The wheels of privacy enforcement are slowly turning against Facebook in Europe — where its lead data protection regulator, Ireland’s Data Protection Commission (DPC), has taken a key procedural step on a data transfers complaint whose substance dates back almost a decade.
The DPC confirmed today that a draft decision on the legality of Meta’s EU-U.S. data transfers has been sent to other data protection agencies to review. Deputy commissioner, Graham Doyle, declined to provide any details about the decision itself — confirming only that it has been sent.
“We have sent it to our colleague data protection authorities for their views and they have one month to come back to us,” he told TechCrunch.
Politico, which reported this development earlier today, is also reporting that the DPC’s draft decision orders Meta to cease EU-U.S. data exports — and the publication goes on to claim that the order could result in Europeans being cut off from services such as Facebook and Instagram as soon as this summer, if the order is confirmed by other EU data protection agencies who are reviewing it.
A DPC order to Facebook blocking it from exporting EU citizens’ data to the US for processing, which is essentially how its service works currently, would not be a surprise: Back in September 2020, The Wall Street Journal also reported that the DPC had sent Meta a preliminary order to suspend EU-U.S. data flows.
The regulator did not confirm the substance of the order then either but the development followed a landmark decision by the bloc’s top court, in July 2020, which blew a fresh hole in the legal framework around data exports to the U.S. owing to the clash between U.S. surveillance law and EU privacy rights — so the specific substance of the order did not need spelling out.
What would be a surprise, in this painfully long and twisted data protection (lack of) enforcement saga, would be if the wheels of Europe’s regulators turned so fast that Facebook’s data flows were actually ordered to cease this summer.
Plus — given parallel reports that EU-U.S. negotiations to finalize the replacement for the defunct Privacy Shield data transfer mechanism have stalled since a political deal was reached on it back in March, and may now no longer be completed by the end of the year (as the bloc has previously suggested) — cynics might suggest that a leak now about Facebook’s data flows being on the cusp of being blocked could be a strategic ploy to grease the wheels of those high level talks.
Commission lawmakers certainly won’t relish reading summer headlines about Europeans’ Facebook access being cut off — even if the company itself continues to have a poor reputation across the wider sweep of EU institutions, following years of privacy scandals.
Max Schrems, the lawyer and European privacy campaigner who filed the original Facebook data transfer complaint back in 2013, is also doubtful that today’s development will lead to a swift resolution. In a statement responding to press reports of the draft decision, he said he anticipates that procedural objections will keep spinning out the enforcement process — potentially for many more months, or even as long as a year.
“We expect other DPAs to issue objections, as some major issues are not dealt with in the DPC’s draft,” he wrote in a response posted to the website of noyb, his privacy rights not-for-profit. “This will lead to another draft and then a vote. In other cases this took another year overall, as the DPC did not implement comments from other DPAs voluntarily and took more than half a year to forward the case for a vote.”
So — tl;dr — don’t bet the farm on Facebook shutting down in Europe before the new school year.
Schrems also points out the draft decision passed by the DPC to other EU DPAs is still not a decision on his original complaint. That’s because the regulator opened an ‘own volition’ enquiry alongside his complaint, which is what this draft decision relates to. So his complaint is still very much unresolved — underlining the challenge for citizens to exercise the EU rights they have on paper against powerful tech giants.
This is also why Schrems is calculating his wait for enforcement as nine years (it’s also two years since the landmark CJEU decision that struck down the EU-U.S. Privacy Shield mechanism and yet Facebook’s data still flows).
Schrems expects yet more delays to enforcement too — predicting the tech giant will throw the kitchen sink at litigating against any order; and querying why the DPC (seemingly) isn’t reaching for a financial penalty in this case which he argues could actually be a useful enforcement lever here, especially if backdated to his original complaint… (We asked Schrems about the substance of the DPC’s draft decision but he said he’s unable to provide public comment.)
“Facebook will use the Irish legal system to delay any actual ban of data transfers,” he predicts in the prepared remarks. “Ireland will have to send the police to physically cut the cords before these transfers actually stop. What would be however easy to do, is a fine for the past years, where the CJEU has clearly said the transfers were illegal. It is strange, that the DPC seems to ‘forget’ about the only efficient penalty in this case. You could get the impression, that the DPC just wants to have this case go in circles again and again.”
Delays do seem a given.
Back in February, when the DPC sent a revised decision on the complaint to Meta, the regulator told us it expected this procedural step to be done in April — so even that piece has taken months longer than anticipated without an obvious reason why. (We asked the DPC — but Doyle just said it took “a few weeks longer” than expected.)
Reached for comment on the DPC draft decision being sent to other DPAs for review, a Meta spokesperson sought to play down the whole complaint by suggesting that a fresh data transfer agreement between the EU and the US will soon fix its legal headache.
Here’s Meta’s statement:
This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved. We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.
What Meta doesn’t mention is that, once adopted, any fresh EU-U.S. data transfer deal is likely to face a fresh legal challenge.
Privacy experts also expect it will take less time for such a challenge to arrive in front of the CJEU this (third) time around, as well as pointing out that the court has also shown itself willing to expedite rulings when there are risks to EU citizens’ fundamental rights. So if Meta is banking on a strategy of perpetually kicking its regional privacy problems into the legal long grass it may, finally — finally! — find itself running out of road and forced to a hard stop.
But the chances of Facebook’s service lights being turned off in Europe this summer look vanishingly small.
On the replacement EU-US data transfer framework that’s still being negotiated, a Commission official declined to offer a revised timeline for likely adoption. “The work is very much ongoing but I do not have a specific timeline to share with you,” she told us. “It is now first of all for the U.S. to translate the political agreement into legal texts and we are working with them on this.”
The EU’s executive is not the only entity which has to be involved in the adoption process, either, with input also required from the European Data Protection Board; a committee of representatives of EU Member States; and the European Parliament.
This report was updated with comment from the Commission