The Irish Data Protection Commission has told Facebook that its current method of handling data between the EU and US is inadequate under GDPR.
Ireland’s Data Protection Commission (DPC) has sent Facebook a preliminary order to change its data-sharing practices between the EU and the US.
In late August, the Commission informed Facebook that standard contract clauses (SCCs) used by its Dublin HQ for EU-US data transfers do not offer sufficient data protection for EU-based users.
This follows a landmark ruling in July from the Court of Justice of the European Union (CJEU), which invalidated the Privacy Shield agreement for EU-US data transfers.
‘This could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on’
– NICK CLEGG
Privacy Shield was a mechanism used by many US companies to uphold GDPR while processing data from EU citizens. Following a lengthy court battle, the CJEU found Privacy Shield was insufficient as users in the EU would have no way to effectively challenge the collection of this data by the US government under its own surveillance laws.
However, the use of SCCs was deemed by the CJEU to be a valid method to ensure users in the EU could enjoy an adequate standard of data protection while making use of online services headquartered in the US.
Use of SCCs
Originally reported by the Wall Street Journal, citing “people familiar with the matter”, Facebook confirmed the order issued by the Irish Data Protection Commission in a response from Nick Clegg, the company’s VP of global affairs and communications.
“The Irish Data Protection Commission has commenced an inquiry into Facebook-controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
SCCs are used by thousands of companies operating internationally, and so the Data Protection Commission’s decision for Facebook could impact data-transfer protocols at many more organisations.
Clegg warned that this decision could damage the growth of data-driven business in the EU and also claimed it could impact critical public services.
Highlighting the extensive use of SCCs, he wrote: “Ireland’s Covid Tracking App states, in its terms, that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the US. International cloud providers and email platforms provide services to schools, universities and hospitals across Europe. Millions of people use video conferencing software every day, to keep in touch with friends and family who live in different countries.”
Compliance with the DPC’s order would require Facebook to re-engineer how it operates for EU-based users, or even stop serving them entirely until the issue is resolved. Non-compliance could see Facebook face a fine of up to 4pc of its annual global turnover under GDPR rules.
Schrems critical of DPC
This latest development is part of a long battle between US multinationals, data protection regulators and privacy advocates. Because of the number of European bases of US tech companies in Ireland, the Irish Data Protection Commission has become the gatekeeper responsible for ensuring that the data of EU citizens is adequately protected under GDPR rules.
This year’s decision by the CJEU was the culmination of court proceedings brought by European data privacy activist Max Schrems. Schrems was also responsible for the legal battle which led to the dismantling of Safe Harbour, the data transfer agreement that preceded Privacy Shield.
‘This move by the DPC may lead to another half-hearted decision after all’
– MAX SCHREMS
Schrems originally took his complaint on EU-US data transfers to the Irish Data Protection Commission in 2013. “We obviously welcome the notion that the Irish DPC is finally moving towards doing its job after seven years of procedures and five court decisions, all of which upheld our position. However, this move by the DPC may lead to another half-hearted decision after all,” he said in a statement from NOYB, a non-profit organisation advocating for digital rights in Europe.
Schrems is sceptical that the preliminary order issued last month will solve the issues his complaints have raised. Earlier this week, his solicitor wrote to the DPC claiming that a “second investigation into only a sub-issue of the initial complaint” could be deemed contempt of court under Irish law.
NOYB has also informed the DPC of plans to file and interlocutory injunction, a matter on which the DPC is expected to respond by Friday, 11 September.
The Irish Data Protection Commission has yet to release a statement on the matter.