One of the biggest pieces of news to have arguably gone under a lot of radars recently was the €1.2 billion fine (roughly £1 billion) levied by the Irish Data Protection Commission on Meta / Facebook for breaches of Article 46 of the General Data Protection Regulation (“GDPR”). Specifically, there was a finding that Meta had continued to transfer and store the personal data of users despite the warnings and findings about exactly those kinds of transfers following the infamous “Schrems II” case, which we talked about at the time.
Let’s take a step back here to understand what this is all about.
- Firstly, personal data is important and should be kept safe – something we can all agree on. For UK travel & leisure businesses of any description, the transfer of data is governed by GDPR and, following Brexit, the Data Protection Act 2018. The EU and UK rules are, broadly, the same.
- Secondly, where data is being transferred between countries, there need to be technical and security measures in place. Where there is a finding of “adequacy” in place between those countries, the transfer of data is in theory much easier to achieve. So, for instance, the UK recognises the EU as having an adequate level of data security measures in place, and vice versa. However, there are only a relatively small number of adequacy findings – the UK for instance recognises the EU (alright, that’s a lot of coverage…), Andorra, Isle of Man, Gibraltar, Argentina, Japan, Switzerland, Canada (partial), Jersey, Uruguay, Guernsey, Faroe Islands, Israel and New Zealand. There are a lot of countries one may think are notably absent from that list, including the USA.
- Prior to Schrems II there had in fact been a mechanism in place to deal with EU (this was prior to Brexit) to USA transfers – something called the Privacy Shield Framework, or more commonly “Privacy Shield”. It was the Schrems II case which effectively put Privacy Shield out of action, and made the USA a non-adequate country.
- Where a country is deemed non-adequate, as the USA currently is (and they see the UK & EU the same way), additional safeguards need to be in place. This is where the much-talked-about Standard Contractual Clauses (“SCCs”) come into play, although there is slightly more to it than that. In short, Meta was deemed by the Irish Data Protection Commission not to have taken the appropriate measures to address the fundamental rights and freedoms that were identified in Schrems II, notably that there was a risk of law enforcement agencies in the USA being able to access the data being transferred.
Analysis – What Does This All Mean for our Industry?
The travel & leisure industry is not, it should be said, unaccustomed to large data fines – notably, various hotels and airlines have seen huge fines levied in previous years, either by the UK Information Commissioner’s Office or by equivalents in other countries. However, this fine is on another level again.
Our current concern here at Travlaw is this – when reviewing the Meta situation the Irish Data Protection Commission considered Meta’s “Transfer Impact Assessment” and various security and technical measures, all of which were clearly very comprehensive, as you might expect from a genuinely global company with huge resources. The Assessment and measures were clearly very advanced. What seems to have tripped Meta up is that despite all those, law enforcement agencies in the USA could still access data if they wanted to. The concern is therefore that if what Meta had in place was considered not good enough, how likely is it that a travel & leisure business without those resources will be able to comply? Even assuming an appeal by Meta, that is looking like an almost impossible test, which actually starts to bring into question the rationality of the current personal data scheme in place in the EU and UK despite the clear need for there to be such a scheme in place.
As we have seen with Brexit, there is clearly a political element to all of this, which is not, realistically, helping businesses that just want to get on with trading and doing their bit for the economy. We here at Travlaw are very aware that the groans of frustration that first sounded out in 2018 with the introduction of the new data laws have never really gone away, and that “getting it right” with regard to data can be challenging.
One important point that the Meta case also highlighted was that storage of data is just as important as the transfer of data. We have advised on many situations where, say, a UK business does not consider it is transferring data across borders, but stores data in a centre which is in another jurisdiction. That needs to be factored into any structural and legal thinking.
What of the Future?
Despite the wider concerns about data generally, there is cause for cautious optimism.
The UK can, in theory, now diverge away from the EU rules – although that would not make any real sense. There is talk of the UK ICO giving more guidance on how data transfers might work and how to get more usage from tools like the UK’s International Data Transfer Agreement.
However, the most notable event on the horizon is the much-talked-about Trans-Atlantic Data Privacy Framework, which is in essence a full solution to the issues raised in Schrems II and should conclude in a finding of adequacy between the EU and USA. The theory is that the UK would then similarly follow suit with a finding of adequacy. That would make transfers of personal data between the UK, EU and USA much, much easier – much to the delight of the many clients we have who have found the current regime challenging.
We here at Travlaw have long thought that there is at least a good argument for a genuinely global set of rules around personal data that countries can join and then be a part of maintaining. The importance of data is here to stay, and it makes sense to have a regime that recognises the importance of security whilst balancing the practical need of businesses to be able to get on and trade.
For more information on this, or indeed any other travel law matters, please contact Matt@Travlaw.co.uk or any of the Travlaw team.
This article was originally published on: 14 June 2023