As previously reported, and as far back as 2020, it has been rumoured that the Irish Data Protection Commission (IDPC) will order Facebook to stop data transfers to the US (Lewis Silkin - Schrems II The Wall Street Journal reports that the Irish DPC will order Facebook to stop transfers).
On 10 August 2022, in the latest twist, a spokesperson for the IDPC confirmed that they have received objections from several European Supervisory Authorities (SAs) to the IPDC’s updated draft order of 7 July 2022. This draft order was shared with the SAs for their review, under Article 60 GDPR. The draft order has the potential to stop Facebook and Instagram’s international data transfers between the EU and US given concerns about surveillance laws.
Following Schrems II, where the Privacy Shield Framework was invalidated, data transfers continued between the EU and US using the EU Standard Contractual Clauses (SCCs) and the European Data Protection Board’s (EDPB) recommendations. In parallel to the original complaint made by the privacy activist, Max Schrems, the IDPC instigated of its own volition an inquiry pursuant to section 110 of the Irish Data Protection Act 2018 in relation to EU/US data transfers in light of the US surveillance legislation, in particular section 702 of the Foreign Intelligence Surveillance Act (FISA). This updated draft decision from the IDPC is the result of this long-running process.
While the updated draft order of 7 July 2022 followed the provisional order, dating back to 2020, the timing of the update seemed a little unusual. If, as expected, the draft order said Facebook and Instagram’s parent company Meta can no longer rely on the SCCs to transfer data to the US, eyebrows have been raised given negotiations are still ongoing on the Trans-Atlantic Data Privacy Framework (for more information read our earlier article). This Framework is set potentially (nay hopefully…!) to resolve the very issues that are at stake in this case, i.e. transfers to the US and issues around surveillance and governmental access to data subject’s personal data.
For the more cynical among us, looking at the timings of how this may all play out make it even more interesting – will they culminate in an “either or” scenario? With the latest statement from the IDPC it looks as though it will.
First take the timeline for the IDPC’s draft order, it was shared with the EU SAs on 7 July 2022 and under Article 60 GDPR they had 4 weeks to express "relevant or reasoned objection”. As expected, and now confirmed by the IDPC, there are objections to the IDPC’s draft order so the IDPC can amend the draft order and resubmit it to the EU SAs, who would then have 2 further weeks to respond, or if the IDPC does not believe the objection(s) raised by the SAs are “relevant or reasoned” they can submit it to the EDPB for a binding decision under the consistency mechanism in Article 65 GDPR. The EDPB must give such a decision within one month, unless a further extension of an additional month be requested under Article 65(2) GDPR “on account of the complexity of the subject-matter.” If the EDPB cannot achieve the two-thirds majority vote at this stage there is an additional two week period where a simple majority vote of the EDBP will suffice (Article 65(3) GDPR). Once the EDPB reaches a decision and has communicated it to the IDPC “without undue delay”, the IDPC is required to “without undue delay and at the latest by one month after the Board has notified its decision” issue its final decision. Knowing that objections have been raised with the IDPC about the draft decision and the possible road ahead means we could be looking at many months before a final decision is reached…and of course the final decision could then be appealed!
But what about the Trans-Atlantic Data Privacy Framework? While negotiations are ongoing it has been reported that recently they have stalled. The whispers were originally about an ambitious timescale of concluding the negotiations by the end of the calendar year to have something (a partial adequacy decision for EU-US transfers resulting in the re-validation of Privacy Shield) in place by early 2023 and, as we know from the UK’s experience, the EU adequacy decision can be pushed through if there is the will to do so in a matter of months. Will the Trans-Atlantic Data Privacy Framework therefore render the IPDC and EDPB process moot?
And what does Max Schrems himself think of the updated draft decision? Is he pleased to finally see this decision? The NOYB website quotes him saying “Facebook will use the Irish legal system to delay any actual ban of data transfers. Ireland will have to send the police to physically cut the cords before these transfers actually stop. What would be however easy to do, is a fine for the past years, where the CJEU has clearly said the transfers were illegal. It is strange, that the DPC seems to 'forget' about the only efficient penalty in this case. You could get the impression, that the DPC just wants to have this case go in circles again and again.” It’s fair to say the phrase ‘less than impressed’ springs to mind!
So what does this all mean?
Despite the headlines, nothing immediate will happen to international data transfers between the EU and the US. While comments around the original provisional order were of Facebook and Instagram leaving Europe now they seem to focus on the Trans-Atlantic Data Privacy Framework as the solution to resolve the differences in approach and provide a pragmatic solution for international businesses. It will be interesting to watch how this all plays out, and what, if any, impact it may have on other big tech companies headquartered in the EU.
For those global businesses with operations in the UK, we will also be watching this with interest, particularly as it seems at odds with the UK’s approach. The UK is forging ahead with new data partnerships with priority partners, recently announcing the UK’s first data adequacy decision in principle, with the Republic of Korea, and also the UK and US Data Access Agreement which is due to come into force on 3 October 2022. The question as to whether the UK is indeed on a separate and distinct path from the EU will rear its head again at some point, with whispering of a potential challenge to the EU’s finding of adequacy for the UK growing stronger, especially after the introduction of the Data Protection and Digital Information Bill on 18 July 2022.