Ireland’s data protection watchdog, the Data Protection Commission (DPC), has given Facebook a preliminary order to suspend data transfers from the EU to the US.
The directive, sent late last month, said that the method Facebook uses to transfer data from outside the EU, Standard Contractual Clauses (SCCs), “cannot in practice be used” for such transfers.
SCCs are contractual terms signed between the sender and the receiver of personal data. They are designed to ensure data protection complies with GDPR requirements in territories outside the EU. They are used by thousands of companies other than Facebook to transfer data from EU countries around the world for various services.
Concerns about US surveillance led the Court of Justice of the European Union (CJEU) in July this year to rule that another method of transferring data outside the EU, Privacy Shield, was no longer valid. The same concerns are behind the new move to stop SCCs being used.
Facebook has replied to the order, with a statement from the company’s VP of Global Affairs and Communications, Nick Clegg, noting that the July judgement ruled that SCCs were still valid.
“But the rationale in invalidating Privacy Shield has nonetheless created significant uncertainty – not just for US tech companies, or even for all the European businesses who rely on online services to reach new customers, but for all European businesses with transatlantic data flows,” the statement said.
However, in the ruling, the court stressed that SCCs contain a provision allowing privacy watchdogs to suspend or prohibit transfers outside the EU if data protection in other countries cannot be assured.
- Facebook Threatens to Block News Sharing in Australia
- French Watchdog Probing TikTok Over Data Privacy
- Facebook to Restrict Political Ads In Week Ahead of US Elections
While the preliminary order was only sent to Facebook, the move could have far-reaching consequences for all companies that use SCCs, including some of the larger tech giants. Clegg made such a warning in his statement: “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19.
“In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider.
“A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.”
Should Facebook no longer be able to transfer EU data to the US, it may drive the company to develop infrastructure in European countries to house EU data. The other option is to risk a fine from the DPC, which could be up to 4% of Facebook’s $2.8 billion of annual revenue.
In the meantime, the Facebook statement said that the company will continue transferring data in compliance with the CJEU ruling and until it receives further guidance.