Facebook may shut out of Europe because of Ireland’s refusal to permit user data being transferred to the United States.
July 8, 2022 |
Ireland, more accurately Ireland’s Data Protection Commission, has been engaged in a protracted dispute with Meta, Facebook’s parent company, regarding its data handling and compliance with the GDPR Articles. On 15 March 2022 it concluded an inquiry into 12 data breaches by Meta Platforms where it found that Meta had infringed Articles 5(2) and 24(10 of the GDPR. The media release relating to those findings stated:
The DPC has today adopted a decision, imposing a fine of €17m on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (“Meta Platforms”).
The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.
As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.
Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.
Yesterday an article titled Europe faces Facebook blackout reports that the Commission informed its counterparts in Europe that it will block Meta from sending back data to the USA. Meta has said that would close many of its services including Facebook and Instagram. Clearly the regulators are applying the GDPR in light of the absence of any Privacy Shield agreement between the EU and the USA. Absent any such agreement the data handling obligations in the USA fall far short of the obligations under the GDPR.
The article provides:
Europeans risk seeing social media services Facebook and Instagram shut down this summer, as Ireland’s privacy regulator doubled down on its order to stop the firm’s data flows to the United States.
The Irish Data Protection Commission on Thursday informed its counterparts in Europe that it will block Facebook-owner Meta from sending user data from Europe to the U.S. The Irish regulator’s draft decision cracks down on Meta’s last legal resort to transfer large chunks of data to the U.S., after years of fierce court battles between the U.S. tech giant and European privacy activists.
The European Court of Justice in 2020 annulled an EU-U.S. data flows pact called Privacy Shield because of fears over U.S. surveillance practices. In its ruling, it also made it harder to use another legal tool that Meta and many other U.S. firms use to transfer personal data to the U.S., called standard contractual clauses (SCCs). This week’s decision out of Ireland means Facebook is forced to stop relying on SCCs too.
Meta has repeatedly warned that such a decision would shutter many of its services in Europe, including Facebook and Instagram.
“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe,” Meta said in a filing to the U.S. Securities and Exchange Commission in March this year.
The Irish blocking order, if confirmed by the group of European national data protection regulators, is likely to send a chill through the wider business community too, which has been scratching its head about how to continue sending data from Europe to the U.S. following the EU’s top court ruling in 2020.
The EU and U.S. are in the midst of negotiating a new data-transfer text that would allow companies like Meta to continue to ship data across the Atlantic irrespective of the Irish order. Brussels and Washington in March agreed to a preliminary deal at the political level, but negotiations on the legal fine print have stalled and a final deal is unlikely to be reached before the end of the year.
A spokesperson for the Irish DPC confirmed that the draft decision had been sent to other European privacy regulators, who now have a month to give their input, but wouldn’t discuss details of the decision.
“This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and U.S. law which is in the process of being resolved,” a Meta spokesperson said. “We welcome the EU-U.S. agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”