wordpress blog stats
Connect with us

Hi, what are you looking for?

Irish privacy regulator could stop Facebook from transferring EU data to US: Report

EU, European Union, GDPR

Facebook may have to temporarily suspend transfer of data belonging to its European users to the United States, the Wall Street Journal reported on Wednesday. Ireland’s Data Protection Commission (DPC) reportedly issued a preliminary order last month to suspend such data transfer since a key mechanism to send data from the EU to non-member countries — standard contractual clauses (SCC) — which is used by Facebook, is no longer considered valid by the DPC.

Nick Clegg, Facebook’s global head of policy and communications, confirmed to WSJ that the DPC, as part of an ongoing inquiry, has suggested that Facebook could no longer conduct EU-US data transfers using standard contractual clauses. In a blog post published the same day, Clegg was a lot less clear about whether Facebook would indeed follow, or reject, the DPC’s order, only to say that DPC’s order, if followed, could have “far reaching consequences” on businesses (more on this below).

In case Facebook is forced to follow the DPC’s orders, the company would have to restructure its data management systems. In case it failed to comply, the DPC has the power to fine Facebook up to 4% of its annual revenue under the GDPR.

Background: Why is data transfer between EU and the US a hot topic?

Earlier in July, the Court of Justice of the European Union (CJEU) had issued a judgement restricting how multinational companies could send personal information pertaining to their European users to the territorial jurisdiction of US. It had invalidated a EU-US data transfer agreement known as Privacy Shield.

What is Privacy Shield, and why it was struck down: To understand why Privacy Shield was adopted, and later struck down, one has to go back two decades and start at the beginning of how the transfer of data between EU and US has been governed.

Advertisement. Scroll to continue reading.

Between 2000 and 2015, companies sending data from EU to the US had to adhere to a set of principles known as “Safe Harbor”. It was accepted that US companies could transfer data as long as they ensured an adequate level of data protection. However, Safe Harbor was challenged in 2013, after revelations by whistleblower Edward Snowden, that the US was involved in large scale surveillance of its citizens. The implication was that data of EU citizens was at the risk of finding itself in the hands of US government agencies.

Read more: US court finds mass surveillance illegal

In October 2013, Maximilian Schrems, an Austrian, filed a complaint filed a complaint against Facebook in the Irish DPC, claiming that his data with Facebook was not safe since US did not offer adequate levels of protections against access to public authorities (Ireland is Facebook’s European headquarters). Later, the CJEU declared that Safe Harbour as “invalid” in a judgement in October 2015. This judgement is popularly known as “Schrems I”.

This ruling directly led to the development of the “Privacy Shield” agreement between the EU and US, which had additional protections compared to Safe Harbor. However, in July this year, in continuation to the Schrems I, the CJEU ruled that Privacy Shield too was invalid, again due to the same concerns — that the data of European users was possibly being exposed to US government surveillance. This judgement is referred to as “Schrems II”

Meanwhile, there continued to exist an alternate legal mechanism for companies, Standard Contractual Clauses (SCC), whose validity has been ambiguous since the July 2020 ruling. SCCs were prepared using pre-approved boilerplate EU language, that allowed companies to transfer data as long they met the prescribed requirements.

The CJEU had clearly stated in its ruling that SCCs were, in fact, valid. The Irish DPC, in its subsequent statement, welcomed the move but called for a more “careful examination” of the matter related to SCCs. It had said that the application of the SCCs transfer mechanism was now questionable. It wrote: “This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

Advertisement. Scroll to continue reading.

What has happened now?

Clegg, in his blog post, said that the Irish DPC has “suggested” to Facebook that SCCs cannot be used for data transfers any more. This is line with the DPC’s thinking on the validity of SCCs, evidenced from their reaction to the CJEU ruling. Furthermore, the WSJ speculated the DPC’s order would pertain to other telecommunications companies as well.

How has Facebook reacted?

Clegg, in his blog post, said that the DPC’s orders could have a far-reaching effect on businesses that rely on SCCs. He wrote: “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19.”

Clegg suggested that European businesses would no longer be able to operate international operations. “A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.” He added that not just the business world, but public services such as health and education would be affected as well. He pointed out that Ireland, from where it has received the order, uses a Covid Tracking App that relies on SCC to transfer data to the US.

Clegg urges proportionate and pragmatic approach: Clegg, a former deputy prime minister of the United Kingdom, admitted that building a sustainable data-sharing framework and simultaneously respecting fundamental rights of EU citizens as not an easy task. “While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.”

Will continue complying with CJEU’s July ruling: Facebook, however, seems noncommittal about following the Irish DPC’s order. Clegg maintained that Facebook would continue to transfer data in compliance with the CJEU’s July ruling, until the company receives “further guidance”.

The WSJ has reported that the DPC had given Facebook until mid-September to respond to the order. A source told the publication that after considering Facebook’s responses, the DPC would send a new draft of its order to privacy regulators in other EU member nations for approval. WSJ also reported that Facebook could challenge the order in court.

Advertisement. Scroll to continue reading.

Read more:

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.


It is widely argued that the PDP Bill report seeks to discard the intermediary status of social media platforms but that may not be...


Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ