Ireland's Data Protection Commission (DPC) has issued a preliminary order to Facebook, telling it to suspend any personal data transfers between the EU and the US.
Facebook still has until the end of September to respond to the order, which could be revised over the next few months.
First reported by the Wall Street Journal, the order is the result of a ruling made by European courts in July to stop any data from being exported to the US or to any country where US authorities can monitor data. According to the ruling, colloquially known as Schrems II, data transfers should only take place if the “third country in question ensures an adequate level of data protection.” If Facebook fails to comply with the order then the DPC has the power to impose a fine of up to four percent of the company's annual revenue.
EU regulators will now have to figure out how to enforce the ruling and how companies like Google, Facebook and Amazon all intersect with the Schrems II ruling.
Data protection not good enough
The ruling is named after Austrian lawyer Max Schrems. Schrems is a Facebook user, and some of his data was found to have been transferred by the social media and advertising company to its servers in the US. Schrems went on to found the pressure group None of Your Business (NOYB), which has leveled complaints against companies like Facebook over compliance with GDPR.
Previously, the EU could permit a company to export customer data internationally (out of the EU) under a Standard Contractual Clause (SCC). Facebook, under its SCC granted by the EU, was permitted to transfer data to its US servers, so no law was broken at the time. Whenever a company applies for an SCC, it must undergo evaluations as to whether an EU client's data will be protected sufficiently.
However, Schrems complained that Facebook Ireland, the company's European division, was sending data to a location where it was vulnerable and at risk of snooping by the NSA under PRISM; Schrems cited this in his complaint with Ireland's DPC back in 2013.
Initially, the complaint was rejected by the DPC due to the belief that the US ensured a good standard of protection. However, Schrems and his team, back then called Europe vs Facebook (EVF), filed an appeal to the Irish High Court, and in October 2015 the Court of Justice of the European Union (CJEU) declared the decision by the DPC invalid (‘the Schrems I judgment’). This prompted the DPC to reevaluate its decision and ask Schrems to resubmit his complaint; the commission has since ruled in Schrems's favor.
Following the ruling, the DPC has now set up an inquiry and is ordering Facebook Ireland to suspend all its data transfers to its US servers, pending revisions.
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” Facebook VP of global affairs and communications, Nick Clegg, said in a blog post.
“While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
The former deputy Prime Minister of the UK continued by claiming that getting rid of SCCs "would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19. The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider."
Adding to the confusion, Schrems said that NOYB had not been made aware of the latest DPC move, and would challenge it in court claiming it did not go far enough.
“The leak about a secret ‘preliminary order’ against Facebook shows that the DPC was trying to run a secret procedure without the complainant. While such an order should have been issued in 2013, we are very concerned that the DPC is again only embarking on a limited investigation that will not fully determine all aspects of the case,” he said.
“We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld – no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table.”
In a letter to NOYB, the DPC highlighted that this second investigation is strictly limited to Facebook's use of SCCs under Article 46(1) GDPR.
Article 46(1) GDPR says: "In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available."
The article above cites Article 45(3) which says: "The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection..."
Facebook says it "needs" to transfer data to the US under Article 49(1)(b) GDPR if it hopes to fulfill "contractual" obligations to users.
As a result of the Schrems II ruling, the EU-US Privacy Shield was effectively dismantled. On August 10, a joint statement from the US Secretary of Commerce, Wilbur Ross, and European Commissioner for Justice Didier Reynders revealed that a whole new "enhanced" EU-US Privacy Shield was in the works. According to the statement, the judgment behind Schrems II declared that "this framework is no longer a valid mechanism to transfer personal data from the European Union to the United States." The previous EU-US Privacy Shield replaced ‘Safe Harbor’, a similar but much weaker framework in place since 2000.
In mid-August, NOYB dumped a host of complaints about 101 companies that use Google and Facebook for analytics and services. NOYB has lobbied data protection agencies across the EU and the European Economic Area to take action. To deal with the complaints, the European Data Protection Board (EDPB) created a task force to handle the 101 complaints. Another task force is being established to come up with advice for data "controllers" (European companies handling personal data) and "processors" (the services those companies use to process that data).
Andrea Jelinek, chair of the EDPB, said: “The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility… We will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries.
“However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick-fix solution. Each organization will need to evaluate its own data processing operations and transfers and take appropriate measures.”