Privacy

Facebook told it may have to suspend EU data transfers after Schrems II ruling

Comment

Image Credits: Tom Williams/CQ Roll Call / Getty Images

Ireland’s data protection watchdog, the DPC, has sent Facebook a preliminary order to suspend data transfers from the EU to the US, the Wall Street Journal reports, citing people familiar with the matter and including a confirmation from Facebook’s VP of global affairs, Nick Clegg.

The preliminary suspension order follows a landmark ruling by Europe’s top court this summer which both struck down a flagship data transfer arrangement between the EU and the US and cast doubt on the legality of an alternative transfer mechanism (aka SCCs) — certainly in cases where data is flowing to a non-EU entity that falls under US surveillance law. 

Facebook’s use of Standard Contractual Clauses to claim a legal basis for EU data transfers therefore looks to be fast running out of borrowed time.

European privacy campaigner Max Schrems, whose surname is colloquially attached to the CJEU ruling (aka Schrems II) — and to an earlier ruling which invalidated the prior EU-US data transfer deal, Safe Harbor, on the same grounds of US surveillance overreach — filed his original complaint about Facebook’s use of SCCs all the way back in 2013. So the tech giant has had more than half a decade to get its European data ducks in order.

Reached for comment on the WSJ report, Facebook pointed us to a freshly published blog post, also penned by Clegg — who acknowledges “significant uncertainty” for businesses operating online services that rely on transatlantic data flows in the wake of the Schrems II ruling.

In the blog post the former deputy prime minister of the United Kingdom goes on to advocate for “global rules that can ensure consistent treatment of data around the world”.

“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” Cleggs writes. “While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”

Facebook’s blog post lobbying for global rules to ensure “stability” for cross-border data transfers paints a picture of how the Schrems II ruling might negatively affect European startups — claiming it could result in local businesses being unable to use US-based cloud providers or run operations across multiple time zones.

The blog post doesn’t have anything much to say on how Facebook itself having to stop using SCCs might affect Facebook’s own business — but we’ve discussed that before here. (The short version is Facebook may need to split its infrastructure in two, and offer a federated version of its service to EU users — which would clearly be expensive and time consuming for Facebook.)

“Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term,” Clegg goes on, before lobbying for regulatory leniency in the meanwhile, as Facebook continues to transfer EU data to the US in what he claims is “good faith” — despite the acknowledged legal uncertainty and the complaint in question dating back well over half a decade at this point.

Here he is pleading for data transfer mercy on behalf of other businesses who are not involved in this specific complaint: “While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.”

EU lawmakers warned recently that there would be no quick fix for US data transfers, despite some parallel Commission noises about working with the US on an enhanced replacement mechanism for the now defunct ‘Privacy Shield’. (Although for businesses that aren’t, as Facebook is, subject to FISA 702 there may be ways to use SCCs for US transfers that are legal, or at least law firms willing to suggest measures you could take… )

Speaking to the EU Parliament last week, justice commissioner Didier Reynders suggested changes to US surveillance law will be needed to bridge the legal schism between US surveillance law and EU privacy rights.

And of course legislative changes require both time and political will. Although it’s interesting to see Facebook’s global VP feeling moved to wade in and call for global solutions for cross-border data transfers. Perhaps the tech giant will funnel some of its multi-million dollar domestic lobbying budget on making the case for reforming US surveillance law in future.

Ireland’s data protection regulator declined to comment on the WSJ report when we got in touch.

Schrems, meanwhile, is not sitting on his hands. In a statement following the newspaper’s report he said his digital rights not-for-profit, noyb, was not informed about the preliminary order by the DPC — speculating the information was leaked to the newspaper by Facebook to draw political attention to its cause.

He also reveals an intent by noyb to start a legal procedure against the DPC, saying it informed Ireland’s regulator this week that it plans to file an interlocutory injunction over the opening a ‘second’ procedure into the matter — arguing this move is in breach of a 2015 court order and is essentially the equivalent of letting Facebook carry on a multi-year game of legal whack-a-mole where it never actually faces enforcement for breaking each specific law.

“Facebook is knowingly in violation of the law since 2013. So far the DPC has covered them and for seven years refused to enforce the law. It seems after the second judgement by the Court of Justice not even the DPC can deny that Facebook’s international data transfers are built on sand,” Schrems told TechCrunch.

“At the same time, Facebook has in internal communication indicated that it has again shifted its legal basis from the SCCs to [the GDPR] Article 49 and the contract they allegedly sign with users. We are therefore very concerned that the DPC is again only investigating one of two legal basis that Facebook uses. This approach could lead to another frustrated case, like the ‘Safe Harbor’ case in 2015.”

What’s new since 2015 is Europe’s General Data Protection Regulation (GDPR) — which came into application in May 2018 and has led EU lawmakers to claim standard-setting geopolitical glory, as the issue of data privacy has risen up the agenda around the world, propelled by the deforming effects of platform power on societies and democracies.

However the two-year-old framework has so far failed to deliver anything much at all on major cross-border complaints which pertain to platform giants like Facebook (or indeed to the adtech industry). This summer a Commission review of the regulation highlighted what it described as a lack of uniformly vigorous enforcement.

Ireland’s DPC is fully in the spotlight on this front too, as the lead regulator for a large number of US tech firms.

It finally submitted the first draft decision on a cross border complaint earlier this summer — but a final decision on that case (relating to a Twitter security breach) has been delayed as the draft failed to gain the backing of all the region’s data supervisors, triggering further procedures related to joint working under the GDPR’s one-stop-shop mechanism.

Any order from the DPC to Facebook to suspend SCCs would similarly need to gain the backing of the bloc’s other regulators (or at least a majority of them). Per the WSJ’s report, Ireland’s regulator has given Facebook until mid-September to respond to the order — after which a new draft would be sent to the other supervisors for joint approval.

So there’s further delay built into the GDPR process before any final suspension order could be issued against Facebook in this seven year+ case. Move fast and break things this most certainly is not.

The WSJ also speculates that Facebook could try to challenge such an order in court. “Internally, Facebook considers the preliminary order and its future implications a big deal,” it adds, citing one of its unnamed sources.

Max Schrems on the EU court ruling that could cut Facebook in two

More TechCrunch

When I attended Automate in Chicago a few weeks back, multiple people thanked me for TechCrunch’s semi-regular robotics job report. It’s always edifying to get that feedback in person. While…

These 81 robotics companies are hiring

The top vehicle safety regulator in the U.S. has launched a formal probe into an April crash involving the all-electric VinFast VF8 SUV that claimed the lives of a family…

VinFast crash that killed family of four now under federal investigation

When putting a video portal in a public park in the middle of New York City, some inappropriate behavior will likely occur. The Portal, the vision of Lithuanian artist and…

NYC-Dublin real-time video portal reopens with some fixes to prevent inappropriate behavior

Longtime New York-based seed investor, Contour Venture Partners, is making progress on its latest flagship fund after lowering its target. The firm closed on $42 million, raised from 64 backers,…

Contour Venture Partners, an early investor in Datadog and Movable Ink, lowers the target for its fifth fund

Meta’s Oversight Board has now extended its scope to include the company’s newest platform, Instagram Threads, and has begun hearing cases from Threads.

Meta’s Oversight Board takes its first Threads case

The company says it’s refocusing and prioritizing fewer initiatives that will have the biggest impact on customers and add value to the business.

SeekOut, a recruiting startup last valued at $1.2 billion, lays off 30% of its workforce

The U.K.’s self-proclaimed “world-leading” regulations for self-driving cars are now official, after the Automated Vehicles (AV) Act received royal assent — the final rubber stamp any legislation must go through…

UK’s autonomous vehicle legislation becomes law, paving the way for first driverless cars by 2026

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm. What started as a tool to hyper-charge productivity through writing essays and code with short text prompts has evolved…

ChatGPT: Everything you need to know about the AI-powered chatbot

SoLo Funds CEO Travis Holoway: “Regulators seem driven by press releases when they should be motivated by true consumer protection and empowering equitable solutions.”

Fintech lender SoLo Funds is being sued again by the government over its lending practices

Hard tech startups generate a lot of buzz, but there’s a growing cohort of companies building digital tools squarely focused on making hard tech development faster, more efficient and —…

Rollup wants to be the hardware engineer’s workhorse

TechCrunch Disrupt 2024 is not just about groundbreaking innovations, insightful panels, and visionary speakers — it’s also about listening to YOU, the audience, and what you feel is top of…

Disrupt Audience Choice vote closes Friday

Google says the new SDK would help Google expand on its core mission of connecting the right audience to the right content at the right time.

Google is launching a new Android feature to drive users back into their installed apps

Jolla has taken the official wraps off the first version of its personal server-based AI assistant in the making. The reborn startup is building a privacy-focused AI device — aka…

Jolla debuts privacy-focused AI hardware

OpenAI is removing one of the voices used by ChatGPT after users found that it sounded similar to Scarlett Johansson, the company announced on Monday. The voice, called Sky, is…

OpenAI to remove ChatGPT’s Scarlett Johansson-like voice

The ChatGPT mobile app’s net revenue first jumped 22% on the day of the GPT-4o launch and continued to grow in the following days.

ChatGPT’s mobile app revenue saw its biggest spike yet following GPT-4o launch

Dating app maker Bumble has acquired Geneva, an online platform built around forming real-world groups and clubs. The company said that the deal is designed to help it expand its…

Bumble buys community building app Geneva to expand further into friendships

CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion. 

CyberArk snaps up Venafi for $1.54B to ramp up in machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

1 day ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century