The Irish data protection regulator has sent Facebook a preliminary order to stop transferring European user data to the US.
Following a successful legal challenge to the Privacy Shield data sharing agreement this summer, Facebook has been using Standard Contractual Clauses (SCCs) as the legal basis for transatlantic data transfers.
However, there’s been doubt about the legality of this right from the start, as SCCs are only valid if the country receiving the data has similar privacy protections to the EU. And when it comes to the US, surveillance laws mean this isn’t the case.
As a result, the Irish Data Protection Commission (DPC) has now opened an inquiry and suggested that SCCs cannot in practice be used for EU-US data transfers.
Facebook, naturally, is opposing the move.
“The impact would be felt by businesses large and small, across multiple sectors,” writes VP of global affairs and communications Nick Clegg in a blog post.
“In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.”
The proceedings over Privacy Shield were brought by activist Max Schrems. Schrems says he’s happy that the DPC is taking action, but that it isn’t going far enough.
“The DPC is again only investigating one slice of the problem – as they have done twice already in the investigations on Safe Harbor and the SCCs. Facebook seems to want the DPC to only focus on the SCCs as well, so that they can just pull out the next legal basis at the end of this procedure,” he says.
“This legal edition of ‘whack-a-mole’ has been ongoing for seven years now. I therefore suspect that the alleged preliminary order against Facebook is another useless step that will not solve the issue fully.”
It’s not clear how Facebook will respond: certainly, it won’t be easy for the company to comply. It could separate out European data from the rest, or simply stop transferring it in the first place.
Clegg is still challenging the basis if the order – that US privacy law is inadequate to protect European users.
“Facebook… welcomes the efforts already underway between EU and US lawmakers to evaluate the potential for an “enhanced” EU-US framework – a Privacy Shield Plus,” he writes.
“These efforts will need to recognise that EU Member States and the US are both democracies that share common values and the rule of law, are deeply culturally, socially and commercially interconnected, and have very similar data surveillance powers and practices.”
Whether European regulators agree remains to be seen.