Europe closer to banning Facebook personal data transfers to the US

The Data Protection Commission of Ireland (DPC) is getting closer to taking action that might stop Facebook and Instagram from transferring data from the European Union (EU) to the United States.

The DPC acknowledged on Thursday that a draught ruling on the legitimacy of Meta’s EU-US data transfers had been sent to other European data protection authorities for assessment.

The DPC has reportedly informed regulators that it would prevent Meta, the owner of Facebook, from transmitting user data from Europe to the United States.

“We have sent it to our colleague data protection authorities for their views and they have one month to come back to us,” Deputy Commissioner, Graham Doyle told TechCrunch.

Doyle declined to provide any specifics about the draft decision, just saying it had been sent to other regulators.

The decision, first reported by Politico, puts further pressure on American and European negotiators to reach a deal that would enable European companies to continue sending digital information to the US.

The DPC issued a provisional order in 2020 to block the mechanism that Meta used to transfer data on European users to the US after Europe’s highest court ruled that the transatlantic Privacy Shield agreement between the EU and the US was invalid. The court said that the agreement was unable to protect European users’ data from US surveillance mechanisms.

However, it allowed some tech firms like AWS and Google to use standard contractual clauses (SCCs) as a legal mechanism for data transfers, with some adjustments. Meta relies on SCCs to transfer data today, but has cautioned that they could be subject to ‘regulatory and judicial scrutiny’.

The DPC’s investigation has continued since 2020, and on Thursday it shared a draught of its final verdict with its EU peers.

Meta, which owns Facebook and Instagram, has indicated that it may be forced to discontinue both services in Europe if it is unable to move data to the US easily.

In a filing to the US Securities and Exchange Commission (SEC) in March this year, the company said that it would likely be unable to provide many of its services, including Facebook and Instagram, in Europe if “a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States.”

Because Meta’s WhatsApp subsidiary has a separate data controller within the bloc, the final DPC ruling would not apply to WhatsApp.

A Meta spokesperson said on Thursday: “This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved.

“We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”

However, discussions between the EU and US on cross-border data sharing after the Schrems II case struck down Privacy Shield in 2020 have made little progress in recent months.

Leave a Reply

Your email address will not be published.