Ireland’s data protection authority has ordered Facebook to suspend the transfer of European citizens’ personal data to the United States following concerns the social media giant is breaching the terms of a key European court ruling from July that said U.S. surveillance laws were incompatible with EU privacy rights.
According to a report in the Wall Street Journal on Wednesday, confirmed to Compliance Week by sources familiar with the matter, the Irish Data Protection Commission (DPC) sent Facebook a preliminary order in August to suspend transfers of data about its EU users to the United States and asked for the company’s response by mid-September.
It is the first significant step EU regulators have taken to enforce the Court of Justice of the European Union’s July 16 ruling that invalidated the EU-U.S. Privacy Shield and raised doubts about the adequacy of standard contractual clauses (SCCs) and binding corporate rules (BCRs) as alternative mechanisms to send data safely to the United States and other third countries with equally strong snooping laws.
Privacy campaigner Max Schrems, who has been gunning for the Irish DPC to speed up its investigations into Big Tech and its use (and abuse) of EU citizens’ data, said in a statement: “We obviously welcome the notion that the Irish DPC is finally moving towards doing its job after seven years of procedures and five court decisions.”
The order to halt data transfers, experts say, would pose an operational and legal challenge for Facebook that could set a precedent for not only other tech giants, but companies generally.
To comply, Facebook would likely have to re-engineer its service to silo most data it collects from European users or stop serving them entirely, at least temporarily. If it fails to comply with an order, the regulator has the power to fine Facebook up to 4 percent of its annual revenue, estimated to be around $2.8 billion, under the EU’s General Data Protection Regulation (GDPR).
“Compliance is not simple since Facebook’s data ecosystem comprises hundreds or even thousands of companies, service providers, IT vendors, and such, many of which are based in the U.S.,” says Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals. “I doubt Facebook can conduct business with all data protected to the extent the European court has sought.”
Experts agree the wider impact of any order could be “massive.” Stewart Room, partner and global head of data protection and cyber-security at law firm DWF, says the effects will be “profound … for all organizations that directly or indirectly send data out of Europe.”
Jamie Akhtar, CEO and co-founder of cyber-security firm CyberSmart, says Facebook and other Big Tech companies may have to split into two separate entities and operate separate data storage solutions in different countries to avoid EU-U.S. transfers and comply with “local” legislation.
Cillian Kieran, privacy compliance expert and CEO of startup Ethyca, says the Irish DPC’s action “could absolutely speed up progress on a U.S. federal privacy law as major platforms will be brought to their knees if trans-Atlantic data transfers are shut down.”
The Irish DPC has not released any official statement. It was approached for comment but did not reply.
However, Nick Clegg, Facebook’s VP of global affairs and communications, confirmed in a blog post that the Irish DPC has commenced an inquiry into the EU-U.S. data transfers Facebook controls, and that it has suggested SCCs cannot in practice be used by Facebook for EU-U.S. data transfers.
Clegg points out that such an approach would harm not only Facebook but also every other business that transfers data between the two markets, including those that do so through third-party cloud service providers. He also points out (in an obvious dig) that Ireland’s own COVID tracking app states in its terms and conditions that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the United States.
“While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimize disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way,” says Clegg.
Ireland’s order is only preliminary—it could be significantly revised before it is finalized, and experts warn any such process could take several months, especially as the Irish DPC must coordinate any final order with the remaining 26 EU data protection authorities in cross-border cases to attain joint approval. The European Data Protection Board (EDPB), the EU’s regulator for the GDPR, would also need to consider the matter. Facebook could also potentially challenge the order in court.
However, the move signifies EU data protection authorities are ready to act to deter companies—particularly those that are data-driven, like Big Tech—from transferring EU citizens’ data to the United States.
On Sept. 3, the EU’s Justice Commissioner, Didier Reynders, warned there will be no “quick fix” to replace the Privacy Shield as the “political nature” of the issue would likely hamper progress. He also hinted “legislative changes” may need to be considered by U.S. legislators to satisfy EU demands.
In the meantime, the European Commission is seeking to “modernize” SCCs (a first draft of the proposed model should be available this month), while the EDPB announced it has created a taskforce to help companies implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.