In a statement from Facebook’s VP of Global Affairs and Communications, Nick Clegg, the social media giant confirmed that the Irish Data Protection Commission (DPC) has commenced an inquiry into data transfers from the EU to the U.S. by Facebook.1 The Wall Street Journal reports that the Irish DPC sent Facebook a preliminary order to suspend data transfers to the U.S. late last month.2
Action by regulators was inevitable following the Court of Justice of the European Union (CJEU)’s Schrems II ruling in July (for an analysis of this judgment see our previous OnPoint here) where the CJEU raised doubts about the protection provided to personal data transferred to the U.S. because of government surveillance. Max Schrems’ privacy group, Noyb, has already filed 101 complaints with regulators across all EU member states against companies with major European websites using code from Facebook or Google, both of which transfer data to the U.S. for processing.
In the first sign of major action from an EU regulator, the Irish DPC has reportedly sent Facebook a preliminary order to suspend data transfers to the U.S. (the Wall Street Journal cites sources as being “people familiar with the matter”). Facebook will have an opportunity to respond and the Irish DPC will need to coordinate with regulators in the other EU member states so it is possible that the order could be revised, but it is difficult to see how the DPC would do so and remain aligned with the CJEU’s judgement.
As noted in Facebook’s statement, if standard contractual clauses (SCCs) cannot be used in practice for data transfers, this could have a far reaching effect on businesses and online services. Highlighting the effects on smaller businesses, Clegg points out that “in the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.”
There is a tension between the CJEU’s judgment and the practical realities of business. Ultimately, the situation is a political one that requires redress between the EU and the U.S. but, given that the CJEU’s concerns stem from the surveillance activities undertaken in the U.S., it seems that this is a situation unlikely to be resolved without some action on the part of the U.S. to amend surveillance laws. In the meantime, Facebook is calling on regulators to be pragmatic: “while policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.”
Although it looks likely that large tech businesses will be the first targets of regulators, other businesses could be caught in the fall-out. Transferring personal data to the U.S. post Schrems II is likely to prove challenging for many businesses and in many cases will largely be about limiting risk rather than seeking to achieve full compliance. Pending formal guidance from regulators, businesses which rely on SCCs should ensure that they complete their data transfers review and assessment and consider putting in place extra security measures and policies in order to demonstrate that the inherent risks to data subjects are being minimised should a regulator come calling. For further information please see our previous Schrems II OnPoint related, herein.
1) Securing the Long Term Stability of Cross-Border Data Flows (Facebook, September 9, 2020)
2) Ireland to Order Facebook to Stop Sending User Data to U.S. (The Wall Street Journal, September 9, 2020)