Data Privacy, International Law, Technology
Sep. 23, 2020
Facebook strikes back regarding the right to transfer data from EU
Victoria Burke
Scott + Scott Attorneys at Law, LLP
Email: vburke@scott-scott.com
Victoria is an adjunct professor of Fashion Law at Southwestern Law School.
What companies had been dreading in the wake of the Court of Justice of the European Union's ruling in Data Protection Commission v. Facebook Ireland, C-311/18 (Schrems II) came to fruition: This month, Facebook announced it is the subject of an inquiry by the Irish Data Protection Commission. The commission had issued a confidential preliminary order to suspend data transfers of EU data subjects from the EU to the U.S. Failure to abide could result in a fine of up to 4% of the company's annual revenue (roughly $2.8 billion for Facebook). Companies collectively clutched their pearls wondering who might be next.
And this isn't fearmongering; this is reality: The European Data Protection Board announced that, "A total of 101 identical complaints have been lodged with [European Economic Area] Data Protection Authorities against several controllers in the EEA member states regarding their use of Google / Facebook services which involve the transfer of personal data." The influx of complaints is so vast that the board released a press statement on stating it has, "created a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement."
So how did we get here? The EU's privacy law, the General Data Protection Regulation, has been in effect since May 2018. Privacy is viewed as a fundamental right in the EU. This law ensures data subjects' personal data is protected during transfers to countries not part of the EU. Article 45 of the GDPR mentions transfers on the basis of an adequacy decision. The United States had been found to be inadequate, though mechanisms over the years such as the Safe Harbor arrangement and later the Privacy Shield were put in place to allow for data transfers to occur legally. On Oct. 6, 2015, in the Schrems I case, the CJEU found the Safe Harbor arrangement inadequate, giving rise to the Privacy Shield.
In July, the CJEU's ruling invalidated the Privacy Shield as a legal mechanism for data transfers between the EU and U.S. The reasoning was that the mechanism failed to provide adequate protection of EU citizens' data because of surveillance by the United States government. The added significance is that this ruling occurred while GDPR is in effect, a law with the broadest privacy protections for data subjects and massive fines for violations. The CJEU's decision in Schrems II left the door open to the possibility that any data transfers to the United States may be deemed prohibited under GDPR. This reasoning is rooted in the fallout from Edward Snowden's revelations regarding the vast surveillance by the U.S. government of private citizens' communications.
The CJEU's ruling left the legality of the standard contractual clauses hanging by a thread by tacking a caveat onto this mechanism (SCCs are a method for U.S. companies to certify they meet certain privacy requirements for the transfer of data from the EU to the U.S.). The caveat is that these clauses are still valid, but only if the national security laws are in compliance with GDPR. This means companies employing SCCs must examine the national security laws of their own country to determine if the SCCs are in compliance. One interpretation of this narrow caveat is that SCCs and any personal data transfers to the United States might be unlawful. An alternative interpretation is that a company could legally transfer data if it vets the data it receives in the context of government surveillance by asking: Would the intelligence community ever want this information? A way to vet the data is to investigate the volume and frequency of requests from the government under the Foreign Intelligence Surveillance Act, and the information that FISA is seeking in those requests. If the data being transferred is not in keeping with what is sought by FISA requests, there might be an argument that the data transfer does not violate GDPR.
On Sept. 10, Facebook filed an appeal with the High Court of Ireland regarding the Irish Data Protection Commission's order suspending its data transfers. According to None of Your Business (NOYB), a privacy NGO established by Max Schrems, on Sept. 14 "the Irish High Court has granted Facebook leave to file a Judicial Review against the DPC (Case No 2020/617 JR) and stayed a new 'ex officio' procedure by the DPC into EU-US data flows." NOYB went on to state, "A Judicial Review allows parties to have the Courts review an ongoing procedure, even before a final decision is made. Facebook has complained to the Courts within weeks of a new 'ex officio' investigation by the DPC into Facebook's EU-US data flows. This new case is aimed at the use of SCCs and limited to such data flows -- completely ignoring the fact that Facebook has already announced to rely on a different transfer instruments for EU-US data transfers." These alternative transfer instruments are found in Article 49 of the GDPR, which lists "derogations for specific situations" in the absence of an adequacy decision. Examples of derogations include the data subject's explicit consent to the proposed transfer of data and a transfer of the user's information that is necessary for the performance of a contract, among others.
Facebook addressed the issue in a public blog posting on Sept. 9. Nick Clegg, VP of Global Affairs and Communications, said, "We support global rules that can ensure consistent treatment of data around the world." He cited the fact that prior to the CJEU's ruling in July, "more than 5,000 companies relied on Privacy Shield" for transatlantic data flows. Clegg outlined the potential fallout to come if this continues, "In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a U.S.-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco."
Ironically, Max Schrems, the Austrian privacy advocate, is not happy with the Data Protection Commission. Seven years ago, Schrems made his original complaint with the DPC regarding Facebook's data transfers. Regarding this, the CJEU said in its ruling, "The supervisory authority must handle such a complaint with all due diligence." In a letter to the Data Protection Commission dated Sept. 7, Schrems' solicitor, Ahern Rudden Quigley, lashed out, stating, "It therefore appears that you have launched a wholly unnecessary secondary inquiry, without providing any rationale for so doing, with the consequences that your investigation of our client's complaint is suspended indefinitely." Further, the solicitor wants the issues brought forth in this new inquiry to be "addressed in the context of our client's complaint and in the course of the investigation of that complaint."
Facebook is the canary in the mine. Companies large and small will be watching with bated breath to see how the behemoth fares. Currently, companies relying on data transfers can only hope that what they are doing will not bring a complaint and enormous fines. Although SCCs are still legal, this inquiry by the DPC highlights their fragility. Companies can attempt to use derogations, but those are supposed to be limited in context. Binding corporate rules are not a much better answer, as they only apply to intra-organization data transfers, and down the line, BCRs could be challenged in the same vein as SCCs. Localization of data in the EU is an option only open to large corporations able to have satellite branches.
One long-term solution might be reanimating the Privacy Shield. In a joint press statement following the CJEU ruling in July, European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross stated they have "initiated discussions to evaluate potential for an enhanced EU-US Privacy Shield framework." The statement continues: "The European Union and the United States recognise the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies."