preliminary view that a single consent by an EU/EEA data subject could not be sufficient to justify any and all future transfers of that user’s personal data to the US.

8.101 In that regard, there is a high threshold for obtaining any consent under the GDPR.^[182] The threshold for obtaining consent under Article 49(1)(a) GDPR is even higher. In particular:

a. The data subject must have “explicitly consented” to “the proposed transfer”, and

b. The data subject must have been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.

8.102 The requirement that consent be “explicit” for the “contractual necessity” derogation is newly introduced in the GDPR, and raises the threshold with respect to the quality of consent as compared to the equivalent derogation in the Directive, which required only that the consent be “unambiguous”.

8.103 My preliminary view is that the requirement that consent be “explicit” and that it relate to “the proposed transfer” precludes a single consent being obtained for ongoing data transfers and/or different sets of transfers. I am also of the view that seeking a single consent for ongoing data transfers and/or different sets of transfers is not compatible with the obligation to inform the data subject of the possible risks of the transfers being made. Further, interpreting Article 49(1)(a) GDPR to allow such an approach would be inconsistent with the well-established principle that derogations must be interpreted narrowly, and the exception must not be permitted to become the rule, and would again be to set the decision of the CJEU in the Judgment at naught.

8.104 Finally, and for completeness, I also note in this regard – and agree with – the statement in the EDPB Guidelines that:

The Balance of the Derogations

8.105 Meta Ireland has not sought to rely on the balance of the derogations at Article 49 GDPR. It follows, therefore, that no issue arises for determination in relation thereto. For completeness, however, I would observe that it would not appear to be open to Meta Ireland to rely on those other derogations, when it is not clear how they could be engaged in connection with the Data Transfers in the first place, and where, in any event, broadly the same reasons as those set out above in connection with the derogations at Article 49(1)(b) and (d) GDPR would also appear to apply the remaining derogations cited within that Article.

Conclusion and Finding

8.106 In light of the foregoing, I find that it is not open to Meta Ireland to rely on the derogations at Article 49(1) GDPR (or any of them) to justify the systematic, bulk, repetitive and ongoing transfer of users’ data from the EU to the US.

9.1 It is my view that, for the reasons outlined below, it is necessary to exercise corrective powers in order to address the infringement identified above and that, in all the circumstances, it is appropriate, necessary and proportionate to order the suspension of the Data Transfers pursuant to Article 58(2)(j) GDPR.

Obligation of an EU controller or processor to suspend EU/US data transfers

9.2 The responsibility to ensure that data transfers are only made in circumstances in which a level of protection is ensured that is essentially equivalent to that provided by the GDPR, read in light of the Charter, falls in the first instance on the EU controller or processor.

9.3 In particular, the CJEU held in the Judgment that, where a controller or a processor established in the EU is not able to take adequate additional measures to guarantee the required protection, the controller or processor “or, failing that, the competent supervisory authority” are required to suspend or end the transfer of personal data to the third country concerned.^[183]

9.4 Significantly, the CJEU added that: “[t]his is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data”.^[184]

9.5 The CJEU also observed that:

“[i]n the light of the requirements of Article 46(1) and (2)(c) of the GDPR, read in the light of Articles 7 and 8 of the Charter, the controller is bound to suspend the transfer of data and/or to terminate the contract where the recipient is not, or is no longer, able to comply with the standard data protection clauses. Unless the controller does so, it will be in breach of its obligations under Clause 4(a) in the annex to the SCC Decision as interpreted in the light of the GDPR and of the Charter.”^[185]

9.6 The Advocate General also referred to the obligation on the controller to suspend the proposed transfer.^[186]

9.7 The EDPB Supplemental Measures Recommendations likewise identify the obligation to suspend or end the transfer of personal data in such circumstances.^[187]

9.8 Thus, it is only where the EU controller fails to guarantee the required protection, that the supervisory authority is required to take action. Furthermore, the corrective measure chosen by the DPC must be viewed in light of Meta Ireland’s obligations in this regard.

Corrective Measure

9.9 For the reasons set out above, and having considered the relevant circumstances of the Data Transfers, to include, inter alia, the “factors” assessment and Record of Safeguards contained in the TIA, I am satisfied that:

(1) US law does not provide a level of protection that is essentially equivalent to that provided by EU law;

(2) Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law;

(3) Those of the measures set out in the Record of Safeguards that forms part of the TIA that are presented or characterised as supplemental to the measures for which provision is made in the 2010 SCCs and/or 2021 SCCs, do not compensate for the inadequate protection provided by US law; and

(4) It is not open to Meta Ireland to rely on the derogations provided for at Article 49(1) GDPR (or any of them) when making the Data Transfers.

9.10 Accordingly, I have found that, in making the Data Transfers, Meta Ireland is infringing Article 46(1) GDPR.

9.11 I also note Meta Ireland’s reference to the EDPB statement that supervisory authorities are: “required to assess individual cases, either ex officio or following a complaint, and to either refer the case to a national Court if they suspect that the transfer does not comply with Article 45 where there is an adequacy decision, or to suspend or prohibit the transfer if they find Article 46 GDPR cannot be complied with and the protection of the data transferred required by EU law cannot be ensured by other means”.^[188]

9.12 I agree with this statement.

9.13 I also note that Meta Ireland appears to suggest that suspension of data transfers is not required in all cases where there is non-compliance with Article 46 GDPR. As a general point, I agree with this, but only where protection can be “ensured by other means”. I am not satisfied that such “other means” have been demonstrated by Meta Ireland.

9.14 Given that the Data Transfers have not been suspended or ended by Meta Ireland, the DPC has available to it a range of corrective powers under Article 58(2) GDPR.

9.15 I accept Meta Ireland’s submission that the DPC is required to exercise any corrective power in a manner that is “appropriate, necessary and proportionate”^[189], taking into account the circumstances of the individual case.

9.16 However, I do not accept Meta Ireland’s submission regarding the nature of the proportionality assessment required in the context of exercising a corrective power. Meta Ireland correctly notes that the need to balance the right to the protection of personal data against other fundamental rights is expressly recognised in Recital 4 GDPR. However, Meta Ireland submits that a further such balancing of rights is required by Recital 129 GDPR, after an infringement of the GDPR has already been established and corrective measures are being considered. Meta Ireland therefore submits that the DPC must conduct the balancing exercise both when interpreting the provisions of the GDPR (e.g., Article 49 GDPR) and when considering the use of corrective powers.^[190] Meta Ireland submits that it cannot be said that the GDPR itself incorporates the relevant balancing exercise, even if Meta Ireland acknowledges that Recital 4 GDPR supports such an interpretation.^[191] I do not accept Meta Ireland’s submissions in this regard.

9.17 Recital 4 GDPR provides that the right to the protection of personal data must be “balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”

9.18 The analysis of whether Article 46 GDPR has been breached is conducted within the framework of the GDPR and as such, insofar as appropriate, relevant fundamental rights are balanced accordingly.^[192] I have determined that Article 46 GDPR has been (and is being) breached. That determination is the product of, inter alia, a proportionality-based assessment embedded in the legislative scheme.

9.19 Meta Ireland submits that, notwithstanding this determination, a further balancing of rights must take place before a corrective measure is adopted. In particular, Meta Ireland submits that a suspension order would be wholly disproportionate to furthering the aim of protecting users against any “practical risk of undue interference” with their data protection rights.^[193] This submission overlooks the fact that the relevant balancing exercise has (insofar as required) taken place and it effectively seeks to avoid the consequences of the determination that Article 46 GDPR has been breached.

9.20 In support of this submission, Meta Ireland refers also to the requirement to reconcile the right to the protection of personal data with the right to freedom of expression and information. However, this requirement is embedded into the scheme of the GDPR, rather than required as part of an assessment for the purposes of Article 58(2) GDPR. Section 43 of the 2018 Act, which gives effect to this requirement, provides for an exemption from compliance with a broad range of provisions of the GDPR where compliance would be incompatible with the said rights.

9.21 Instead, what is required when considering the adoption of corrective measures under Article 58(2) GDPR is an assessment of what is “appropriate, necessary and proportionate in view of ensuring compliance with” the GDPR.^[194] To conduct a further balancing of rights as suggested by Meta Ireland would not be appropriate at this stage as it carries with it the possibility that an infringement of the GDPR would be permitted to continue. The assessment of whether there has been a breach of the GDPR will have already taken place prior to consideration of the appropriate corrective measure. Under the proper legislative scheme, once the breach has been established, it is for the supervisory authority to adopt those corrective measures (if any) which are appropriate and necessary to ensure compliance with the GDPR, but which are also proportionate to the relevant infringement.

9.22 If the imposition of a corrective measure required to ensure compliance with the GDPR were subject to the kind of proportionality assessment put forward by Meta Ireland – and thereby potentially allowed the breach to continue – the general legislative scheme and policy would be significantly undermined. Meta Ireland submits that an appropriate and proportionate corrective measure in the circumstances is something less than suspension of the Data Transfers, but that cannot be so if it permits the ongoing infringement of the GDPR.

9.23 It is my view that the corrective measure I have determined to apply – suspension of the Data Transfers – is necessary but no more than necessary in order to ensure compliance with the GDPR. As stated in the Judgment, if “a supervisory authority takes the view, following an investigation, that a data subject whose personal data have been transferred to a third country is not afforded an adequate level of protection in that country, it is required, under EU law, to take appropriate action in order to remedy any findings of inadequacy, irrespective of the reason for, or nature of, that inadequacy.”^[195]

9.24 In such circumstances, although it is for the DPC to “determine which action is appropriate and necessary and take into consideration all the circumstances of the transfer of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”^[196] The DPC is therefore required to take appropriate action in order to remedy the identified (and ongoing) breach of Article 46 GDPR.

9.25 In all the circumstances, I am satisfied that it is appropriate, necessary and proportionate to invoke the power under Article 58(2)(j) GDPR to order the suspension of the Data Transfers. It also clearly emerges from the Judgment that, in circumstances such as these, it is appropriate for a supervisory authority such as the DPC to suspend or end invalid data transfers.

9.26 In that regard, the CJEU endorsed the observation of the Advocate General in his Opinion^[197] that the supervisory authority is required, under Article 58(2)(f) and (j) GDPR, to suspend or prohibit a transfer of personal data to a third country if, in its view, in the light of all the circumstances of that transfer, the 2010 SCCs are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.^[198]

9.27 I accept Meta Ireland’s submission that the CJEU stated in the Judgment (at paragraph 113) that supervisory authorities should suspend any data transfer if “in light of all the circumstances of that transfer, the standard data protection clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means”. I have considered all of the relevant circumstances of the Data Transfers above, in Section 6, and have reached my view on the appropriate corrective measure accordingly.

9.28 Insofar as I am required to exercise any corrective power in a manner that is “appropriate, necessary and proportionate”, taking into account the circumstances of the individual case, I consider that the following points arise in the particular circumstances of the present case:

(1) In the Judgment, the CJEU has made findings to the effect that certain of the infringements it identified (most notably those relating to the absence of any effective remedy^[199]), give rise to a breach of the essence of a fundamental right, namely, the fundamental right to effective judicial protection, as protected by Article 47 of the Charter.

(2) Where a measure compromises the essence of a fundamental right, it is per se incompatible with the Charter, without there being a need to carry out a balancing exercise between such competing interests (if any) as may also be engaged.

(3) In the circumstances, and noting Meta Ireland’s position that, if it cannot make the Data Transfers, it would not be in a position to maintain the provision of its services in the EU/EEA, the exercise of any corrective power other than one directing the temporary or permanent cessation of the offending transfers would result in a situation where the essence of a fundamental right of Users would be compromised on an ongoing and indefinite basis. On no view could such an outcome, the upshot of which would be to set Users’ rights under Article 47 of the Charter at nought, be considered acceptable, much less permissible under law.

(4) That view is not undermined by any of the factors identified at Part G, paragraph 2.20 of the Response to the PDD, or any of the impacts identified at paragraphs 3.4 through 3.11 thereof.

(5) As I have noted above, the Court has made clear in its Judgment^[200] that, if, in a case where a transfer of personal data to a third country is not subject to an adequacy decision, a competent supervisory authority comes to the view that, in the light of all the circumstances of the transfer in question, the SCCs are not or cannot be complied with in that third country, and where (as here) the protection of the data transfers that is required by EU law cannot be ensured by other means, the competent supervisory authority is required, under Article 58(2)(f) and (j) GDPR, to suspend or prohibit such transfer.

9.29 It is accepted that, consistent with the requirement that any corrective measure be appropriate, necessary and proportionate, where “there is a choice between several appropriate measures recourse must be had to the least onerous”.^[201] It is important to note that the appropriateness of the relevant measures is determined by reference to the objective to be achieved. In this instance, the objective is to ensure compliance with the GDPR in circumstances where, in making the Data Transfers, Meta Ireland has (from the date of delivery of the Judgment on 16 July 2020), infringed, and is presently infringing, Article 46 GDPR.

9.30 I expressed the view, in the Draft Decision, that it was clear (and the relevant principles also emerge clearly from the Judgment) that the only corrective measures that are adequate to achieve the said objective are the banning or suspension of the Data Transfers. Accordingly, I noted my view, in the Draft Decision, that the DPC had a choice between two appropriate measures, and the DPC chose, in the Draft Decision, to order the suspension of the Data Transfers because that is the least onerous measure that ensures compliance with the GDPR. Such other measures as suggested by Meta Ireland do not ensure compliance with the GDPR.

9.31 It is submitted by Meta Ireland that the suspension order is disproportionate in circumstances where the DPC ought first to engage with Meta Ireland and explore what steps and actions might be adopted in order to make the Data Transfers compliant with Chapter V GDPR.^[202] It is respectfully observed that an appropriate level of engagement has already taken place and Meta Ireland has had sufficient opportunity to satisfy the DPC regarding compliance.

9.32 Meta Ireland also relies on the observation of the DPC that a suspension order is more appropriate than a ban because, if measures become available to make the Data Transfers compliant, then the suspension could be re-considered. Meta Ireland submits that if such measures are capable of addressing the deficiencies, it must be afforded the opportunity to implement them prior to finalising any decision to suspend the Data Transfers.^[203] However, it must be observed that Meta Ireland has not made any such proposals in the course of the Inquiry and that one of the purposes of the suspension order is to keep that opportunity open. In the circumstances, I neither agree nor accept that I am obliged, in effect, to stay the making of a decision to afford Meta Ireland a further opportunity to make fresh proposals in terms of achieving compliance with the requirements of the GDPR as they apply to the Data Transfers.

9.33 I also note the submission by Meta Ireland that to proceed with the suspension order at a point in time when an agreement in principle is said to have been reached between the European Commission and the USG regarding a new framework for transatlantic data flows would be inappropriate, unnecessary and disproportionate.^[204] However, I do not accept that submission in circumstances where the DPC is under an obligation to give effect to the law as it currently stands^[205].

9.34 Part D of the Response to the PDD sets out in detail Meta Ireland’s views on the many rights that are engaged and, in Meta Ireland’s view, promoted by the Data Transfers.

9.35 The DPC accepts that Users can avail themselves of the Facebook Service to engage in:

(1) Freedom of expression; =

(2) The right to respect for private and family life; (3) The freedom to conduct a business; (4) Freedom of thought, conscience and religion; and (5) Freedom of the arts and sciences.^[206]

9.36 It is also accepted that Meta Ireland enjoys freedom conduct a business and to “peaceful enjoyment of [its] possessions”.^[207]

9.37 I do not accept, however, that the other rights to which reference is made above would be “severely adversely impacted” if the Data Transfers were suspended such that, on the basis of a proportionality-balancing exercise, it necessarily follows that a suspension of the Data Transfers would be disproportionate.^[208] In answer to criticisms levelled in Meta Ireland’s Response to the RPDD (at Part D, Section 4), I would note that such an analysis assumes, not just that a proportionality-balancing exercise is required (it is not) but also that the suspension of the Data Transfers can properly be identified (and has been established as) the proximate cause of any such adverse impact (it has not).

9.38 I also note the reference of the CJEU in Privacy International (at paragraph 72) to the fact that:

“ … the transmission of traffic data and location data to public authorities for security purposes is liable, in itself, to infringe the right to respect for communications, enshrined in Article 7 of the Charter, and to deter users of means of electronic communication from exercising their freedom of expression, guaranteed in Article 11 of the Charter. Such deterrence may affect, in particular, persons whose communications are subject, according to national rules, to the obligation of professional secrecy and whistle-blowers whose actions are protected by Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (OJ 2019 L 305, p. 17). Moreover, that deterrent effect is all the more serious given the quantity and breadth of the data retained (see, to that effect, judgments of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 28; of 21 December 2016, Tele2, C‑203/15 and C‑698/15, EU:C:2016:970, paragraph 101; and of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, paragraph 118).”

9.39 It is of note that, in the present case, the deficiencies in US law themselves have an impact in undermining the protection afforded to the other fundamental rights to which Meta Ireland refers.

9.40 Additionally, it is of note, not just that an order directing the suspension of the Data Transfers would not be targeted at the suite of “other” rights identified by Meta Ireland in its Response to the PDD, but that, on Meta Ireland’s own case, any compromising of those other rights would arise as a result of the architecture of the systems developed and deployed by Meta Ireland in the delivery of its services. In that regard, it is noted that Meta Ireland makes the point that, at least in their current configuration, its systems do not and/or cannot make provision for the delivery of its services in the EU/EEA without the Data Transfers.

9.41 In any event, the critical issues here are that the deficiencies in US law identified by the CJEU have not been addressed by the SCCs or supplemental measures, that a derogation under Article 49(1) GDPR is not available to Meta Ireland, and that the Data Transfers have been found to give rise to a breach of the essence of one or more fundamental rights.

9.42 Given the circumstances of the Data Transfers and all of the other factors outlined above, and having considered the provisions of Article 83(2) GDPR, I am satisfied, and I so find that a suspension of data transfers is appropriate and proportionate.

9.43 In this respect, I regard as relevant:

(1) The importance of the rights at issue, namely Articles 7, 8 and 47 of the Charter;

(2) The very clear inadequacies in US law identified by the CJEU;

(3) The fact that neither the 2010 SCCs nor the 2021 SCCs can compensate for those inadequacies;

(4) Those of the measures set out in the Record of Safeguards that forms part of the TIA that are presented or characterised as supplemental to the measures for which provision is made in the 2010 SCCs and/or 2021 SCCs, do not compensate for the inadequate protection provided by US law;

(5) The fact that it is not open to Meta Ireland to rely on the derogations provided for at Article 49(1) GDPR (or any of them) when making the Data Transfers;

(6) The clear emphasis in the Judgment on suspension and banning of data transfers in circumstances such as those arising here; and

(7) The fact that suspension is necessary to ensure that the ongoing interferences with the rights of data subjects (to include a breach of the essence of certain of those rights) are brought to an end as soon as possible.

9.44 I note that Meta Ireland criticises the DPC for relying “almost exclusively on statements in the CJEU Judgment” in adopting a preliminary view in the PDD that suspension would be appropriate.^[209] This is not accepted.

9.45 I therefore find that it is appropriate that the Data Transfers be suspended pursuant to my powers under Article 58(2)(j) GDPR.

9.46 For completeness, I clarified, in the Draft Decision, that I did not propose to impose a permanent ban on the Data Transfers, recognising that new measures, not currently in operation, may yet be capable of being developed and implemented by Meta Ireland and/or Meta US to compensate for the deficiencies identified herein. I noted, in the Draft Decision, that if that situation were to arise, I would then be in a position to reconsider the suspension. I concluded, in the Draft Decision, that suspension therefore appeared to me to be a proportionate response in all the circumstances, and one that was more appropriate than (for example) an order directing Meta Ireland to bring its processing operations as they relate to the Data Transfers into compliance with the requirements set out in Chapter V of the GDPR, read in the light of the Charter. In that regard, I noted again, in the Draft Decision, Meta Ireland’s stated position that, if it cannot make the Data Transfers, it would not be in a position to provide its services in the EU/EEA.

9.47 I also had regard, in the Draft Decision, to the DPC’s power to impose an administrative fine, whether in addition to, or instead of, any of the other measures set out in Article 58(2) GDPR. In that regard, I carefully considered the criteria set out in Article 83(2)(a)–(k) GDPR.

9.48 I expressed the view, in the Draft Decision, that the imposition of an administrative fine in addition to an order directing the suspension of the Data Transfers would not be "effective, proportionate and dissuasive.” I noted, in this regard, that the critical feature of the Draft Decision, and the corrective measure for which it made provision, was that data transfers which were found to be unlawful would cease. That is to say, it is the compelled cessation of the Data Transfers that will right the particular wrongs identified. Against that backdrop, I expressed the view, in the Draft Decision, that the imposition of an administrative fine would not render the DPC’s response to the findings of unlawfulness any more effective. Nor did I consider that, in the particular circumstances of this case, or in relation to transfers generally, the imposition of an administrative fine on top of the suspension would have any meaningful dissuasive effect, particularly when set against the consequences said to attach to an order directing the suspension of transfers. I also expressed concern, in the Draft Decision, that the imposition of an administrative fine would be disproportionate, both having regard to the consequences attaching to an order directing suspension of transfers but also because it is ultimately through the Judgment that a series of complex legal issues relating to the Data Transfers have been resolved, and where, in the interim, I considered that the Data Transfers were being effected, in good faith, under and by reference to transfer mechanisms provided for at law.

9.49 I also considered, in the Draft Decision, whether it could be said to be “appropriate, necessary and proportionate” to direct Meta Ireland to procure the return and/or deletion of some or of all the personal data that has already been transferred to Meta US. I expressed the view that the making of an order directing the bulk return and/or deletion of all transferred data from an identified point in time would be excessive. In having expressed this view, however, I made it clear that it must (and will) be open to any individual user to exercise the rights conferred on them by Chapter III of the GDPR, in accordance with the law, and to the fullest extent.

9.50 Further to the circulation of the Draft Decision to the CSAs, for the purpose of the Article 60 Process, objections to the conclusions proposed by this Section 9 were raised by the supervisory authorities of Austria, Spain, France and Hamburg (acting on behalf of all German SAs). Those objections expressed disagreement with my view that it would not be appropriate, proportionate or necessary to direct Meta Ireland to procure the return and/or deletion of some or all of the personal data that has already been transferred to Meta US (“the Deletion or Return Objections”). They further expressed disagreement with my view that the imposition of an administrative fine would not, in the particular circumstances of this inquiry, be effective, proportionate or dissuasive (“the Administrative Fine Objections”). In relation to the Deletion or Return Objections, the EDPB determined as follows:

9.51 Accordingly, and as directed by the EDPB further to the Article 65 Decision, I have included, in Section 10, below, an order requiring Meta Ireland to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within the period of 6 (six) months from the date on which this Decision is notified to Meta Ireland (“the Cessation Order”). I note, in this regard, that neither the CSAs (by way of the Deletion or Return Objections or otherwise) nor the EDPB expressed disagreement with my view, set out at paragraph 9.46 above, that “new measures, not currently in operation, may yet be capable of being developed and implemented by Meta Ireland and/or Meta US to compensate for the deficiencies identified herein”. While that view was expressed in the context of the suspension order that was proposed by the DPC in the Draft Decision (and which is reflected in Section 10, below), it applies equally to the Cessation Order. Accordingly, and for the sake of clarity and legal certainty, the orders specified in Section 10, below, will remain effective unless and until the matters giving rise to the finding of infringement of Article 46(1) GDPR have been resolved, including by way of new measures, not currently in operation, such as the possible future adoption of a relevant adequacy decision by the European Commission pursuant to Article 45 GDPR.

9.52 For the sake of completeness, I note that Meta Ireland indicated^[210] its expectation that, as regards the deadline for compliance with the Cessation Order, the DPC would “word” the deadline for compliance in similar terms to the deadline applicable to the suspension order that was proposed by the DPC in the Draft Decision (and which is reflected in Section 10, below). The applicable enforcement period is a period of 12 weeks, which commences after the expiry of specified statutory limitation periods. The EDPB gave consideration, during the Article 65 Process, to the possibility of formulating the timeline for compliance with the Cessation Order in a manner which aligned to the approach taken by the DPC, as regards the date on which the timeline for compliance would commence. The EDPB ultimately decided against this approach and instead determined that the applicable deadline for compliance (with Cessation Order) should commence immediately upon the notification of this Decision to Meta Ireland. In circumstances where the Article 65 Decision is binding upon the DPC (and all CSAs), it is not open to me to take account of Meta Ireland’s request to reformulate the date of commencement in respect of the Cessation Order compliance period.

9.53 In relation to the Administrative Fine Objections that were raised by the CSAs during the Article 60 GDPR consultation period, the EDPB determined as follows:

On the nature, gravity and duration of the infringement (Article 83(2)(a) GDPR)

On the intentional or negligent character of the infringement (Article 83(2)(b) GDPR)

On the degree of responsibility of the controller taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32 (Article 83(2)(d) GDPR)

Any relevant previous infringements by the controller (Article 83(2)(e) GDPR)

On the categories of personal data affected by the infringement (Article 83(2)(g) GDPR)

On the manner in which the infringement became known to the supervisory authorities (Article 83(2)(h) GDPR)

On any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement (Article 83(2)(k) GDPR)

The application of the criteria under Article 83(1) GDPR, in particular proportionality

Conclusion

9.54 Article 83(2) GDPR provides that: “(w)hen deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to [the criteria described in Article 83(2)(a) to (k)]”. In this regard, paragraph 88 of the Article 65 Decision records the EDPB’s position that:

9.55 The EDPB reiterates the position at paragraph 171 of the Article 65 Decision:

9.56 It is therefore clear that, when calculating the amount of the administrative fine to be imposed, I must do so by reference to the assessments and determinations made by the EDPB for the purpose of Article 83 GPDR. Section 4.2.2 of the Article 65 Decision records the assessments, conclusions and determinations of the EDPB on the application of the Article 83(2) GDPR criteria to the particular circumstances of this case. Insofar as the Article 65 Decision records a clear and unequivocal determination of the EDPB concerning any aspect of the Article 83(2) GDPR assessment, the DPC cannot look behind that determination and is bound to apply it when calculating the quantum of the administrative fine to be imposed. This obligation arises as a result of the nature of the Article 65 Decision which, pursuant to Article 65(2) GDPR, is binding on the DPC and all CSAs. Where the Article 65 Decision does not record a clear and unequivocal determination of the EDPB on any aspect of the Article 83 GDPR assessment, the DPC must exercise its own discretion. In any such case, the DPC must ensure to exercise its discretion in a manner that is consistent with the views that have been expressed by the EDPB in the Article 65 Decision. This obligation arises further to Article 65(6) GDPR, which requires the DPC to adopt its final decision “on the basis of” the EDPB’s binding decision.

9.57 Against the background of the above, the following reflects the basis upon which the DPC will calculate the amount of the administrative fine to be imposed, by reference to the criteria set out in Article 83(2) GDPR, and the requirement, set out in Article 83(1) GDPR, for administrative fines to be “effective, proportionate and dissuasive” by reference to the circumstances of each individual case.

Meta Ireland’s Final Submissions

9.58 By way of an annex to a letter dated 28 April 2023 (“the Annex”), the DPC invited Meta Ireland to exercise its right to be heard in response to the assessment set out below. Meta Ireland subsequently sought clarification, by way of letter dated 2 May 2023, in relation to the extent to which the DPC considered that it had the ability to exercise its own discretion on the matters identified in the Annex. The DPC confirmed, by way of letter dated 3 May 2023, that it only had the ability to exercise its own discretion insofar as the relevant aspect of the Article 83 GDPR assessment was not the subject of a clear and unequivocal determination of the EDPB. Meta Ireland furnished its final submissions, responding to the DPC’s provisional Article 83 GDPR assessment on 8 May 2023 (“the Final Submissions”).

9.59 The Final Submissions included a range of “preliminary objections”^[211], under the following headings:

- “Breach of the right to be heard”

- “Excess of competence by the EDPB”

- “Application of the Draft Fining Guidelines”

9.60 The submissions made pursuant to these headings concern matters that have been determined by the EDPB itself, as part of the Article 65 process. As already outlined, the binding nature of an Article 65 decision and the clear and unequivocal nature of many of the determinations set out in the Article 65 Decision preclude the DPC from being able to take account of these particular submissions in the context of this decision (i.e. the final decision of the DPC).

9.61 Otherwise, I have incorporated a summary of any submissions made by Meta Ireland within the relevant aspect of the Article 83 GDPR assessment, below.

The Article 83(2) Assessment: “the processing concerned”

9.62 For the purpose of the following assessment, “the processing concerned” should be understood as meaning the transfer of personal data under the controllership of Meta Ireland, from the EU/EEA to Meta Ireland’s processor in the United States of America for the purposes of providing the Facebook service to its users. For ease of reference, the term “the Infringement” is used throughout the following assessment to denote the infringement of Article 46(1) GDPR.

Article 83(2)(a): the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them Nature and Gravity of the Infringement

9.63 Paragraphs 90 and 91 of the Article 65 Decision record the EDPB’s assessment that:

Nature, Scope and Purpose of the Processing

9.64 Paragraph 92 of the Article 65 Decision records the EDPB’s assessment that:

Number of data subjects affected by the Infringement

9.65 Paragraphs 93 – 96 of the Article 65 Decision record the EDPB’s assessment that:

Duration of the Infringement

9.66 Paragraphs 97 – 99 of the Article 65 Decision records the EDPB’s assessment that:

9.67 At paragraph 99 of the Article 65 Decision, the EDPB records its conclusion as follows:

Article 83(2)(b): intentional or negligent character of the infringement

9.68 Paragraphs 103 – 115 of the Article 65 Decision record the EDPB’s assessment of this aspect of matters:

Article 83(2)(c): any action taken by the controller to mitigate the damage suffered by data subjects

9.69 The EDPB (in the Article 65 Decision) has not addressed this aspect of matters. In the Annex, I noted that Meta Ireland, throughout the course of the inquiry, considered that the processing concerned was being carried out on a lawful basis. That being the case, I considered that it followed that Meta Ireland could not have been expected to take action “to mitigate the damage suffered by data subjects” in circumstances where it did not consider any infringement to have occurred or any damage to have been suffered by data subjects. In the circumstances, I expressed the view, in the Annex, that nothing arises for consideration under this heading.

9.70 By way of the Final Submissions, Meta Ireland submitted^[212] that:

9.71 In relation to the suggestion that the DPC failed to take account of “Meta Ireland’s full cooperation with the DPC throughout the inquiry”, I will address this submission as part of the Article 83(2)(f) assessment, below.

9.72 In terms of the identified actions that were voluntarily undertaken by Meta Ireland “to assist Meta Ireland users following Schrems II”, my views are as follows: in relation to the provision, to Users, of “a significant amount of additional information about the Data Transfers beyond that required by Article 13(1)(f) GDPR” (“the Additional Information”), I note that the assessment required to be undertaken, pursuant to Article 83(2)(c) GDPR, is the assessment of “any action taken by the controller … to mitigate the damage suffered by data subjects”.

9.73 The Article 65 Decision does not address the “damage suffered by data subjects” as a result of the Infringement. It does, however, detail the EDPB’s views, as regards the risks to the fundamental rights and freedoms of data subjects arising from the Infringement. At paragraph 122 of the Article 65 Decision, the EDPB records its view that the Data Transfers result in “a high residual risk for the rights and freedoms of the data subjects concerned, because, as highlighted [in the Draft Decision], data subjects are still not protected against 702 FISA DOWNSTREAM (PRISM) requests and Meta US would still be required to disclose its users’ personal data, if requested by the US Government”. Considering the damage that might flow from this risk, if materialised, it seems clear that the resulting damage (where the risk to materialise) would comprise, at least, the loss of control over one’s personal data.

9.74 While I acknowledge that the provision of the Additional Information to Users about the Data Transfers (including in relation to the potential for access to personal data by the US Government) would help them to make “fully informed choices as to whether to continue to use Facebook^[213]”, my view is that the impact of the Additional Information, in terms of its potential to mitigate the damage identified above, is limited in circumstances where it places the obligation on individual users to seek out and engage with the information and to decide whether they wish to accept the risk of access by the US Government associated with continued use of the Facebook service.

9.75 In the circumstances, I consider it appropriate for me to take account, as a mitigating factor for the purpose of the Article 83(2)(c) GDPR assessment, the fact that Meta Ireland provides the Additional Information to Users. In terms of the weight that I might attribute to this factor, however, its limited ability to mitigate the loss of control that would result from access, by the US Government, to Users’ personal data means that the weight that I might attribute to this mitigating factor is also limited.

9.76 In relation to the other identified actions^[214], namely “quickly taking of all steps necessary to ensure the Data Transfers were made pursuant to the 2021 SCCs, thereby affording data subjects the additional safeguards and rights provided for therein” and “[i]mplementing supplementary measures which provided additional safeguards in respect of the Data Transfers”, I am unable to take these matters into account as mitigating factors in circumstances where this would be inconsistent with the views that have been expressed by the EDPB in the Article 65 Decision^[215].

Article 83(2)(d): the degree of responsibility of the controller, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32

9.77 Paragraphs 116 to 125 of the Article 65 Decision records the EDPB’s assessment of this aspect of matters:

Article 83(2)(e): any relevant previous infringements by the controller

9.78 Paragraphs 126 and 127 of the Article 65 Decision record the EPDB’s assessment of this aspect of matters:

Article 83(2)(f): the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement

9.79 The EDPB (in the Article 65 Decision) has not addressed this aspect of matters. In the circumstances, I proposed, in the Annex, to conclude that nothing arises for consideration under this heading.

9.80 By way of paragraph 4.4 of the Final Submissions, Meta Ireland submitted that I should take account of its full cooperation with the DPC throughout the Inquiry as a significantly mitigating factor. While acknowledging Meta Ireland’s full cooperation during the course of the within Inquiry, I note that it is required to do so by Article 31 GDPR, which requires data controllers and processors to “cooperate, on request, with the supervisory authority in the performance of its tasks”. I secondly note that the assessment required to be carried out, pursuant to Article 83(2)(f) GDPR, is “the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement” [emphasis added]. It is therefore clear that the cooperation that would be relevant for assessment, here, is the cooperation that has taken place for the purpose of remedying the Infringement and mitigating the possible adverse effects on data subjects. I note, in this regard, that I have already taken account, within the Article 83(2)(c) assessment, above, of the actions taken by Meta Ireland in an effort to mitigate the possible adverse effects of the Infringement on data subjects. That being the case, it is not open to me to take those same matters into account for a second time within the same Article 83(2) assessment.

Article 83(2)(g): the categories of personal data affected by the infringement

9.81 Paragraphs 128 to 133 of the Article 65 Decision record the EDPB’s assessment of this aspect of matters:

“128. Concerning the requirement to take account of the categories of personal data affected under Article 83(2)(g) GDPR, the EDPB recalls that the GDPR clearly highlights the types of data that deserve special protection and therefore a stricter response in terms of fines. The EDPB has already explained that categories of personal data deserving a stricter response in terms of fines include at the very least, the types of data covered by Articles 9 and 10 GDPR, and data outside the scope of these Articles the dissemination of which causes immediate damages or distress to the data subject, such as location data, data on private communication, national identification numbers, or financial data.

Article 83(2)(h): the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller notified the infringement

9.82 Paragraphs 134 – 136 of the Article 65 Decision record the EDPB’s assessment of this aspect of matters:

9.83 The EDPB (in the Article 65 Decision) has not addressed this aspect of matters. The DPC notes that measures have not previously been ordered against Meta Ireland with regard to the same subject matter. In the circumstances, the DPC considers that nothing arises for consideration under this heading.

Article 83(2)(j): adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

9.84 The EDPB (in the Article 65 Decision) has not addressed this aspect of matters. The DPC considers that nothing arises for assessment under this heading.

Article 83(2)(k): any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

9.85 Paragraphs 137 to 140 of the Article 65 Decision record the EDPB’s assessment of this aspect of matters:

Summary Conclusion of the EDPB

9.86 At paragraphs 141 and 142 of the Article 65 Decision, the EDPB records its conclusion that:

9.87 The EDPB then proceeded to carry out an assessment of the criteria under Article 83(1) GDPR, namely the requirement for administrative fines, in each individual case, to be “effective, proportionate and dissuasive”. That assessment is recorded at paragraphs 143 to 178 of the Article 65 Decision. It is important to note, in this regard, that that assessment concerned the EDPB’s proposal to include, in its binding decision, a requirement for the DPC to impose an administrative fine on Meta Ireland. A separate assessment, for the purpose of Article 83(1) GDPR, must be carried out by the DPC by reference to the fine to be imposed by way of this final decision. While the DPC will be required to exercise its own discretion, in this regard, the binding nature of the Article 65 Decision and the requirement, set out in Article 65(6) GDPR, for the DPC to adopt its final decision “on the basis of” the Article 65 Decision mean that the DPC must ensure to exercise its discretion in a manner that it not inconsistent with the views expressed, and determinations made, by the EDPB in the Article 65 Decision. That assessment is set out, further below.

Assessment of Quantum

9.88 As already noted, the EDPB assessments set out above reflect the EDPB’s views on the application of the Article 83(2) GDPR criteria, as regards both the determination of whether or not an administrative fine ought to be imposed and the determination of the amount of any such fine.

9.89 As noted, above, nothing arises for consideration pursuant to Articles 83(2)(e), (f), (h), (i) and (j). I have recorded my view that Meta Ireland’s provision of the Additional Information ought to be taken into account, as a mitigating factor, for the purpose of Article 83(2)(c) GDPR. As regards the remaining factors – Articles 83(2)(a), (b), (d), (g) and (k) – paragraph 178 of the Article 65 Decision makes it clear that the EDPB considered each of these factors to be aggravating.

9.90 Paragraph 174 of the Article 65 Decision makes it clear that the EDPB requires the DPC to apply the EDPB’s Guidelines on calculation of fines^[216] (“the Fining Guidelines”) when calculating the amount of the administrative fine to be imposed in the within inquiry.

9.91 The Fining Guidelines firstly require the identification of a starting amount for further calculation of the fine on the basis of whether the infringement is classified as being of a low, medium or high degree of seriousness. Paragraph 52 of the Fining Guidelines clarify that this starting amount is to be determined by reference to the assessments that have been carried out pursuant to Articles 83(2)(a), (b) and (g) GDPR. The EDPB confirmed, in this regard, at paragraph 173 of the Article 65 Decision, that:

9.92 The EDPB concluded, at paragraph 174 of the Article 65 Decision, that:

9.93 At paragraph 175 of the Article 65 Decision, the EDPB notes that:

9.94 It is important to note, in this regard, that, as clarified by paragraph 73 of the Fining Guidelines, each of the Article 83(2) criteria should only be taken into account once as part of the overall assessment of Article 83(2) GDPR. This means that, in the context of the assessments reflected in the Article 65 Decision, the only Article 83(2) criteria that remain to be taken into account, after the starting point for further assessment has been determined by reference to the assessments of Articles 83(2)(a), (b) and (g), are the assessments that were carried out by the EDPB by reference to Articles 83(2)(d) and (k) GDPR.

9.95 In this regard, the EDPB made it clear, at paragraph 176 of the Article 65 Decision, that:

9.96 In addition to the above, I note that, further to Meta Ireland’s Final Submissions, I concluded that the provision of the Additional Information ought to be taken into account, as a mitigating factor of light weight, for the purpose of Article 83(2)(c) GDPR.

9.97 I proposed, by way of the Annex, to impose an administrative fine of an amount falling within the range of €1.2 billion and €1.5 billion in respect of the infringement of Article 46(1) GDPR.

9.98 I expressed the (provisional) view that an administrative fine within this range would satisfy the requirement in Article 83(1) GDPR for any administrative fine imposed to be effective, proportionate and dissuasive in each individual case. In this regard, I have taken account of:

a. The purpose of the fine, which is to sanction the infringement of Article 46(1) that was found to have occurred;

b. The requirement for any fine to be effective. In this regard, the DPC notes that the fine proposed above reflects the circumstances of the case, as assessed by the EDPB in the Article 65 Decision, including both the specific elements of the infringement as well as those elements that relate to the controller which committed the infringement, namely its financial position. I note, in this regard, that the EDPB determined that the Infringement is of “significant nature, gravity and duration”, committed with “at least the highest degree of negligence” and that Meta Ireland has a “high degree of responsibility”. Furthermore, the EDPB did not identify any mitigating factors and, instead, identified two aggravating factors that determined ought to be attributed “sufficiently heavy weight”. In terms of the requirement for me to take account of Meta Ireland’s financial position, I have taken account of the very significant turnover of the undertaking of which Meta Ireland forms part, namely the Meta Platforms, Inc. group of companies (the DPC’s assessment of the applicable turnover figure is detailed below). I note that I am required to take these particular matters into account not only by paragraph 177 of the Article 65 Decision but also by paragraph 414 of the EDPB’s binding decision 1/2021. The combination of all of these factors (namely, the most serious classification for the purpose of calculating the starting point (assessed by reference to Articles 83(2)(a), (b) and (g) GDPR) with further adjustment to take account of two aggravating factors of “sufficiently heavy weight” (representing the EDPB’s assessments of Articles 83(2)(d) and (k) GDPR) along with a very significant level of turnover) suggests that an administrative fine of an amount selected at a point extending beyond the mid-range of the scale identified by the EDPB in the Article 65 Decision ought to be imposed. This remains my view, notwithstanding my subsequent conclusion that the provision of the Additional Information ought to be taken into account as a mitigating factor for the purpose of Article 83(2)(c) GPDR, in circumstances where I concluded that only a light weight could be attributed to this factor;

c. The requirement for a genuinely deterrent effect, in terms of discouraging both Meta Ireland and others from committing the same infringement in the future;

d. The requirement for any fine to be proportionate and to not exceed what is necessary to achieve the stated objective (as recorded at a., above). The DPC considers that the fine proposed is proportionate to the circumstances of the case, taking into account the gravity of the infringements and all of the elements that may lead to an increase (aggravating factors) or decrease (mitigating factors) of the initial assessment as well as the significant turnover of the undertaking concerned, as assessed by the EDPB in the Article 65 Decision. The fine also takes account of the fact that it will be imposed in addition to orders requiring Meta Ireland to take action to bring its processing into compliance. As noted by the EDPB, as part of its assessment of the Article 83(2)(k) criterion, “it can be inferred that transferring the data to the US in a way that infringes the GDPR is inextricably linked to the provision of the service to EU/EEA individuals”. The EDPB further noted Meta Ireland’s submissions that “the suspension order proposed by the IE SA would have ‘severe consequences’ for Meta IE and ‘would clearly have a devastating impact on FIL’s business, revenue and employees’” and concluded that this suggested that “a considerable part of its profits derived from the provision of the service in the EU arise from the breach of the GDPR.” As noted above, I have already taken account of the EDPB’s Article 83(2)(k) assessment as an aggravating factor with sufficiently heavy weight. By the same token, I cannot ignore Meta Ireland’s submissions that the suspension order would have “severe consequences” for its business. I accept that the suspension order will likely have adverse consequences for Meta Ireland. I also accept that, while the orders to bring processing into compliance are being made for the purpose of bringing about the remedial action required to address the Infringement, I cannot ignore the negative financial consequences that will likely flow from the action that might be required to be taken by Meta Ireland in order to achieve compliance with the orders (“the Financial Consequences”). In these circumstances, I have taken account of the Financial Consequences by applying a reduction to the overall quantum of the administrative fine in order to ensure that the fine is proportionate to all of the circumstances of the case, as required by Article 83(1) GDPR. As set out at paragraph b., above, my view, following the completion of the Article 83(2) GDPR assessment (which is the basis upon which the amount of the administrative fine must be determined) was that an administrative fine of an amount selected at a point extending beyond the mid-range of the scale identified by the EDPB in the Article 65 Decision ought to be imposed. In terms of the reduction that ought to be applied to that conclusion, for the purpose of taking account of the Financial Consequences and ensuring that the fine to be imposed is proportionate, in accordance with Article 83(1) GPDR, I consider that a reduction the equivalent to a mitigating factor of moderate weight must be applied, when determining the range of the administrative fine proposed above. That reduction has been reflected in the fining range proposed at paragraph 9.97, above.

Meta Ireland’s Final Submissions on Article 83(1) GDPR

9.99 The manner in which the DPC has determined that the proposed fining range is “effective, proportionate and dissuasive” for the purpose of Article 83(1) GDPR is set out in paragraph 9.98, immediately above. I will now consider the submissions furnished by Meta Ireland, in response to that assessment (as it appeared in the Annex).

9.100 By way of Section 5 of the Final Submissions, Meta Ireland has submitted^[217] that the DPC has not been instructed, by the EDPB, to “have regard to the EDPB’s assessment under Article 83(1) when deciding what level of fine complies with Article 83(1), in the operative or any other part of the Article 65 Decision.” Meta Ireland has further submitted^[218], in this regard, that:

9.101 To be clear about the position, the DPC has carried out its own assessment of the extent to which the fining range proposed above achieves compliance with the requirements of Article 83(1) GDPR. That assessment was outlined in the Annex and is now set out at paragraph 9.98, above.

9.102 Meta Ireland has further submitted^[219] that “it is not possible to ascertain … how the DPC fixed the fining range within the parameters set by the EDPB, in the exercise of the limited discretion the DPC considers has been left to it by the EDPB”. Meta Ireland has submitted^[220] that this has “significantly interfered with” its ability to make meaningful submissions. I disagree that this is the case. As is evident from the extensive analysis set out above (which was also included in the Annex), the DPC has clearly identified how it calculated the fining range by reference to the Article 83(2) assessments. Furthermore, the manner in which the relevant factors have been taken into account, as mitigating or aggravating factors, as well as the weight that has been attributed to each one has been clearly addressed. The analysis also explains how the DPC assessed the proposed fining range to be “effective, proportionate and dissuasive” for the purpose of Article 83(1) GDPR. This approach is in line with the DPC’s obligation to provide reasons for its decisions. While the DPC is required to explain how it arrived at the level of a proposed fine, it is not required to apply such specificity so as to allow a controller or processor to make a precise mathematical calculation of the expected fine^[221].

9.103 I further note Meta Ireland’s submission^[222] that:

9.104 For the avoidance of doubt, the DPC has not taken any of the Article 83(2) assessments into account twice. This is self-evident from the analysis set out above and, in particular, the analysis set out at paragraph 9.98, above.

9.105 Meta Ireland has further submitted^[223] that:

9.106 I agree that this is a correct assessment of both the Article 65 Decision as well as the Fining Guidelines. Notwithstanding Meta Ireland’s submissions, I remain of the view that the fining range proposed above is “effective, proportionate and dissuasive” for the purpose of Article 83(1) GDPR. I have already detailed, above, why I consider this to be the case. By way of summary of the key factors:

a. The EDPB has determined that the DPC must apply the Fining Guidelines when calculating the quantum of the administrative fine;

b. The EDPB has further determined that the starting point for further calculation should be determined at a point between 20% and 100% of the applicable legal maximum. This is the highest of the three possible starting ranges for further calculation set out in the Fining Guidelines;

c. Based on the evaluation of the factors under Article 83(2)(a), (b) and (g) GDPR, the EDPB determined that the Infringement is of a high level of seriousness;

d. Further to its assessments of the factors arising pursuant to Articles 83(2)(d) and (k) GDPR, the EDPB concluded that the relevant factors are aggravating and should be attributed “sufficiently heavy weight” in the calculation of the administrative fine;

e. The EDPB did not identify the existence of any mitigating factors;

f. The DPC took account, as a mitigating factor of light weight for the purpose of the Article 83(2)(c) assessment, of the Additional Information that has been provided to Users by Meta Ireland;

g. The DPC further applied a significant reduction to the outcome of the Article 83(2) assessment, in order to take account of the Financial Consequences for the purpose of ensuring that the fining range was “effective, proportionate and dissuasive”, as required by Article 83(1) GDPR. The reduction applied, in this regard, is equivalent to a mitigating factor of moderate weight.

9.107 In the circumstances, the DPC is satisfied that the proposed fining range reflects the individual circumstances of this particular case, as required by Articles 83(2) and 83(1) GDPR.

9.108 As regards Meta Ireland’s attempted reliance on the view that was expressed in the Draft Decision, that “the Data Transfers were being effected, in good faith, under and by reference to transfer mechanisms provided for at law”, it is clear, from the EDPB’s assessment of the character of the Infringement for the purpose of Article 83(2)(b) GDPR, that the EDPB does not agree with this view. The DPC is obliged, pursuant to Article 65(6) GDPR, to adopt (this) final decision “on the basis of” the Article 65 Decision. In the circumstances, I cannot take this matter into account, as a mitigating factor, when calculating the amount of the fine to be imposed.

9.109 Under the heading of “effectiveness”, Meta Ireland has submitted^[224] that “there is no basis to conclude that an administrative fine of the magnitude proposed … is appropriate or necessary for reasons of effectiveness. This is entirely inconsistent with the views expressed by the DPC previously in this Inquiry.”

9.110 It is not disputed that the views expressed by the DPC in the Draft Decision are not consistent with the outcome recorded in this Decision. It stands to reason that, in giving effect to the binding determination of the EDPB, that the DPC must amend the positions previously reflected in the Draft Decision that are not consistent with the determinations made by the EDPB so that this Decision may be adopted “on the basis of” the Article 65 Decision, as required by Article 65(6) GDPR.

9.111 Having taken account of Meta Ireland’s Final Submissions, I remain of the view that an administrative fine of an amount falling with the range of €1.2 billion and €1.5 billion ought to be imposed in respect of the infringement of Article 46(1) GDPR, for the reasons outlined in paragraph 9.98, above.

Assessment of the Undertaking Concerned and the Applicable Fining “Cap”

9.112 The infringement of Article 46(1) GDPR is subject to the higher fining “cap” set out in Article 83(5) GDPR, as follows:

9.113 In order to determine the applicable fining “cap”, it is firstly necessary to consider whether or not the fine is to be imposed on “an undertaking”. Recital 150 clarifies, in this regard, that:

9.114 Accordingly, when considering a respondent’s status as an undertaking, the GDPR requires me to do so by reference to the concept of ‘undertaking’, as that term is understood in a competition law context. In this regard, that the CJEU has established that:

9.115 The CJEU has held that a number of different enterprises could together comprise a single economic unit where one of those enterprises is able to exercise decisive influence over the behaviour of the others on the market. Such decisive influence may arise, for example, in the context of a parent company and its wholly owned subsidiary. Where an entity (such as a subsidiary) does not independently decide upon its own conduct on the market, but carries out, in all material respects, the instructions given to it by another entity (such as a parent), this means that both entities constitute a single economic unit and a single undertaking for the purpose of Articles 101 and 102 TFEU. The ability, on the part of the parent company, to exercise decisive influence over the subsidiary’s behaviour on the market, means that the conduct of the subsidiary may be imputed to the parent company, without having to establish the personal involvement of the parent company in the infringement^[226].

9.116 In the context of Article 83 GDPR, the concept of ‘undertaking’ means that, where there is another entity that is in a position to exercise decisive influence over the controller/processor’s behaviour on the market, then they will together constitute a single economic entity and a single undertaking. Accordingly, the relevant fining “cap” will be calculated by reference to the turnover of the undertaking as a whole, rather than the turnover of the controller or processor concerned.

9.117 In order to ascertain whether a subsidiary determines its conduct on the market independently, account must be taken of all the relevant factors relating to the economic, organisational and legal links which tie the subsidiary to the parent company, which may vary from case to case^[227].

9.118 The CJEU has, however, established^[228] that, where a parent company has a 100% shareholding in a subsidiary, it follows that:

a. the parent company is able to exercise decisive influence over the conduct of the subsidiary; and

b. a rebuttable presumption arises that the parent company does in fact exercise a decisive influence over the conduct of its subsidiary.

9.119 The CJEU has also established that, in a case where a company holds all or almost all of the capital of an intermediate company which, in turn, holds all or almost all of the capital of a subsidiary of its group, there is also a rebuttable presumption that that company exercises a decisive influence over the conduct of the intermediate company and indirectly, via that company, also over the conduct of that subsidiary^[229].

9.120 The General Court has further held that, in effect, the presumption may be applied in any case where the parent company is in a similar situation to that of a sole owner as regards its power to exercise a decisive influence over the conduct of its subsidiary^[230]. This reflects the position that: “… the presumption of actual exercise of decisive influence is based, in essence, on the premise that the fact that a parent company holds all or virtually all the share capital of its subsidiary enables the Commission to conclude, without supporting evidence, that that parent company has the power to exercise a decisive influence over the subsidiary without there being any need to take into account the interests of other shareholders when adopting strategic decisions or in the day-to-day business of that subsidiary, which does not determine its own market conduct independently, but in accordance with the wishes of that parent company …^[231]”

9.121 Where the presumption of decisive influence has been raised, it may be rebutted by the production of sufficient evidence that shows, by reference to the economic, organisational and legal links between the two entities, that the subsidiary acts independently on the market.

9.122 It is important to note that “decisive influence”, in this context, refers to the ability of a parent company to influence, directly or indirectly, the way in which its subsidiary organises its affairs, in a corporate sense, for example, in relation to its day-to-day business or the adoption of strategic decisions. While this could include, for example, the ability to direct a subsidiary to comply with all applicable laws, including the GDPR, in a general sense, it does not require the parent to have the ability to determine the purposes and means of the processing of personal data by its subsidiary.

Application of the above to the within inquiry

9.123 At paragraph 177 of the Article 65 Decision, the EDPB determined as follows:

9.124 Applying the above to Article 83(5) GDPR, I firstly note that, in circumstances where the fine is being imposed on an “undertaking”, a fine of up to 4% of the total worldwide annual turnover of the preceding financial year may be imposed. I note, in this regard, that Meta Platforms Inc. reported the generation of revenue in the amount of $116.61 billion for the year ending 31 December 2022.^[232] That being the case, the administrative fine proposed above does not exceed the applicable fining “cap” prescribed by Article 83(5) GDPR.

9.125 For the sake of completeness, I acknowledge Meta Ireland’s submission^[233] that it considers the approach taken above, further to the instructions of the EDPB, “constitutes an error of law”. I am unable to take account of Meta Ireland’s views, in this regard, in circumstances where the DPC is subject to the clear and unequivocal determination of the EDPB, as recorded at paragraph 177 of the Article 65 Decision, that requires the DPC, amongst other things, to use the consolidated turnover of the group of companies headed by Meta Platforms, Inc. when calculating the final amount of the fine.

Summary of Findings and Decision

10.1 Having regard to the provisions of Section 111 of the 2018 Act, and for the reasons set out in this Decision, I find that:

(i) US law does not provide a level of protection that is essentially equivalent to that provided by EU law;

(ii) Neither the 2010 SCCs nor the 2021 SCCs can compensate for the inadequate protection provided by US law;

(iii) Meta Ireland does not have in place supplemental measures which compensate for the inadequate protection provided by US law; and,

(iv) It is not open to Meta Ireland to rely on the derogations provided for at Article 49(1) GDPR, or any of them, when making the Data Transfers.

10.2 Accordingly, I find (and it is my decision that), in making the Data Transfers, Meta Ireland is infringing Article 46(1) GDPR.

10.3 I am satisfied (and I so decide) that it is appropriate that I should exercise corrective powers in respect of Meta Ireland, as the relevant Controller, as follows:

(i) I make an order, pursuant to Article 58(2)(j) GDPR, to require Meta Ireland to suspend the Data Transfers in accordance with the timeline outlined below (“the Suspension Order”);

(ii) further to the determination of the EDPB set out at paragraph 267 of Article 65 Decision, I make an order pursuant to Article 58(2)(d) GDPR to require Meta Ireland to bring its processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 (six) months following the date of notification of this Decision to Meta Ireland; and

(iii) I impose, pursuant to Article 58(2)(i) GDPR, an administrative fine in the amount of €1.2 billion. I consider that an administrative fine of this amount reflects the assessments of Article 83(2) and 83(1) GPDR that are recorded in Section 9, above.

Timeline for compliance with the Suspension Order

10.4 For the purpose of this Section 10, “the Commencement Date” shall be understood as meaning the date corresponding to the later in time of the following events: (i) the date on which the period allowed for an appeal against this Decision under Section 150 of the 2018 Act expires; and (ii) the date on which the period allowed for the bringing of an application for annulment of the Article 65 Decision under Article 243 TFEU expires.

10.5 The Suspension Order will take effect on a date 12 (twelve) weeks from the Commencement Date.

10.6 During the said period of 12 weeks, Meta Ireland is invited to make submissions to the DPC outlining, with precision:

(i) how it will implement the suspension in a manner consistent with its obligations to Users, to include its obligations under and by reference to Chapter III of the GDPR; and,

(ii) how, and when, it will communicate its plans to Users.

10.7 Such submissions shall be made to the DPC not later than 4 weeks after the Commencement Date.

10.8 On receipt of such submissions, the DPC will engage with Meta Ireland and will endeavour to agree the terms of its implementation plan within a further period of 4 weeks, commencing on the date of receipt of Meta Ireland’s submissions.

10.9 Upon agreement of such implementation plan, Meta Ireland will be afforded a further and final period of 4 weeks to give effect to same such that the Data Transfers shall be suspended no later than 12 weeks from the Commencement Date.

10.10 For the avoidance of doubt, if Meta Ireland fails to submit an implementation plan to the DPC within the time period noted (or at all) and/or the terms of an implementation plan cannot be agreed between the parties (whether within the time period noted, or at all), Meta Ireland will nonetheless be bound to give effect to the Suspension Order no later than 12 weeks from the Commencement Date.

Other Matters

Scope of application of the final decision

10.11 This Decision will bind Meta Ireland only. It is clear, however, that the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA. This point was raised by the DPC before the Irish High Court and the CJEU when it raised questions as to the validity of the SCC instruments specifically as a mechanism underpinning transfers to the United States. In the event, the CJEU upheld the validity of the SCCs as a legal instrument, emphasising the need to undertake a case-by-case assessment to determine whether, in any given case, data transfers to a third country conducted under their terms are lawful or not. In the circumstances, and notwithstanding the findings made by the CJEU in the Judgment in relation to US law, it is not open to the DPC to make an order suspending or prohibiting transfers to the United States generally.

Right of an effective remedy

10.12 Meta Ireland has the right of an effective remedy as against this Decision, the details of which have been provided separately.

This Decision is addressed to:

Meta Platforms Ireland Limited
4 Grand Canal Square
Grand Canal Harbour
Dublin 2

Dated the 12th day of May 2023

Decision-Maker for the Commission:

_______________________________________
Helen Dixon
Commissioner for Data Protection 216