International dataflows are the lifeblood of modern commerce.
Transferring data (especially personal information) between group companies is vital for allowing businesses to identify and target existing customers and potential new markets. However, as the record fine recently levied on Meta Platforms (parent company of Facebook) shows, safely navigating the regulatory landscape can require caution and diligence.
Meta’s predicament underlines several important features of GDPR and similar data protection regimes around the world, which all Australian businesses should heed:
- data protection compliance is no longer a question of just ticking boxes – modern regulations tend to be about achieving objectives rather than simply following rules;
- data protection rules can apply internationally and “extra-territorially”, i.e. extending beyond the borders of a specific country;
- financial penalties for breaches can be eye-watering (typically up to 4% of global turnover), giving businesses a real incentive to take compliance seriously.
GDPR – a modern approach to data protection
When GDPR came into force in 2018, it set the modern global standard for data protection and privacy regulation, and has since been copied by legislatures around the world. It emphasises the rights of individuals to control their personal information and restricts the freedom of businesses to treat this information as if it were simply an asset to be commercialised.
GDPR is especially concerned to ensure that any personal information transferred between countries retains the benefit of the highest standards of protection, regardless of the local laws of the destination territory. GDPR will only permit data transfers to less regulated jurisdictions if specific safeguards are implemented, the most common example being “Standard Contractual Clauses” (SCCs): preapproved forms of contractual wording that can be easily incorporated into data transfer agreements to provide the requisite protection.
A record fine
In principle, SCCs offer businesses a safe path through the minefield of regulatory compliance. However, as Meta has found out, it is not enough simply to cut-and-paste SCCs into data transfer agreements — they must also be actively and effectively implemented.
In the case of transfers from the EU to the US, the differences between GDPR and US data protection law are particularly stark and probably can’t be overcome with SCCs alone. In May 2023, the Irish Data Protection Commission (DPC) therefore held that Meta’s transfer, processing and storage of EU data in the US was unlawful and issued Meta with a record fine of EUR1.2 billion (nearly AUD2 billion), ordering it to suspend its data transfer activities.
Meta has described itself as “disappointed” by this decision and has complained of being singled out for harsh treatment. While the DPC has denied this, it is probably fair to say that it has taken the opportunity to make an example of Meta in order to send a clear message to other businesses.
The current review of Australia’s privacy laws is likely to take the Privacy Act 1988 (Cth) closer to GDPR in approach and outlook. In addition, Australian businesses that rely on the international transfer of personal information need to be fully aware of all overseas regulations that may apply to their activities, wherever those take place.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2023