Facebook’s US data transfers suffered a setback in Ireland. Here’s what you need to know.
Dublin court rejects Facebook appeal against Irish privacy regulator.
Facebook’s legal troubles are going from bad to worse
On Friday, Ireland’s High Court ruled against the social networking giant in a dispute over the company’s efforts to keep moving European data to the United States.
The decision does not mark the end of Facebook’s ability to send people’s data across the Atlantic.
But it does mark a serious blow to its efforts to keep the data taps flowing amid ongoing discussions between the European Union and the U.S. on a new data-transfer pact that would allow all firms — and not just Facebook — to move data between two of the world’s largest economic blocs.
The Irish Data Protection Commission said it “welcomed” Friday’s judgment. A Facebook spokesperson said the company looked forward to defending its compliance to the DPC.
“Their preliminary decision could be damaging not only to Facebook, but also to users and other businesses,” the spokesperson said.
Here’s what you need to know:
What was decided Friday?
The Dublin court largely rebuffed Facebook’s attempts to find fault with the Irish DPC’s regulatory process.
Though Facebook’s right to challenge the regulatory process was granted, the judge gave short shrift to pretty much all the social media giant’s other claims.
To Facebook’s gripes that the DPC had diverged from standard protocol, for instance, the judge said that the regulator had every right to approach the inquiry differently from how it had done before — especially since it had said that it might do so.
“In my view, the DPC does have a wide discretion as to how to proceed with its inquiry … provided that it complies with fair procedures and with its obligations under the GDPR,” the judgment reads.
“I do not accept that it could be said to be unfair, unjust or inconsistent with good administration for the DPC to be permitted to depart from the illustrative procedures should the circumstances of a particular inquiry require it when that is precisely what the DPC said in the published material that it could do.”
Perhaps most worrying for the social media company, the Dublin court backed the regulator’s preliminary view that standard contractual clauses, or SCCs — widely used legal instruments — can’t be used to transfer data to the U.S. in light of a July Court of Justice of the European Union ruling that raised the bar for international data transfers.
SCCs could not compensate for the lack of protections in U.S. law for Europeans, the judge wrote, noting that Facebook did not appear to have put in place any extra safeguards.
What happens next?
Barring an appeal, Facebook will now have to respond to the DPC’s draft decision. It seems the rationale for its use of SCCs to shuttle European’s data to the U.S is on increasingly shaky ground.
Once the inquiry resumes, the social media company will have 21 days to respond — unless the DPC grants an extension. After that, it’s off to Europe’s network of data regulators, the EDPB, for sign-off.
The ruling will also trigger a parallel investigation of Austrian campaigner Max Schrems’ complaint against Facebook’s use of SCCs to send his data to the U.S.
Either way, it seems the social media company may have to start rethinking its global data flows.
What does this mean for EU-U.S. data talks?
The Irish court’s ruling puts even more pressure on European and U.S. officials to agree to a new data transfer pact, known as Privacy Shield, after the bloc’s top court nixed the arrangement because of fears over U.S. snooping.
Negotiations have been ongoing for almost a year, but major sticking points — particularly around access to EU data by American national security agencies — still must be overcome before a new deal can be reached. That’s unlikely before the second half of the year.
By kicking out Facebook’s judicial review, the judge has opened a gateway for more companies’ SCCs to be challenged. In its ruling Friday, the court said four such appeals had already been filed with Ireland’s Data Protection Commissioner.
With such data-transfer mechanisms on increasingly shaky ground, it is now left to EU and U.S. officials to hammer out a new transatlantic pact to ensure that companies can continue transferring data — and people’s fundamental privacy rights are upheld.
Where do international transfers go next?
Since the new European Commission took office in late 2019, there’s been a growing drumbeat for so-called data localization, or the legal right for EU citizens to demand that their digital information remain within the 27-country bloc.
Senior officials like Thierry Breton, the internal market commissioner, have championed the idea, while others, notably Margrethe Vestager, the region’s digital chief, have mostly dismissed the concept.
Expect Friday’s ruling — and an upcoming decision on the revised EU-U.S. Privacy Shield — to reignite that battle. Other countries from Brazil to Russia to India are similarly pursuing legislation that would require local citizens’ data to be stored within their jurisdictions.
In recent months, there has been a growing chorus, most notably from U.S. President Joe Biden’s administration, to create a global pact that allows international data transfers to continue among countries that agree to baseline protections. The goal, in theory, is to uphold people’s privacy rights, while also allowing billions of euros’ worth of global trade to continue unimpeded.
Yet with EU-U.S. data transfers — both from Facebook and other companies — now in jeopardy, the pendulum is increasingly swinging toward keeping data closer to home.Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email email@example.com to request a complimentary trial.