Facebook may have to temporarily suspend transfer of data belonging to its European users to the United States, the Wall Street Journal reported on Wednesday. Ireland’s Data Protection Commission (DPC) reportedly issued a preliminary order last month to suspend such data transfer since a key mechanism to send data from the EU to non-member countries — standard contractual clauses (SCC) — which is used by Facebook, is no longer considered valid by the DPC.
Nick Clegg, Facebook’s global head of policy and communications, confirmed to WSJ that the DPC, as part of an ongoing inquiry, has suggested that Facebook could no longer conduct EU-US data transfers using standard contractual clauses. In a blog post published the same day, Clegg was a lot less clear about whether Facebook would follow or reject the DPC’s order, saying only that the order, if followed, could have “far reaching consequences” on businesses (more on this below).
In case Facebook is forced to follow the DPC’s orders, the company would have to restructure its data management systems. In case it failed to comply, the DPC has the power to fine Facebook up to 4% of its annual revenue under the GDPR.
Background: Why is data transfer between EU and the US a hot topic?
Earlier in July, the Court of Justice of the European Union (CJEU) had issued a judgement restricting how multinational companies could send personal information pertaining to their European users to the territorial jurisdiction of the US. It had invalidated an EU-US data transfer agreement known as Privacy Shield.
What is Privacy Shield, and why it was struck down: To understand why Privacy Shield was adopted, and later struck down, one has to go back two decades and start at the beginning of how the transfer of data between EU and US has been governed.
Between 2000 and 2015, companies sending data from the EU to the US had to adhere to a set of principles known as “Safe Harbor”. It was accepted that US companies could transfer data as long as they ensured an adequate level of data protection. However, Safe Harbor was challenged in 2013, after revelations by whistleblower Edward Snowden that the US was involved in large-scale surveillance of its citizens. The implication was that data of EU citizens was at risk of finding itself in the hands of US government agencies.
In October 2013, Maximilian Schrems, an Austrian, filed a complaint against Facebook with the Irish DPC, claiming that his data with Facebook was not safe since the US did not offer adequate levels of protection against access by public authorities (Ireland is Facebook’s European headquarters). Later, the CJEU declared Safe Harbor “invalid” in a judgement in October 2015. This judgement is popularly known as “Schrems I”.
This ruling directly led to the development of the “Privacy Shield” agreement between the EU and US, which had additional protections compared to Safe Harbor. However, in July this year, in a continuation of Schrems I, the CJEU ruled that Privacy Shield too was invalid, again due to the same concerns — that the data of European users was possibly being exposed to US government surveillance. This judgement is referred to as “Schrems II”.
Meanwhile, there continued to exist an alternate legal mechanism for companies, Standard Contractual Clauses (SCC), whose validity has been ambiguous since the July 2020 ruling. SCCs were prepared using pre-approved boilerplate EU language that allowed companies to transfer data as long as they met the prescribed requirements.
The CJEU had clearly stated in its ruling that SCCs were, in fact, valid. The Irish DPC, in its subsequent statement, welcomed the move but called for a more “careful examination” of the matter related to SCCs. It had said that the application of the SCCs transfer mechanism was now questionable. It wrote: “This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”
What has happened now?
Clegg, in his blog post, said that the Irish DPC has “suggested” to Facebook that SCCs cannot be used for data transfers any more. This is in line with the DPC’s thinking on the validity of SCCs, as evidenced by its reaction to the CJEU ruling. Furthermore, the WSJ speculated the DPC’s order would pertain to other telecommunications companies as well.
How has Facebook reacted?
Clegg, in his blog post, said that the DPC’s orders could have a far-reaching effect on businesses that rely on SCCs. He wrote: “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19.”
Clegg suggested that European businesses would no longer be able to run international operations. “A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.” He added that not just the business world, but public services such as health and education would be affected as well. He pointed out that Ireland, from where Facebook has received the order, uses a Covid Tracking App that relies on SCCs to transfer data to the US.
Clegg urges proportionate and pragmatic approach: Clegg, a former deputy prime minister of the United Kingdom, admitted that building a sustainable data-sharing framework while simultaneously respecting the fundamental rights of EU citizens was not an easy task. “While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.”
Will continue complying with CJEU’s July ruling: Facebook, however, seems noncommittal about following the Irish DPC’s order. Clegg maintained that Facebook would continue to transfer data in compliance with the CJEU’s July ruling, until the company receives “further guidance”.
The WSJ has reported that the DPC had given Facebook until mid-September to respond to the order. A source told the publication that after considering Facebook’s responses, the DPC would send a new draft of its order to privacy regulators in other EU member nations for approval. WSJ also reported that Facebook could challenge the order in court.