Ireland’s Data Protection Commissioner (DPC) has sent Facebook a preliminary order to stop transferring data from the European Union (EU) to the US, signalling a potential crackdown on big tech companies’ data sharing practices.
The suspension order was sent to Facebook in late August, according to a report in the Wall Street Journal, which now has until the end of September to contest a provisional ruling that Standard Contractual Clauses (SCCs) cannot be used as the mechanism for EU-US data sharing.
If it fails to comply with the order, the DPC has the power to fine Facebook up to 4% of its annual revenue, or $2.8bn, under the General Data Protection Regulation (GDPR).
The order follows a landmark ruling by the European Court of Justice (ECJ) in July to strike down Privacy Shield, the EU-US data sharing agreement, which the court said failed to ensure European citizens adequate right of redress when data is collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling also cast doubt on the legality of using SCCs as the basis for international data transfers, finding that although they were legally valid, companies still have a responsibility to ensure those they shared the data with granted privacy protections equivalent to those contained in EU law.
Nick Clegg, Facebook’s vice-president of global affairs and communications and the former deputy prime minister of the UK, confirmed Facebook is in receipt of the DPC order in a blog post.
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” he wrote.
“While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
He added: “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU…the impact would be felt by businesses large and small, across multiple sectors.”
Clegg went on to claim that if SCCs were annulled, “the effects would reach beyond the business world, and could impact critical public services such as health and education”, including Ireland’s Covid Tracking App.
In a final plea, Clegg urged regulators to adopt a “proportionate and pragmatic approach” to minimise disruption to thousands of business that, “like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way”.
However, according to Austrian lawyer Max Schrems, who initiated the legal proceedings that led to the ECJ’s landmark decision (colloquially known as Schrems II), his digital rights not-for-profit NOYB was not informed of the DPCs actions, which he now plans to take legal action against.
“The leak about a secret ‘preliminary order’ against Facebook shows that the DPC was trying to run a secret procedure without the complainant. While such an order should have been issued in 2013, we are very concerned that the DPC is again only embarking on a limited investigation that will not fully determine all aspects of the case,” he said.
“We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld – no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table.”
In late July 2020, Schrems’s lawyers wrote to the Irish data protection commissioner Helen Dixon to demand that she set out a clear timetable for the regulator to make a decision on the legality of Facebook Ireland’s transfer of EU citizens’ data to Facebook in the US. Schrems added that the commissioner had failed to act on his complaint for seven years.
NOYB said on its website that it has now informed the DPC of its plans to file an interlocutory injunction over its decision to conduct a second investigation, which “is strictly limited to Facebook’s use of SCC”, on the basis that pausing Schrems’s ongoing complaints procedure breaches a 2015 order from the Irish High Court.
“This limited case by the DPC is especially interesting, as Facebook has indicated in a letter from 19 August 2020 that (after the end of Safe Harbor, Privacy Shield and the SCCs) it is now relying on a fourth legal basis for data transfers: the alleged ‘necessity’ to outsource processing to the US under the contract with its users,” it said.
“This means that any ‘preliminary order’ or ‘second investigation’ by the DPC on the SCCs alone will, in fact, not stop Facebook from arguing that its EU-US data transfers continue to be legal. In practice Article 49(1)(b) GDPR may be an appropriate legal basis for very limited data transfers (e.g. when an EU user is sending an message to a US user), but cannot be used to outsource all data processing to the US.”
Schrems claimed that Facebook wants the DPC to focus solely on SCCs because it only represents a “slice of the problem”.
“Facebook seems to want the DPC to only focus on the SCCs as well, so that they can just pull out the next legal basis at the end of this procedure,” he said.
“This legal edition of ‘whac-a-mole’ has been ongoing for seven years now. I suspect that the alleged preliminary order against Facebook is another useless step that will not solve the issue fully.”
When approached about the legal action by Computer Weekly, the DPC said it would not be commenting at this time.