Meta ruling blows US data transfers out of the water

The DMA has waded into the debate over data transfers between the EU and the US following yesterday’s record GDPR fine and cease and desist order against Facebook owner Meta, warning of the “significant challenges” businesses face in using cloud tech services in the States.

The ruling gives Meta five months to stop sending data from Europe to the US and six months to stop handling data it previously collected, which could mean deleting photos, videos, and Facebook posts or moving them back to Europe.

While Brexit means the ruling does not affect international data transfers between the UK and US or the UK and EU, the industry body insists the move raises important questions about differing privacy standards between countries outside of the EU with commercial interests inside of it.

The case will have a major impact on the thousands of companies that rely on EU standard contractual clauses (SCCs) as a legal mechanism to transfer data from the EU to the US.

Most large companies have complex webs of data transfers – which can include email addresses, phone numbers and financial information – to overseas recipients, many of which depend on SCCs. While the ruling only affects Facebook, thousands of other firms also use SCCs, including Amazon, Google, Experian, Acxiom, LinkedIn and Microsoft.

DMA chief executive Chris Combemale said: “This is a concerning situation for businesses across the UK, particularly those who have customers based in the EU and who use cloud tech services hosted in the US.

“It highlights a significant challenge when transferring data between the EU and US, especially how businesses use standard contractual clauses to create sufficient privacy safeguards. The DMA is reviewing this case to determine how it will affect UK companies and will soon provide guidance to help explain its impact.”

Non-profit think tank Future of Privacy Forum, meanwhile, reckons that the entire commercial and trade relationship between the EU and the US underpinned by data exchanges may be affected.

Vice president of global privacy Gabriela Zanfir-Fortuna explained: “While this decision is addressed to Meta, it is about facts and situations that are identical for all American companies doing business in Europe offering online services, from payments, to cloud, to social media, to electronic communications, or software used in schools and public administrations.”

The Computer & Communications Industry Association (CCIA) has warned the ruling will exacerbate confusion over current data transfer protocols for US-based firms.

In a statement it said: “Since an EU Court invalidated the previous EU-US data framework (Privacy Shield) back in 2020, European and US organisations and companies of all sizes have been left without clear guidelines for transatlantic data transfers.

“To this day, that uncertainty continues to affect not only companies, but also non-profits, charities, governments, and others. Data flows between the EU and US make up the busiest Internet route in the world, and are vital to transatlantic trade. Yet, today’s decision to suspend data transfers from the EU to the US ignores that reality.”

Last year, the Biden administration signed an executive order introducing new data protection safeguards for European consumers in an effort to replace the Privacy Shield agreement with the Trans-Atlantic Data Privacy Framework.

The CCIA said these should “pave the way for a new and strengthened EU-US data privacy framework”; however, this has yet to be finalised.

It added: “Today’s legal uncertainty will continue to persist as long as this new data transfer mechanism has not been formally approved by EU member states. We call on the 27 EU national governments to approve the Commission’s adequacy decision without delay.”

Edward Machin of law firm Ropes & Gray agrees. He commented: “The DPC’s ruling over standard contractual clauses will have a significant impact on the ability of organisations of all shapes and sizes to lawfully share and receive data from Europe.

“It will also kick off a race against time for lawmakers to finalise the EU-US data transfer framework before the end of the six-month transition period the DPC has given Meta to bring its transfers into compliance.”

Naturally, privacy groups have welcomed the move. Caitlin Fennessy, of the International Association of Privacy Professionals, believes it could make EU companies demand that US partners store data within Europe – or switch to domestic alternatives.

She concluded: “The size of this record-breaking fine is matched by the significance of the signal it sends. The decision signals that companies have a whole lot of risk on the table.”
