Facebook’s EU-US data transfers face their final countdown

Ireland’s Data Protection Commission (DPC) has agreed to swiftly finalize a long-standing complaint against Facebook’s international data transfers which could force the tech giant to suspend data flows from the European Union to the US within in a matter of months.

The complaint, which was filed in 2013 by privacy campaigner Max Schrems, relates to the clash between EU privacy rights and US government intelligent agencies’ access to Facebook users’ data under surveillance programs that were revealed in high resolution detail by NSA whistleblower Edward Snowden.

The DPC has made the commitment to a swift resolution of Schrems’ complaint now in order to settle a judicial review of its processes which noyb, his privacy campaign group, filed last year in response to its decision to pause his complaint and opt to open a new case procedure.

Under the terms of the settlement Schrems will also be heard in the DPC’s “own volition” procedure, as well as getting access to all submissions made by Facebook — assuming the Irish courts allow that investigation to go ahead, noyb said today.

And while noyb acknowledged there may (yet) be a further pause, as/if the DPC waits on a High Court judgement of Facebook’s own Judicial Review of its processes before revisiting the original complaint, Schrems suggests his 7.5 year old complaint could at long last be headed for a final decision within a matter of months…

“The courts in Ireland would be reluctant to give a deadline and the DPC played that card and said they can’t provide a timeline… So we got the maximum that’s possible under Irish law. Which is ‘swift’,” he told TechCrunch, describing this as “frustrating but the maximum possible”.

Asked for his estimate of when a final decision will at last close out the complaint, he suggested it could be as soon as this summer — but said that more “realistically” it would be fall.

Schrems has been a vocal critic of how the DPC has handled his complaint — and more widely of the slow pace of enforcement of the bloc’s data protection rules vs fast-moving tech giants — with Ireland’s regulator choosing to raise wider concerns about the legality of mechanisms for transferring data from the EU to the US, rather than ordering Facebook to suspend data flows as Schrems had asked in the complaint.

The saga has already had major ramifications — leading to a landmark ruling by Europe’s top court last summer when the CJEU struck down a flagship EU-US data transfer arrangement after it found the US does not provide the same high standards of protection for personal data as the EU does.

The CJEU also made it clear that EU data protection regulators have a duty to step in and suspend transfers to third countries when data is at risk — putting the ball squarely back in Ireland’s court.

Reached for comment on the latest development the DPC told us it would have a response later today. So we’ll update this report when we have it.

The DPC, which is Facebook’s lead data regulator in the EU under the bloc’s General Data Protection Regulation (GDPR), sent the tech giant a preliminary order to suspend data transfers back in September — following the landmark ruling by the CJEU.

However Facebook immediately filed a legal challenge — couching the DPC’s order as premature, despite the complaint itself being more than seven years old.

noyb said today that it’s expecting Facebook to continue to try to use the Irish courts to delay enforcement of EU law. And the tech giant admitted last year that it’s using the courts to ‘send a signal’ to lawmakers to come up with a political resolution for an issue that affects scores of businesses which also transfer data between the EU and the US, as well as to buy time for a new US administration to be in a position to grapple with the issue.

But the clock is now ticking on how much longer Zuckerberg can play this game of regulatory whack-a-mole. And a final reckoning for Facebook’s EU data flows could come within half a year.

This sets a fairly tight deadline for any negotiations between EU and US lawmakers over a replacement for the defunct EU-US Privacy Shield.

European commissioners said last fall that no replacement would be possible without reform of US surveillance law. And whether such radical retooling of US law could come as soon as the summer, or even fall, seems doubtful — unless there’s a major effort among US companies to lobby their own lawmakers to make the necessary changes.

In court documents Facebook filed last year, linked to its challenge of the DPC’s preliminary order, the tech giant suggested it might have to close service in Europe if EU law is enforced against its data transfers.

However its PR chief, Nick Clegg, swiftly denied Facebook would ever pull service — instead urging EU lawmakers to look favorably on its data-dependent business model by claiming that “personalized advertising” is vital to the EU’s post-COVID-19 economic recovery.

The consensus among the bloc’s digital lawmakers, however, is that tech giants need more regulation, not less.

Separately today, an opinion by an influential advisor to the CJEU could have implications for how swiftly GDPR is enforced in Europe in the future if the court aligns with Advocate General Bobek’s opinion — as he appears to be taking aim at bottlenecks that have formed in key jurisdictions like Ireland as a result of the GDPR’s one-stop-shop mechanism for handling cross-border cases.

So while Bobek confirms the general competence of a lead regulator to investigate in cross-border cases, he also writes that “the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned, the input of which is crucial in this area”.

He also sets out specific conditions where national DPAs could bring their own proceedings, in his view, including for the purpose of adopting “urgent measures” or to intervene “following the lead data protection authority having decided not to handle a case”, among other delineated reasons.

Responding to the AG’s opinion, the DPC’s deputy commissioner, Graham Doyle, told us: “We, along with our colleague EU DPAs, note the opinion of the Advocate General and await the final judgment of the Court in terms of its interpretation of any relevant One Stop Shop rules.”

Asked for a view on the AG’s remarks, Jef Ausloos, a postdoc researcher in data privacy at the University of Amsterdam, said the opinion conveys “a clear recognition that ACTUAL protection and enforcement might be crippled by the [one-stop-shop] mechanism”.

However he suggested any new openings for DPAs to bypass a lead regulator that could flow from the opinion aren’t likely to shake things up in the short term. “I think the door is open for some changes/bypassing DPC. BUT, only in the long run,” he said.