The Data Protection Commission (DPC) in Ireland sent a preliminary order to Facebook requiring it to suspend data transfers from the EU to the US. This suspension order comes on the heels of the landmark ruling from the highest court in the EU, Data Protection Commission v. Facebook Ireland (Schrems II), which restricted the methods companies can use to transfer EU data to the US. Notably, this decision ended the use of the widely popular “Privacy Shield” program. This decision was made because there is currently no way to limit US government surveillance on companies like Facebook. EU regulators want to ensure that EU data has the same protection in the US as it does in the EU. According to a Wall Street Journal article, Ireland’s DPC sent the order late last month, asking for a response from Facebook. Privacy officers across the world, especially in the US, are closely watching the case unfold, as this is the first significant step taken by an EU regulator to enforce Schrems II. How Facebook reacts and the steps taken by Ireland could be an indication of what is to come.
It seems that despite the court’s ruling in Schrems II, Facebook and many other similar companies have continued transferring data from the EU to the US. To comply with an order like Ireland’s preliminary order, Facebook will have to reconfigure how it processes and stores the data from Irish Facebook users. This could potentially place a temporary halt on Facebook services for Irish citizens and consumers throughout the EU. Ultimately, if Facebook fails to comply, the commissioner has the power to fine Facebook up to 4% of its annual revenue.
The order from the DPC also called into question the use of the Standard Contractual Clauses (SCCs). The DPC stated that it is unsure how the current processes for data transfers could actually protect EU data from US government surveillance. More specifically, the order states that the SCCs cannot, in practice, be used for EU-US data transfers. The SCCs are a widely used mechanism for companies to transfer data from the EU under a set standard, but when the problem is whether the US government has the power to surveil certain types of data, the SCCs cannot ease those concerns. It seems that no amount of extra security measures could help US companies ease the EU’s concerns because, ultimately, the question is whether the US government has the power to surveil EU consumer data.
Currently, given its involvement as a party in the Schrems II decision, the DPC has only directed its order to Facebook, an arguably easy and highly public target. However, other companies in the US should not take this order lightly. This should serve as a warning for companies that transfer data from the EU. Now is the time to be strategic about how EU data will be stored and processed moving forward. Not only will companies have to reconsider their approach to EU data, but the US may also have to reconsider its surveillance laws to ease the EU’s concerns. If the US government does not consider another approach, it could cost big tech companies billions of dollars. This could, in turn, create a domino effect because other countries may begin to agree with the EU and question US government surveillance laws, potentially halting cloud services, marketing across borders, and employee data processing. Facebook is expected to respond to the preliminary order in mid-September. In the meantime, the Irish DPC is seeking joint approval from other privacy regulators across the EU.
Many questions are left unanswered. Are the SCCs enough for companies that are not subject to FISA 702 (a US surveillance law that companies like Facebook are subject to)? Will companies have to split their data processing activities according to the location of their consumers or users? Can smaller startups survive if data transfers between the EU and the US are no longer allowed? Answering many of these questions depends on whether the US government is willing to create US laws that bridge the gap between US surveillance laws and EU privacy rights. There is no better time to create contingency plans with your privacy attorneys and officers as this situation continues to unfold.