A month after the Irish data watchdog submitted a draft ruling to EU regulators, Norway has weighed in on the legal quagmire around EU-US data transfers.
Norway’s data protection authority wants Facebook’s parent company to be fined for continuing to transfer EU data to the US in violation of EU law, according to a document seen by Politico.
While Norway is not a member of the EU, it is part of the European Economic Area, which has incorporated GDPR.
The proposal was a response to a draft ruling issued by the Irish Data Protection Commission (DPC) to other EU regulators last month, following an investigation into whether Meta’s transatlantic data-sharing practices comply with EU rules.
A final ruling could force Meta to halt data transfers between the EU and US.
According to the document, Norwegian data authority Datatilsynet considers Meta’s violation of EU data transfer laws to be “particularly serious” and said that there would be “little or no incentive” for the US tech giant to comply with the laws if regulators do not issue a fine.
“Based on the facts of the case, we do not see how [Meta] could have continued its personal data transfers following the Schrems II judgment had it acted in accordance with the GDPR,” the document reads.
Schrems II refers to a 2020 EU court ruling that struck down Privacy Shield, the data privacy tool that allowed for the transfer of European data to US companies. It said that transfers of personal data from the EU could only take place if there is a sufficient level of protection.
Because the EU does not consider US data protection to be adequate, data transfers can only take place through mechanisms such as standard contractual clauses. However, the DPC has previously proposed that Meta’s use of standard contractual clauses in respect of European user data does not comply with GDPR.
In response, Meta has threatened to shut down Facebook and Instagram in the EU.
Datatilsynet said that while limitations and bans can ensure future processing of personal data is in line with GDPR, sanctions such as administrative fines “are directed towards violations in the past and carry a punitive element”.
Last year, the Norwegian data protection authority published a detailed reasoning of its decision to not use a Facebook page for communication because “the risks to the users’ rights and freedoms associated with the processing of personal data through a page on Facebook are too high”.
In March, Meta was fined €17m by the Irish DPC for not complying with GDPR requirements and failing to have in place “appropriate technical and organisational measures” to protect user data in the context of a dozen data breaches.
But Meta could be waiting some time for a ruling from the DPC on the US-EU data transfers case. Politico reported earlier this month that the Irish watchdog has received objections from several other EU regulators to its draft order, delaying a final decision.