As reported by the IAPP, two publicly available documents from Meta suggest that the Irish data protection authority (DPC) may soon suspend EU-US data transfers for the Facebook platform and impose a fine on Meta. As reported by the Irish Times, the decision could come as soon as May 12.
This could result in a temporary Facebook blackout for Europe, depending on how things play out. This high-profile case will certainly set a precedent and may impact the digital lives of millions.
(Update: the order to suspend data transfers arrived on May 22, along with a record 1.2 billion Euro fine. We examined the decision in another blog)
- What do the documents say?
- The story so far
- The legal issues
- What happens next?
- What does the decision mean for data transfers?
- Final Thoughts
Let’s dive in!
What do the documents say?
Page 3 of Meta’s quarterly earning report reads:
We expect the Irish Data Protection Commission (IDPC) to issue a decision in May (...), including a suspension order (...) and a fine. Our ongoing consultations with policymakers on both sides of the Atlantic continue to indicate that the proposed new EU-U.S. Data Privacy Framework will be fully implemented before the deadline for suspension of such transfers, but we cannot exclude the possibility that it will not be completed in time.
The Q-10 form includes more details on page 54:
Once the final decision is issued, we will have an opportunity to appeal and seek a stay. A transfer suspension order would become effective after a period of time unless a new transatlantic data transfer framework is finalized prior to that time or the IDPC revisits the suspension order due to a material change in U.S. law.
We consider the documents to be reliable. It is not unusual for the parties of a procedure to have inside information on the outcome before a decision is published. This is especially true for a tech giant with plenty of connections and lobbying capabilities.
The story so far
The story is long by now, so grab a sandwich (or skip ahead- we won’t blame you).
It all started in 2013 when NSA whistleblower Edward Snowden leaked confidential files on the agency’s operation, including large-scale electronic surveillance programs Upstream and Prism.
Snowden’s revelations prompted Max Schrems (yes, the guy from the Schrems I and II rulings) to file a complaint with the Austrian data protection authority against Facebook’s data transfers to the US. He claimed that, due to the massive scale and indiscriminate character of electronic surveillance from the US government, data transfers to Facebook in the US could not ensure the confidentiality of personal data.
The Austrian authority forwarded the complaint to its Irish counterpart since Facebook had its main European subsidiary in Ireland. This was the start of a never-ending legal battle in which Facebook tried to postpone a final decision in every way. For a decade, the case went back and forth between the DPC, the Irish courts, and the EU Court of Justice.
The decisions of the Court of Justice had a very important impact on European privacy law. In 2015 the Schrems I ruling invalidated the Safe Harbor agreement, which greatly simplified EU-US data transfers. A new agreement, known as the Privacy Shield, replaced the Safe Harbor, but it was again invalidated by the Court in the 2020 Schrems II ruling.
A decade and two landmark rulings later, the DPC finally drafted a decision to suspend data transfers and submitted it to the European Data Protection Board (the EU institution where all data protection authorities sit). The EDPB settled the matter last month with a yet-unpublished decision. The EDPB’s decision is binding on the DPC, but she still has some margin of autonomy, including the quantification of the fines.
The legal issues
We do not have a decision yet, but in light of the Schrems II ruling and recent decisions against Google Analytics, it is easy to guess what legal issues are at stake.
When a European user browses Facebook, their data are processed by several entities connected to Meta. The most important are Meta Platforms and its main European subsidiary, Meta Platforms Ireland. Because Meta Platforms itself carries out the bulk of the data processing, Facebook requires a data transfer to the US to work.
Data transfers to the US have been problematic since the Schrems II ruling. Companies transferring data to the US (and other “unsafe” countries) need to implement sufficient measures to keep personal data safe from State surveillance. These measures must be implemented on top of data transfer mechanisms such as standard contractual clauses or binding corporate rules, which are a standard requirement for most non-EU countries.
Meta relies on standard contractual clauses for transferring data, but it is not clear whether the company has implemented sufficient supplementary safeguards to keep personal data confidential. If it did not, then the data transfers from Meta Ireland to the parent company are in breach of the GDPR.
And in all likelihood, it did not. This is the exact same problem Google is facing in a coordinated set of complaints filed by noyb (an NGO founded by Schrems himself) and the reason five European data protection authorities have practically banned Google Analytics from their respective countries. There is no easy solution, even for a company as big as Google.
To be clear, there are technical measures that can make data transfers safer, but they are only practical for certain types of services (we discussed some of them here). As a matter of fact, three years have passed since noyb’s complaints, and Google has not found a solution yet. Our educated guess is that Meta has not, either. If the company had any cards up its sleeve, it would have played them by now instead of risking a Facebook blackout.
What happens next?
The decision will not spell the end of Facebook in Europe, but it might cause a temporary blackout for the service in the EU and the EEA, depending on two factors.
The first factor is time. The EU and the US have reached an agreement on the Trans Atlantic Data Privacy Framework- yet another data transfer framework to replace the Privacy Shield. This framework will be enacted in the EU legal framework when the European Commission adopts an adequacy decision- an act that essentially “greenlights” a non-EU country as a safe destination and allows for hassle-free data transfers.
(On a side note, the new framework will surely face legal challenges from noyb. We are looking at a Schrems III ruling, and it’s hard to predict how it will play out. But this is not a pressing issue for Meta yet.)
An adequacy decision has already been drafted and is currently pending Member States' approval. It is likely to pass, but it is not clear when that will happen.
According to the documents, Meta expects the DPC’s suspension order to come with a deadline. Therefore, the continuity of service for Facebook depends on the timing of the adequacy decision. If the adequacy decision is adopted before the deadline, Meta will be able to rely on the decision for transferring data and will continue to provide the service. But if the decision comes too late, Meta may be forced to suspend the service in the meantime. Meta is somewhat optimistic that the decision will come in time, but not entirely certain.
The second factor at play is the outcome of Meta’s future legal actions. Meta intends to challenge the decision and seek a stay for the suspension order- presumably until the vote on the adequacy decision takes place within the European Commission. A stay could buy Meta the time to keep providing Facebook to European users until data transfers can be resumed under the adequacy decision.
What does the decision mean for data transfers?
Of course, this case has implications that go well beyond Facebook. Many US service providers are walking on thin ice with their data transfers. Given the EDPB’s involvement, this case could set a very important precedent, especially if the new data transfer framework does not survive Schrems III.
Notably, many US companies, including tech giants like Google and Apple, have their European subsidiaries in Ireland. From this perspective, an Irish precedent could be especially disruptive to EU-US data transfers.
On the other hand, the DPC has a reputation for not being terribly proactive. After all, it took ten years, two rulings of the Court of Justice, and direct involvement from the EDPB for the case to come to a decision. So the DPC probably won’t crack down on data transfers first thing tomorrow.
It took a while, but we are finally starting to see energic enforcement of the GDPR. Five DPAs have already taken a stance against Google Analytics, and Facebook will likely be next. Meta was recently fined €390M by the DPC for unlawfully targeting users with personalized advertising and may end up paying high damages in a class action for the same reasons.
Why do we care?