Following the Court of European Justice’s (CJEU) decision to invalidate the Privacy Shield and call on data protection authorities to use their enforcement powers, the Irish Data Protection Commission (DPC) issued a preliminary order directing Facebook to stop transferring data from the EU to the US. The obvious intent is to protect personal data from the far-reaching surveillance laws in the US that govern companies such as Facebook. However, the preliminary order implicates that the standard contractual clauses (SCCs) that Facebook was relying on in the wake of the Privacy Shield decision, are also invalid.
Facebook responded to the preliminary order with a strong rebuke, instilling fearful predictions of economic harm in the EU: “[I]t could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on. The effects would reach beyond the business world, and could impact critical public services such as health and education.”
Days later, Facebook appealed the preliminary order and sought a judicial review from the Irish High Court, which was granted. Facebook argued that the three weeks it was given to respond to the order was not enough time, that it was unfair for the DPC to only target Facebook, and that the order was issued prematurely because the European Data Protection Board has not released new privacy guidelines in the wake of the Privacy Shield decision.
Following the Irish High Court’s stay of the DPC’s Order, Max Shrems responded: “It does not come as a surprise that the DPC has again failed to run a proper procedure and was stopped by the Irish courts for now. At the same time it is not clear if Facebook will ultimately succeed with this case.”
While the preliminary order calls into question the validity of relying on SCCs to transfer data from the EU to the US, Facebook is simultaneously relying on the “necessary transfer” derogation listed under Article 49(1)(b) of the GDPR (“the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request”). Facebook believes that the company’s user agreements fall under this “necessary transfer,” however, the derogations under Article 49 are intended to be used
in limited situations. While the current judicial review is focused on the validity of Facebook’s use of SCCs for their EU-US data transfers, the company’s reliance on Article 49 will likely be another legal question for the courts to answer in the near future.
If the DPC’s preliminary order is upheld, the enforcement power to stop data transfers to the US will cause more of a shake-up than the invalidation of the Privacy Shield. First, there are the steep fines for violations: 4% of global revenue. According to the WSJ, this means Facebook could face up to $2.8 billion in penalties if they fail to comply. Additionally, if EU data protection authorities are able to suspend the transfer of data to the US, then the mounting pressure on the US government to pass privacy laws equal to those in the EU will reach an all- time high. For now, companies should continue to tighten their data protection measures and take additional steps to ensure transparency to their users regarding how their data is processed and transferred.