Facebook sought to derail proposals by the Irish data protection watchdog that the tech giant warns could curb transfers of vast amounts of commercial data across the Atlantic.
The social network giant said it sought a judicial review of the Data Protection Commission’s preliminary decision that the company may have to halt trans-Atlantic data transfers using the most commonly used EU tool still available to firms.
“A lack of safe, secure and legal international data transfers would have damaging consequences for the European economy,” Facebook said in a statement on Friday. “We urge regulators to adopt a pragmatic and proportionate approach until a sustainable long-term solution can be reached.”
In an investigation into Facebook's data transfers, the Data Protection Commission told the company that so-called standard contractual clauses "cannot in practice be used for EU-US data transfers," according to a blog post by Facebook this week.
While the order isn’t final and will still need the backing of other EU data watchdogs, it could also put in doubt data transfers with the same tool by other tech firms under the Irish authority’s purview. The legal clash follows a shock decision in July by the European Union’s top court to topple the so-called Privacy Shield over fears EU citizens’ data isn’t safe once shipped to the US.
The Irish regulator declined to comment on the case and it is understood court papers have not yet been filed.
The EU is still grappling with the ramifications of the EU Court of Justice ruling, because while it didn’t issue an outright ban on the more widely used contract-based system, doubts about US data protection have made this a shaky alternative too.
The Irish authority already in July said that “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”
The EU court raised the bar to a level that make EU-US transfers under any tool complicated. The protection of EU citizens’ data in the US must be “essentially equivalent” to that in the 27-nation bloc, the court said.
Still, the judges put the onus on companies such as Facebook to make sure their data transfers are in line with the bloc’s strict data protection rules and tasked regulators with assessing the risks of data transfers on a case by case basis.
‘Difficult to justify’
"While some transfers may be difficult to justify in light of the concerns raised" by EU judges, "all EU-US data transfers should not be tarred with the same brush," said Wim Nauwelaerts, a data protection lawyer with Alston and Bird in Brussels. "I don't believe that there's a silver bullet, but it would be helpful if the European regulators could provide practical guidance on how companies should go about analysing the laws of non-EU countries."
The European Data Protection Board, the group in charge of all EU privacy watchdogs, said it is preparing more guidance and will create a special taskforce to help companies with their duty to ensure their data transfers are safe.
The controversy stretches back to 2013, when former contractor Edward Snowden exposed the extent of spying by the US National Security Agency. Privacy campaigner Max Schrems has been complaining to the Irish watchdog that Facebook's data transfers were as a result no longer safe, because EU citizens' data is at risk the moment it gets transferred to the US.
"Without the Privacy Shield, it's important to continue to work with standard contractual clauses," EU justice commissioner Didier Reynders said at a virtual event on Thursday. "We are working with the EDPB to see what kinds of other tools are possible to use."
The European Commission, the EU's executive authority, added that it's working with US authorities to see "how to address the court's requirements and develop a new, improved arrangement for transatlantic data flows." – Bloomberg