Facebook is once again risking the wrath of regulators, consumers and the courts, amid claims that the technology giant is using a little-known GDPR loophole to effectively swerve EU law and send European users’ data to the US regardless.
The issue is somewhat complex but is worth a recap. It dates back more than seven years, when Austrian lawyer and privacy activist Max Schrems first complained to the Irish Data Protection Commission that the existing data transfer agreement between the EU and US, Safe Harbour, did not provide adequate protection from surveillance by American authorities.
Following a long legal battle, in 2015, the European Court of Justice ruled that Safe Harbour was invalid but within a year Brussels and Washington had come up with another pact, Privacy Shield.
Schrems argued that this new deal was still not strong enough and in July this year the ECJ agreed, outlawing Privacy Shield too, which had been used by nearly 5,400 businesses including Facebook, Amazon, Google, Experian, Acxiom, LinkedIn and Microsoft.
However, in its ruling on Privacy Shield, the ECJ also put the boot in to alternative transfer mechanisms, including so-called standard contract clauses (SCCs) and binding corporate rules, ordering that these should face greater scrutiny from both data controllers and regulators.
At the time, Mishcon de Reya Partner Adam Rose said: “There must now be serious questions as to whether any transfers to the US can be valid. As a result of this, the regime used by some of the world’s biggest international groups must now also be open to challenge. Data protection authorities must intervene to stop transfers which are made to countries without an adequate level of protection.”
Now, according to a report in the Wall Street Journal, the Irish DPC has issued a preliminary order to Facebook to stop using SCCs to transfer data to the US.
But privacy group NOYB, which is fronted by Schrems, claims Facebook is not using either SCCs or binding corporate rules but a fourth legal basis for data transfers: the alleged “necessity” to outsource processing to the US under the contract with its users (Article 49(1)(b) of GDPR).
This means that any “preliminary order” by the Irish DPC on the SCCs alone will in fact not prevent Facebook from arguing that its transfers are still legal.
NOYB claims that in practice Article 49(1)(b) of GDPR may be an appropriate legal basis for very limited data transfers (for instance, when an EU user is sending a message to an American user), but cannot be used to outsource all data processing to the US.
Schrems said: “We obviously welcome the notion that the Irish DPC is finally moving towards doing its job after seven years of procedures and five court decisions, all of which upheld our position. However, this move by the DPC may lead to another half-hearted decision.
“The leak about a secret ‘preliminary order’ against Facebook shows that the Irish DPC was trying to run a secret procedure without the complainant. While such an order should have been issued in 2013, we are very concerned that the DPC is again only embarking on a limited investigation that will not fully determine all aspects of the case.
“We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld – no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table.”
In a blog post, Facebook vice president of global affairs and communications Nick Clegg claimed it was not just a Facebook issue, insisting that “businesses large and small, across multiple sectors” would be hurt without a valid legal framework for transferring data between the EU and US.
He concluded: “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19.”