The Irish Data Protection Commission (DPC) has issued a preliminary order calling for Facebook to cease transferring the personal data of EU citizens to the United States.
While it was possible for data to be transferred to the United States under the Privacy Shield agreement, in July 2020, the European Court of Justice issued a ruling that essentially voided the Privacy Shield agreement because it was deemed to be insufficient to protect the personal data of EU citizens when data are transferred for commercial uses. The Privacy Shield does not prevent personal data from being monitored by U.S. authorities.
Following the European Court of Justice ruling, the Irish DPC launched an official enquiry into the data transferred by Facebook from the EU to the US, resulting in the issuing of the preliminary order. Facebook has until the end of September to respond or comply, after which a financial penalty could be issued. The maximum fine under the GDPR is €20 million or 4% of global annual revenues for the previous fiscal year, which for Facebook would mean a maximum fine of €2.9 billion.
Facebook uses a mechanism called Standard Contractual Clauses (SCCs) for the transfer of data, which the social media giant believed had been validated by the European Court of Justice in July. Facebook is far from the only company to use SCCs to transfer the data of EU citizens. Thousands of companies use SCCs. The issue is not SCCs, rather it is the transfer of data to countries, such as the United States, where privacy protection cannot be assured. It is only possible to transfer personal data of EU citizens to another country if the country where the data are being sent is compliant with the General Data Protection Regulation (GDPR).
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” said Facebook VP of global affairs and communications Nick Clegg. “While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
In a recent blog post, Facebook said, “We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”
There is concern that the ruling would damage the economy and hamper growth, not just in the US but also in the EU. “The impact would be felt by businesses large and small, across multiple sectors. In the worst-case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider,” said Clegg.