The Irish regulator is expected to stop the social media giant from moving data to the US because of privacy concerns.
Ireland’s privacy watchdog has told Facebook that it will soon have to stop transferring its European users’ data to the United States because the social media giant’s current procedures fall foul of EU law.
Facebook was told in early August that the Irish privacy regulator was reviewing how it moved data to the U.S., according to two people with knowledge of the case who spoke on the condition of anonymity because they were not authorized to speak publicly.
In a statement, Nick Clegg, Facebook’s head lobbyist, confirmed Ireland’s expected decision, saying that the pending ruling would be felt across the transatlantic economy.
“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU,” Clegg said. “We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”
Facebook still has an opportunity to put its case to Ireland’s Data Protection Commissioner before a final judgment — but the order will likely set a precedent for how billions of euros of data should be handled and moved across the Atlantic.
The order may force other tech giants like Google to reconsider transferring EU data to the U.S. after the 27-country bloc’s highest court ruled in July that the U.S. did not sufficiently protect Europeans’ privacy rights when their data was accessed by American national security agencies.
Privacy campaigners have long accused the U.S. of mishandling people’s personal data, and several legal challenges that found their way to Europe’s highest court confirmed that Washington was not seen as sufficiently protecting EU data protection rights under the bloc’s tough privacy standards.
“Facebook is knowingly in violation of the law since 2013,” Max Schrems, the privacy campaigner who brought the initial complaint against the company, told POLITICO. “It seems now not even the DPC can deny that Facebook’s international data transfers are built on sand.”
The privacy decision involving Facebook relates to so-called standard contractual clauses, or complex legal mechanisms that allow companies to move data from the EU to other parts of the world.
These clauses had come under threat in the July decision from the Court of Justice of the European Union, which stated that companies and national EU privacy agencies were required to review whether such data-transfer mechanisms were still legal when countries like the United States did not have sufficient privacy protections in place.
Because Europe’s highest court had ruled that data transfers to the U.S. were no longer legal, Dublin was eager to push forward with a decision that could be shared with its European counterparts as early as possible, according to a person with knowledge of the case, who also spoke on the condition of anonymity.
A final ruling in Facebook’s case will come after the company responds to the agency’s initial ruling and after that decision is shared with other EU data protection authorities. That final decision could come by October, though it could be pushed further back.
Matt Sanders, a Facebook spokesman, said the company planned to continue using standard contractual clauses to move data from Europe to the U.S., adding that further privacy protections, including the use of data encryption, would be put in place to meet Europe’s privacy standards. Legal experts have said that such a solution would be unlikely to constitute sufficient protection under the region’s law.
Graham Doyle, a spokesman for Ireland’s Data Protection Commissioner, declined to comment.