Facebook: 'US data transfer ban will close EU business'

Facebook: EU wipe-out claim (credit: www.thoughtcatalog.com)

Facebook has thrown its toys out of the pram following the Irish Data Protection Commission’s threat to impose a ban on its use of so-called standard contract clauses (SCCs) to transfer data to the US, claiming the the move will wipe out its business operations in Europe.

The latest twist in this long and sorry tale follows the Irish DPC issuing a preliminary order to Facebook to stop using SCCs following the demise of the Privacy Shield agreement.

Last week, the Irish High Court gave Facebook permission to file for a Judicial Review against the DPC and also froze the order the regulator had issued, while setting a November date for a full hearing into the case.

In response, Facebook Ireland’s head of data protection Yvonne Cunnane filed an affidavit with the court, which the Sunday Business Post claims to have seen.

The newspaper claims the affidavit states: “In the event [Facebook] were subject to a complete suspension of the transfer of users’ data to the US, as appear to be what the DPC proposes, it is not clear to [Facebook] how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU.”

However, the affidavit fails to mention the fact that Facebook already runs a huge data processing operation inside the EU, although by processing all of its data in Europe it will be forced to adhere to EU laws, especially those around data protection.

Some observers argue this would cause Facebook significant issues with the US authorities, as the States has several laws that require American firms to provide access to data secretly, no matter where it is held. If Facebook were to do that on EU data held solely in Europe, it could open itself up to massive penalties.

There is also the not inconsiderable issue of a potentially huge EU tax bill. Facebook brings in billions of euros in ad revenue each year – €3.38bn (£3.1bn) in both in Q1 and Q2 this year alone – so if all data processing was carried out in the EU, the company would come under increasing pressure to pay more tax in Europe than it currently does.

However, Facebook nemesis Max Schrems, the Austrian lawyer and privacy activist whose legal challenges have seen both Privacy Shield – and its predecessor Safe Harbour – ruled illegal, claims Facebook is not using SCCs but a GDPR loophole to effectively swerve EU law and send European users’ data to the US regardless.

Earlier this month, Schrems vowed to keep a close eye on the situation. He said: “We obviously welcome the notion that the Irish DPC is finally moving towards doing its job after seven years of procedures and five court decisions, all of which upheld our position. However, this move by the DPC may lead to another half-hearted decision.

“The leak about a secret ‘preliminary order’ against Facebook shows that the Irish DPC was trying to run a secret procedure without the complainant. While such an order should have been issued in 2013, we are very concerned that the DPC is again only embarking on a limited investigation that will not fully determine all aspects of the case.

“We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld – no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table.”

In response to Facebook securing yet another High Court hearing, Schrems tweeted: #CantMakeItUp @DPCIreland has “prematurely judged” its EU-US data flows post #SchremsII – after 7 years and 5 judgments on #SafeHarbor, #PrivacyShield and the #SCCs… Face with tears of joy.”