Meta has been sent a new draft decision on its EU-US data transfers

Facebook has received a “revised” preliminary decision from its lead EU privacy regulator with implications for its ability to continue to export user data to the US, TechCrunch has learned.

“Meta has 28 days to make submissions on this preliminary decision at which point we will prepare a draft Article 60 decision for other Concerned Supervisory Authorities (CSAs). I’d anticipate that this will happen in April,” a deputy commissioner at the Irish Data Protection Commission (DPC), Graham Doyle, told us.

Doyle declined to detail the contents of the preliminary decision.

However, back in September 2020, the DPC sent a preliminary order telling Facebook to suspend data transfers, per a Wall Street Journal report at the time, citing people familiar with the matter.

Meta, as the tech giant has recently rebranded its data-mining empire, has been flagging the ongoing risk to its EU-US data transfers in calls with investors.

It also immediately sought to challenge the DPC’s earlier draft order in the courts — but that legal avenue ran out of road in May last year when the Irish High Court issued a ruling dismissing the challenge to the DPC procedures.

The case hinges on the clash between European data protection law and US surveillance powers. It’s not clear that, since the earlier draft order telling the company to suspend transfers, there has been any material change to the facts that would lead the regulator to arrive at a different conclusion now, regardless of what Meta submits at this next stage.

Moreover, in recent months, other European data protection agencies have been issuing decisions against other US services that involve the transfers of personal data to the US — such as Google Analytics — which is, from an optics perspective at least, amping up the pressure on the DPC to finalize a decision against Meta.

The regulator also faced a procedural challenge by the original complainant, Max Schrems, who extracted an agreement from it, in January 2021, that it would swiftly finalize the long-standing complaint — so that’s another quasi deadline in play.

Under the terms of that settlement, the DPC agreed Schrems would also be heard in its (parallel) “own volition” procedure — which it opened in addition to its complaint-based enquiry related to his original (2013) complaint, and which is now moving forward via this new preliminary decision issued to Meta.

Schrems confirmed he has been sent the decision by the DPC — but made no further comment.

(For yet more twists, back in November, the privacy advocacy group founded by Schrems filed a complaint of criminal corruption against the DPC — accusing the regulator of “procedural blackmail” in relation to attempts to prevent publication of other draft complaints… )

It’s still not clear how long exactly this multi-year data transfer saga could drag on before a final decision hits Meta — potentially ordering it to suspend transfers.

But it should be closer to months than years, now.

The Article 60 process loops in other interested data protection agencies, who have the ability to make reasoned objections to a draft decision by a lead authority within, initially, a one-month timeframe, although there can be extensions. And if there is major disagreement between DPAs over a preliminary decision it can add months to the final decision-making process, and could ultimately require the European Data Protection Board to step in and push a final decision.

All that’s still to come; for now the ball is back in Meta’s court to see what fresh blather its lawyers can come up with.

The tech giant was contacted for comment on the latest development and in a statement a Meta spokesperson told us:

“This is not a final decision and the IDPC have asked for further legal submissions. Suspending data transfers would be damaging not only to the millions of people, charities, and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service. A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected.”

There is another moving piece to this apparently never-ending story, as negotiations between the European Commission and the US on a replacement to the defunct Privacy Shield data transfer arrangement remain ongoing.

In recent months, Facebook and Google have been making public calls for a new transatlantic data transfer deal to be agreed, urging a high-level fix for the legal uncertainty now facing scores of US cloud services (or at least those that refuse to give up their own access to people’s data-in-the-clear).

However, the Commission has previously warned there will be no ‘quick fix’ this time, saying back in 2020 that a replacement would only be possible if all the issues identified by the European Court of Justice in its July ruling which invalidated Privacy Shield can be resolved (which means both a legal and accessible means of redress for Europeans and tackling disproportionate US surveillance powers which rely on bulk intercepts of Internet communications).

So, in short, Privacy Shield 3.0 looks like a tall order — certainly in the kind of short order that Meta’s business-as-usual demands… So chief lobbyist, Nick Clegg, certainly has his work cut out!