Facebook has received a “reviewed” preliminary ruling from its top EU privacy regulator with implications for its ability to continue exporting user data to the US, Ploonge has learned.
“Meta has 28 days to make presentations on this preliminary decision, at which time we will prepare a draft Article 60 decision for other Interested Supervisory Authorities (CSAs). I predict this will happen in April,” said Deputy Commissioner of the Irish Data Protection Commission (DPC), Graham Doyle.
Doyle declined to detail the contents of the preliminary ruling.
However, in September 2020, the DPC sent a preliminary order telling Facebook to suspend data transfers, for a Wall Street Journal report at the time, citing people familiar with the matter.
Meta, as the tech giant recently renamed its data mining empire, has been signaling continued risk to its EU-US data transfers in investor calls.
It also immediately sought to challenge the DPC’s previous draft order in the courts – but that legal avenue ran out of steam in May of last year when the Irish High Court issued a decision dismissing the challenge to the procedures of the DPC.
It’s unclear whether there has been any material change in the facts of the case – which hinges on the clash between European data protection law and US surveillance powers – since the previous draft order telling the company to suspend transfers that would lead to the regulator come to a different conclusion now, regardless of what Meta comes up with in this next step.
Furthermore, in recent months, other European data protection agencies have been issuing rulings against other US services that involve the transfer of personal data to the US – such as Google Analytics – which is, at least from an optical point of view, increasing pressure on the DPC to finalize a decision against Meta.
The regulator also faced a procedural challenge from the original claimant, Max Schrems, who extracted an agreement from him in January 2021 that he would quickly end the long-running claim — so that’s another near-term at stake.
Under the terms of that settlement, the DPC agreed that Schrems would also be heard in his (parallel) “own will” procedure – which he opened in addition to his grievance-based inquiry related to his original grievance (2013), and which is now advancing through of this new preliminary decision issued to Meta.
Schrems confirmed that he received the DPC’s decision – but did not comment further.
(For even more twists, in November, the privacy advocacy group founded by Schrems filed a criminal corruption complaint against the DPC — accusing the regulator of “procedural blackmail” in relation to attempts to prevent the publication of other draft complaints… )
It remains unclear exactly how long this multi-year data transfer saga might drag on before a final decision hits Meta – potentially ordering it to suspend transfers.
But that we must be closer to months than years now.
The Article 60 process involves other interested data protection agencies – which have the ability to make reasoned objections to a draft decision by a lead authority within, initially, one month. Although there may be extensions. And if there is major disagreement between DPAs over a preliminary decision, that could add months to the final decision-making process – and could ultimately require the European Data Protection Board to step in and push a final decision.
All that is yet to come; for now the ball is back in Meta’s court to see what new words her lawyers can come up with.
The tech giant was contacted for comment on the latest development and in a statement a spokesperson for Meta told us:
“This is not a final decision and the IDPC has asked for more legal submissions. Suspending data transfers would be harmful not only to the millions of people, charities and companies in the EU that use our services, but also to the thousands of other companies that rely on EU-US data transfers to provide a global service. A long-term solution to EU-US data transfers is needed to keep people, businesses and economies connected.”
There is another poignant piece to this seemingly never-ending story – as negotiations between the European Commission and the US over replacing the defunct Privacy Shield data transfer agreement continue to progress.
In recent months, Facebook and Google have been making public calls for a new transatlantic data transfer agreement to be agreed – calling for a high-profile correction to the legal uncertainty now faced by dozens of U.S. cloud services (or at least those that refuse to give up their own access to people’s data).
However, the Commission has previously warned that there will be no ‘quick fix’ this time around – saying in 2020 that a replacement would only be possible if all the issues identified by the European Court of Justice in its July ruling invalidating the Privacy Shield could be resolved. (meaning a legal and affordable means of redress for Europeans and combating disproportionate US surveillance powers that rely on mass intercepts of Internet communications).
So, in short, Privacy Shield 3.0 seems like a tall order – certainly in the kind of short task that Meta’s usual business demands… So, lead lobbyist Nick Clegg certainly has his work cut out!