Facebook has told Ireland’s Data Protection Commission that it cannot see how it can continue operating in the European Union if regulators’ proposal to suspend overseas data transfers between the EU and United States is implemented. In the event that Facebook becomes subject to a complete suspension of the transfer of users’ data to the US, it is not clear “how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU”, Facebook said in a regulatory filing to the Irish DPC. Facebook alone has about 410 million monthly active users in Europe. This was first reported by VICE News.
On August 28, the Commission had issued a preliminary order to suspend data transfers to the US since a key mechanism to send data from the EU to non-member countries — standard contractual clauses (SCC) — which is used by Facebook, is no longer considered valid by the DPC.
Facebook has filed a lawsuit challenging the Irish DPC’s preliminary order. In a new filing by Yvonne Cunnane, Facebook Ireland’s head of data protection and privacy, the company accused the regulator of selectively acting against Facebook and failing to follow due process.
Not enough time given to Facebook to respond: Facebook said the regulator’s three-week timeline to Facebook for a response to its preliminary decision was “manifestly inadequate” and amounted to breach of fair procedure. It gave the impression that the Commission will “give little weight” to Facebook’s submissions and that the regulator will not change its views.
Failures in due process: Besides, Facebook pointed out that the Commission informed Maximillian Schrems — whose 2013 lawsuit kicked off the whole data transfer debate — that it anticipated a draft decision within another three weeks of Facebook’s response. The fact that this was not disclosed to Facebook makes it apparent that the Commission intends to reach a final decision, which will have potentially very serious consequences, without giving Facebook an opportunity to make its submissions.
Facebook said the regulator appears to have skipped or sidestepped important processes such as information gathering, preparing a draft inquiry report, and so on, and declared that this was “prejudicial and unfair” to Facebook.
Selectively acting against Facebook: Cunnane said she was not aware of any similar inquiry being conducted into transatlantic data transfers being done by other companies under the DPC, pointing out that SCCs are used by “very many other companies” to transfer data to the US. Since the Commission’s concerns arise due to aspects of American law, its concerns will likely arise in respect of many other companies, Facebook said.
Cunnane also raised concern about the decision being made “solely” by Helen Dixon, Ireland’s data protection commissioner. “The fact one person is responsible for the entire process is relevant to [Facebook’s] concerns, in respect of the inadequacy of the investigative process engaged in and independence of the ultimate decision-making process,” Cunnane wrote.
Data transfers between US and EU under scrutiny
The present development around data transfers flows from Schrems II judgment in July 2020, wherein the Court of Justice of the European Union (CJEU) had ruled that the Privacy Shield agreement between the EU and US was invalid, due to concerns that the data of European users was possibly being exposed to US government surveillance.
However, alongside the judgment, there continued to exist an alternate legal mechanism for companies, Standard Contractual Clauses (SCC), whose validity has been ambiguous since the July 2020 ruling. SCCs were prepared using pre-approved boilerplate EU language, that allowed companies to transfer data as long they met the prescribed requirements. The CJEU, in its ruling, had held SCCs to be valid. But the Irish DPC was unconvinced, and said SCCs were “questionable” and called for careful examination of the matter.