Facebook to Challenge Order to Cease Trans-Atlantic Data Transfers
"There is no immediate disruption to Facebook," the company said Monday after the Irish Data Protection Commission (DPC) ordered parent company Meta to suspend future data transfers to the U.S. within five months, pay a fine of $1.3 billion (1.2 billion pounds), and come into compliance with EU privacy law within six months. Facebook "will appeal the ruling, including the unjustified and unnecessary fine, and seek a stay of the orders through the courts," Global Affairs President Nick Clegg blogged.
The DPC decision follows several years of wrangling in Ireland's High Court and the European Data Protection Board (EDPB). Meta Ireland infringed Article 46(1) of the EU General Data Protection Regulation (GDPR) when it continued to shift personal data from the EU to the U.S. after the European Court of Justice judgment in the Schrems II case, the DPC said. Facebook carried out the transfers on the basis of updated standard contractual clauses adopted by the European Commission in 2021, but the DPC said those arrangements didn't "address the risks to the fundamental rights and freedoms of data subjects" identified by the court.
"Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive and continuous," said EDPB Chair Andrea Jelinek. "Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences."
Facebook said it's immediately seeking a stay of the orders due to the harm they would cause to users. "This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.," wrote Clegg. Besides, policymakers on both sides of the Atlantic are "on a clear path to resolving this conflict with the Data Privacy Framework," which they committed to implementing as quickly as possible. If the framework takes effect before Meta's deadlines expire, "our services can continue as they do today without any disruption or impact on users."
Max Schrems, who plans to challenge the latest cross-border data transfer agreement (see 2304050062), said Meta will appeal the decision, but "there is no real chance" it will be materially overturned: "Past violations cannot be overcome by a new EU-US deal. Meta can at best delay the payment of the fine for a bit."
Schrems said it's "laughable" that Facebook is making "empty threats that they will stop services in Europe." It's the company's largest market outside the U.S., he said, suggesting one potential option could be a "federated" social network where European data stays in Facebook's data centers in Europe unless users are chatting with someone in the U.S. Meta said in February 2022 it's "absolutely not threatening to leave Europe" over uncertainty about data transfers.
The Computer & Communications Industry Association urged the U.S. to quickly implement all privacy safeguards and redress mechanisms called for by President Joe Biden's executive order on cross-border data (see 2210070069), and urged EU national governments to approve the EC adequacy decision on U.S. data protection safeguards "without delay." This "issue goes far beyond Meta," said the U.S. Chamber of Commerce. It, too, urged speedy completion of the trans-Atlantic agreement.
Monday’s decision “underscores the importance of implementing” a new data privacy framework between the EU and U.S., said Aaron Cooper, BSA | The Software Alliance vice president-global policy: “That agreement, once in place, will both improve privacy protections and provide greater certainty for EU-US data transfers. While the decision announced today is about social media, data transfers are integral for creating jobs in every sector of the economy and on both sides of the Atlantic.” The Information Technology Industry Council urged leaders in the U.S. and EU to “take all steps necessary to fully implement” the agreement. Data flows “underpin the $7 trillion economic relationship between the EU and U.S., and the movement of data across borders is the foundation of global trade and innovation in an increasingly digitized world,” said CEO Jason Oxman.
The Biden administration “should stand up to the unwarranted harassment of American companies by EU data protection agencies,” said Information Technology and Innovation Foundation Associate Director Nigel Cory: The GDPR authorizes companies to use standard contractual clauses to share data, but dominant American companies “face a constant challenge of interpreting the unclear, restrictive, and ever-shifting legal requirements of managing data inside and outside the EU.”