Meta fine: ORG warns that DPDI Bill could allow laundering of EU citizens’ data

Open Rights Group has warned that the Data Protection and Digital Information (DPDI) Bill could allow Meta to get around the suspension of data transfers from Europe to the United States, which was imposed by Ireland’s data protection regulator today.

The Data Protection Commission issued Meta with a fine of €1.2bn (£1bn) for mishandling Facebook users’ data when it was transferred from the European Union (EU) to the United States (US). The transfer of data between the EU and US has also been suspended, although Meta has been given five months to enact this. If the UK passes the DPDI Bill, it could create a loophole that could allow EU data to be transferred to the US via the UK. 

Abigail Burke, Policy Manager for Open Rights Group, said:

“It is very welcome to see a data protection regulator taking strong enforcement action against companies that fail to protect their users’ data.

“However, today’s decision exposes flaws in the Data Protection and Digital Information Bill, which could allow the UK to transfer data to countries that have poor data protection. In effect this could allow the data of EU citizens to be laundered through the UK.

“This bill could threaten the impact of decisions by data protection regulators as well as jeopardizing the UK’s current adequacy agreement with the EU.”

Weakening of protection for data transfers

Schedule 5 of the DPDI Bill lowers the protections for personal data that is transferred abroad from the UK. It gives the Secretary of State the powers to approve international transfers to countries with poor data protection and a lack of enforceable rights and effective remedies. In particular, the new “data protection test” for international transfers (1) does not have to consider the impact that foreign legal frameworks concerning defence, national security, criminal law, and the access of public authorities to personal data, will have on the protection of UK personal data and (2) does not require an independent and effective supervisory authority in the country where data is being transferred, or the availability of judicial redress.

If the UK keeps its adequacy decision with the EU, the Bill creates a scenario where the data of EU citizens could be laundered through the UK to countries that the EU does not have an agreement with, including the United States. This would allow companies like Meta to potentially sidestep the strong data protection laws and enforcement in the EU and continue to amass vast amounts of EU data unethically. 

Independence of the ICO

Today’s decision highlights the important role that data protection regulators play in upholding people’s rights. The approach of the DPC is in contrast to that of the UK’s Information Commissioner’s Office (ICO), which has styled itself as a “critical friend” of the government. The ICO has been criticised for failing to take strong action against both companies and government departments that have failed to implement data protection law. Its independence will be undermined further by provisions in the DPDI Bill, which will give the Secretary of State new powers to issue instructions to the ICO and to interfere with how it functions.

For further information, read ORG’s latest briefing on the DPDI Bill.