On 13 April 2023, the European Data Protection Board (EDPB) issued its binding decision, under the GDPR’s Article 65 dispute mechanism process, to the Irish Data Protection Commission (IDPC) in the Meta data transfers case. While this matter has been rumbling on for a number of years, some eyebrows have been raised given the timing of this announcement, with the potential EU adequacy decision for the US (in the form of the Data Privacy Framework) expected in “Summer 2023” (even in spite of the European Parliament LIBE committee’s non-binding opinion rejecting the Data Privacy Framework being announced on the very same day!)
How did we get here?
In July 2022, the IDPC concluded its post-Schrems II own volition investigation into Meta’s data transfers. Due to the cross-border nature and impact of any decision, the IDPC was required to pass its file and draft decision to other concerned supervisory authorities (CSAs) under the Article 60 mechanism in the GDPR (read more in our previous article here). In January 2023, it was announced that the IDPC and the CSAs could not reach agreement on the IDPC’s 7 July 2022 draft decision and therefore the Article 65 GDPR mechanism was invoked, sending the disputed matters to the EDPB for binding determination.
The EDPB has concluded the process and issued its decision, which is binding on the IDPC. The EDPB decision has not been made publicly available and is not expected to be published until the IDPC has issued its final determination. The IDPC must issue its final decision “without undue delay and at the latest by one month after the Board has notified its decision”, so in other words no later than 13 May 2023. All of this will seem very familiar to those who followed the IDPC’s inquiries into Meta (Facebook and Instagram), which concluded in January 2023, where a similar stalemate requiring the use of the Article 65 GDPR procedure arose – along with some strong rhetoric from the IDPC about the EDPB’s powers (for more see our article here).
What does this all mean?
Without seeing the text of the EDPB’s binding decision there is much speculation about what the IDPC’s final decision will say – what it decided and what the EDPB has mandated. The big question is will we see suspension of data transfers to the US for Meta? But many more also follow, e.g. if suspension is ordered will it be immediate or will there be a grace period? What does this mean for other large US tech companies using EU standard contractual clauses (SCCs)? Will it have an impact on data transfers to other jurisdictions? Will there be a fine? If so, how much will it be and how will it be calculated? Will any consideration be given to the amount Meta has already been fined this year? If it is found data was unlawfully transferred – what will happen with this data? Can this data even be deleted? What impact will this have for users of Meta’s services? And of course since this case began things have changed! All these issues are also to be viewed in light of (i) the new EU SCCs that must be used for ex-EEA transfers as of 27 December 2022 (for more see our article here), not the old SCCs that were in force at the time of this investigation, and (ii) the potential EU adequacy decision for the US. While they don’t change the fact pattern of the investigation itself, they may have an impact on the final decision and what may or may not be ordered.
Many are asking what Meta might do if it finds itself with an order to suspend data transfers to the US a mere matter of weeks before a (potential) EU adequacy decision in favour of the US. One option would be for Meta to lodge an appeal with the Irish High Court to stay proceedings pending the outcome of the EU adequacy decision process. Other suggestions have included Meta using any compliance window in the final decision to wait it out, or Meta potentially getting around the issue by taking the approach it has adopted in the UK and replicating it in the EU, i.e. making Meta Inc, in the US, the controller and not having an EU entity involved.
While it is certainly going to be an interesting few weeks, it is also important to remember that the IDPC final decision and the Data Privacy Framework are two separate matters, albeit inextricably linked. A lot of time and effort has gone into getting to this stage with the Data Privacy Framework and, with the economic opportunities and (hopefully) legal certainty such a deal will bring, there is a clear intention from both the EU and the US to reach agreement, thus simplifying data transfers between them. Hopefully pragmatism will win the day… but for now all we can do is sit back, take a deep breath and await the IDPC’s final decision.