Written in consultation with Gabriela Zanfir-Fortuna, Senior Advisor.
The Irish Data Protection Commission (DPC) has reportedly transmitted a draft order to its European Union (EU) counterparts that would block Meta from transferring any personal data to the U.S. In the meantime, the U.S. government is continuing to work on issuing the executive order and regulations described in the joint announcement of the Trans-Atlantic Data Privacy Framework (TADPF). After the issuance of these instruments, several steps (and months) lie ahead before the European Commission can finalize its adequacy decision (we described this process in Beyond Schrems II). Once the Commission does so, the decision will likely be challenged in court (as we described in Challenging the New Privacy Shield Framework).
But what are we to make of the Irish DPC’s draft decision in the meantime? In this post, we lay out the process for a member state’s supervisory authority (commonly referred to as a data protection authority or DPA) to finalize a draft decision. We will also explore the implications for Meta given the current state of play on the TADPF.
The process for a DPA to issue a final decision is not simple and can take some time. In this case, as provided in Article 56 of the General Data Protection Regulation (GDPR), the Irish DPC is acting as the “lead supervisory authority” because Meta’s “main establishment” is in Ireland. Article 60 requires that the Irish DPC, in its capacity as lead supervisory authority, “cooperate with other supervisory authorities … in an endeavor to reach consensus” (this process being informally known as the One-Stop-Shop procedure). Specifically, the Irish DPC must “submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.” A concerned supervisory authority then has four weeks to submit an “objection” to the draft. Objections must be “relevant and reasoned” (article 60(4)).
If there are no objections, the order is adopted and all DPAs are bound by it (article 60(6)). If a DPA raises an objection that the supervisory authority agrees with, it must circulate a revised draft; this time, the other DPA’s have two weeks to raise any objections, after which the Irish DPC would be able to adopt the order. An objection would restart this stage (article 60(5)).
On the other hand, if there are objections that the Irish DPC does not intend to follow, then Article 65’s consistency mechanism is triggered. The lead supervisory authority must refer the disagreement to the European Data Protection Board (EDPB), which has one month (extendable by another month) to issue a binding decision based on a 2/3 vote of its members (which consist of a representative of each member state’s DPA’s plus the European Data Protection Supervisor). If that fails, then the EDPB has an additional two weeks to issue a decision by simple majority (with the Chair casting the deciding vote in case of a tie). With all this back and forth, it is not surprising that this process could take several months.
What does this all mean in the context of the pending TADPF?
Let’s consider what happens when the European Commission issues a final adequacy decision. As we have explained, EU law is clear on this point: DPAs are obligated to honor the adequacy decision (as the CJEU reiterated in Schrems II in paragraphs 117, 118, and 156 of its ruling). Therefore, it stands to reason that whatever the status of the Irish DPC’s order when the adequacy decision is finalized, the Irish DPC will be obligated to allow cross-border data transfers to proceed to the extent such transfers are covered by the TADPF adequacy decision.
But what happens in the meantime? If the process described above runs its course and the adequacy decision has not yet been finalized, would Meta’s data flows to the U.S. be cut off? In this regard, it is important to remember that there are two key milestones under the TADPF. One is the European Commission’s adequacy decision, of course; but before we get to that stage, the U.S. government will publish a new executive order and a set of regulations which, among other things, will purport to address the Schrems II ruling’s concerns about necessity and proportionality, and create an entirely new court for redress.
Presumably, the Irish DPC’s draft order is based on U.S. law as it existed at the time of the Schrems II ruling. The new measures under the TADPF will constitute a change to U.S. law that is directly relevant to the draft order. It is beyond the scope of this post to explore the avenues available under Irish law to address such a situation. In the U.S. legal system, an analogy might be a motion under Rule 59(e) of the Federal Rules of Civil Procedure, which courts have interpreted to provide an avenue to a party seeking reconsideration of a court’s decision due to “an intervening change in the controlling law.” The TADPF executive order and regulations would seem to readily qualify as an intervening change in the relevant legal framework for cross-border data transfers.
This complex and confusing situation further highlights the importance of a sustainable framework enabling data transfers across the Atlantic.