The unexpected decision in the Schrems II case last year threw many trans-Atlantic tech companies into chaos, with perhaps none so strongly impacted as Facebook. The social media giant has now exhausted its options for legal challenges as the Irish DPC has ended its stay on the data transfer ban. Facebook, along with other tech companies that manage pipelines of personal data that flow from the EU to the United States, will soon be faced with some very difficult compliance decisions.
Irish DPC ends Facebook’s challenge to suspension of EU-US data transfers
The Schrems II decision stemmed from a legal challenge to Facebook’s handling of the personal data of EU citizens. Privacy advocate Max Schrems successfully argued that data transfers to the US that contain protected EU citizen data are in violation of the General Data Protection Regulation (GDPR) due to the possibility that the US government may intercept this data (with the Edward Snowden leaks cited as a primary source of evidence).
Facebook has managed to stave off the legal consequences of this decision for months now via appeals to Ireland’s data protection commissioner. But at this point, it seems Facebook’s legal rope has run out. A ruling last week by the Irish High Court dismissed the company’s challenge to the Irish DPC, with no further appeals available.
Omer Tene, VP and Chief Knowledge Officer at IAPP, notes that the Irish DPC’s decision has ramifications for the world beyond the US due to prohibitions on the use of non-trusted countries as intermediaries for data handling and storage: “The decision sheds light on the regulator’s September 2020 preliminary order to Facebook, which has not been made public yet, requesting the social media giant halt data transfers as a result of the EU High Court decision in the Schrems II case. While directly affecting Facebook, the decision has momentous consequences for thousands of other companies transferring data across borders, from the EU to the US – as well as to other countries such as India and China. It raises the odds for and increases pressure on US-EU negotiations to settle the matter in a mutually acceptable way.”
Consequences of data transfer decision
The immediate consequence for Facebook is the possibility of having to shift EU citizen data entirely to storage within the EU. The data transfer stay is scheduled to be formally lifted on May 20. At that time, Facebook will be fully subject to the enhanced scrutiny that the Schrems II decision has established. While data transfers to the US are not banned, it is now incumbent upon each tech company to demonstrate that it is securing EU citizen data from potential harm or misuse once this information leaves EU borders. That’s a particular problem for Facebook, which is of such a size and scope that it is subject to special National Security Agency (NSA) surveillance rules that grant US intelligence access to international data transfers under certain circumstances. Without a change to US law that would allow Facebook to exempt itself, these rules create a clear violation of the GDPR in exactly the manner that the Schrems challenge was predicated on.
The Schrems II decision has not quite entered the enforcement stage yet, as companies were given some time to come up with legal alternatives and let court measures (such as Facebook’s) play out. This was the last of the substantial challenges to the decision, however. The Irish DPC has agreed to swiftly finalize the complaint and begin enforcing the terms of the decision, which could mean a suspension order against Facebook as soon as June. However, the EU’s other DPCs would have to sign off on the order as well; if there is any dissension in the ranks about the terms, Facebook could receive some more time as the European Data Protection Board wrangles its members and potentially takes the issue to a vote if there is enough contention.
Should all of that play out and see Facebook handed a fully approved suspension order sometime this summer (or fall), the company would have to ensure that EU citizen data is not available to its US division. After the initial ruling last year, rumors had swirled that Facebook might pull out of Europe entirely due to the decision, but it seems more likely that the company will shift to a local data processing model of some sort rather than give up its 419 million individual users and 25 million business customers in the region.
Implications for US tech companies
The Irish DPC’s decision does not just apply to Facebook, of course. Any US tech company that is subject to similar rules about interception of foreign communications will find itself in the same boat; this will most likely include Google, Apple, Amazon, Twitter and many of tech’s other biggest names. There had been some hope that EU authorities might cobble together something to replace the invalidated Privacy Shield agreement, even if it only kicked the can down the road for some years until the next legal challenge. Such legislation does not appear to be forthcoming at this point, and the US is unlikely to be considered a “trusted partner” under the GDPR’s data transfer terms until there is some sort of comparable federal data privacy law on the books there.
While there have yet to be any enforcement actions, the Irish DPC and some of the other national data protection regulators have issued some preliminary orders suspending data transfers. At the end of this entire process remains the question of how the Irish DPC will enforce the data transfer decision should Facebook (and other companies) continue to violate it after receiving an order to stop; the regulator has established something of a reputation for taking very long amounts of time in reaching enforcement decisions regarding big tech companies that are headquartered in the country, and ultimately issuing fines that are far from the maximum allowable under the law.