Ireland's data protection watchdog, the DPC, has sent Facebook a preliminary order to suspend data transfers from the EU to the US, the Wall Street Journal reports, citing people familiar with the matter and including a confirmation from Facebook's VP of global affairs, Nick Clegg.
The preliminary suspension order follows a landmark ruling by Europe's top court this summer which both struck down a flagship data transfer arrangement between the EU and the US and cast doubt on the legality of an alternative transfer mechanism (aka SCCs) -- certainly in cases where data is flowing to a non-EU entity that falls under US surveillance law.
Facebook's use of Standard Contractual Clauses to claim a legal basis for EU data transfers therefore looks to be fast running out of borrowed time.
European privacy campaigner Max Schrems, whose surname is colloquially attached to the CJEU ruling (aka Schrems II) -- and to an earlier ruling which invalidated the prior EU-US data transfer deal, Safe Harbor, on the same grounds of US surveillance overreach -- filed his original complaint about Facebook's use of SCCs all the way back in 2013. So the tech giant has had more than half a decade to get its European data ducks in order.
Reached for comment on the WSJ report, Facebook pointed us to a freshly published blog post, also penned by Clegg -- who acknowledges "significant uncertainty" for businesses operating online services that rely on transatlantic data flows in the wake of the Schrems II ruling.
In the blog post the former deputy prime minister of the United Kingdom goes on to advocate for "global rules that can ensure consistent treatment of data around the world".
"The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers," Clegg writes. "While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on."
Facebook's blog post lobbying for global rules to ensure "stability" for cross-border data transfers paints a picture of how the Schrems II ruling might negatively affect European startups -- claiming it could result in local businesses being unable to use US-based cloud providers or run operations across multiple time zones.
The blog post doesn't have anything much to say on how Facebook itself having to stop using SCCs might affect Facebook's own business -- but we've discussed that before here. (The short version is Facebook may need to split its infrastructure in two, and offer a federated version of its service to EU users -- which would clearly be expensive and time consuming for Facebook.)
"Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term," Clegg goes on, before lobbying for regulatory leniency in the meanwhile, as Facebook continues to transfer EU data to the US in what he claims is "good faith" -- despite the acknowledged legal uncertainty and the complaint in question dating back well over half a decade at this point.
Here he is pleading for data transfer mercy on behalf of other businesses who are not involved in this specific complaint: "While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way."
EU lawmakers warned recently that there would be no quick fix for US data transfers, despite some parallel Commission noises about working with the US on an enhanced replacement mechanism for the now defunct 'Privacy Shield'. (Although for businesses that aren't, as Facebook is, subject to FISA 702 there may be ways to use SCCs for US transfers that are legal, or at least law firms willing to suggest measures you could take...)
Speaking to the EU Parliament last week, justice commissioner Didier Reynders suggested changes to US surveillance law will be needed to bridge the legal schism between US surveillance law and EU privacy rights.
And of course legislative changes require both time and political will. Although it's interesting to see Facebook's global VP feeling moved to wade in and call for global solutions for cross-border data transfers. Perhaps the tech giant will funnel some of its multi-million dollar domestic lobbying budget on making the case for reforming US surveillance law in future.
Ireland's data protection regulator declined to comment on the WSJ report when we got in touch.
Schrems, meanwhile, is not sitting on his hands. In a statement following the newspaper's report he said his digital rights not-for-profit, noyb, was not informed about the preliminary order by the DPC -- speculating the information was leaked to the newspaper by Facebook to draw political attention to its cause.
He also reveals an intent by noyb to start a legal procedure against the DPC, saying it informed Ireland's regulator this week that it plans to file an interlocutory injunction over the opening of a 'second' procedure into the matter -- arguing this move is in breach of a 2015 court order and is essentially the equivalent of letting Facebook carry on a multi-year game of legal whack-a-mole where it never actually faces enforcement for breaking each specific law.
"Facebook is knowingly in violation of the law since 2013. So far the DPC has covered them and for seven years refused to enforce the law. It seems after the second judgement by the Court of Justice not even the DPC can deny that Facebook's international data transfers are built on sand," Schrems told TechCrunch.
"At the same time, Facebook has in internal communication indicated that it has again shifted its legal basis from the SCCs to [the GDPR] Article 49 and the contract they allegedly sign with users. We are therefore very concerned that the DPC is again only investigating one of two legal basis that Facebook uses. This approach could lead to another frustrated case, like the 'Safe Harbor' case in 2015."
What's new since 2015 is Europe's General Data Protection Regulation (GDPR) -- which came into application in May 2018 and has led EU lawmakers to claim standard-setting geopolitical glory, as the issue of data privacy has risen up the agenda around the world, propelled by the deforming effects of platform power on societies and democracies.
However the two-year-old framework has so far failed to deliver anything much at all on major cross-border complaints which pertain to platform giants like Facebook (or indeed to the adtech industry). This summer a Commission review of the regulation highlighted what it described as a lack of uniformly vigorous enforcement.
Ireland's DPC is fully in the spotlight on this front too, as the lead regulator for a large number of US tech firms.
It finally submitted the first draft decision on a cross border complaint earlier this summer -- but a final decision on that case (relating to a Twitter security breach) has been delayed as the draft failed to gain the backing of all the region's data supervisors, triggering further procedures related to joint working under the GDPR's one-stop-shop mechanism.
Any order from the DPC to Facebook to suspend SCCs would similarly need to gain the backing of the bloc's other regulators (or at least a majority of them). Per the WSJ's report, Ireland's regulator has given Facebook until mid-September to respond to the order -- after which a new draft would be sent to the other supervisors for joint approval.
So there's further delay built into the GDPR process before any final suspension order could be issued against Facebook in this seven year+ case. Move fast and break things this most certainly is not.
The WSJ also speculates that Facebook could try to challenge such an order in court. "Internally, Facebook considers the preliminary order and its future implications a big deal," it adds, citing one of its unnamed sources.