GDPR Ruling Results in Ireland Directing Facebook to Cease Data Transfers to US

A preliminary order has been issued by Ireland’s Data Protection Commission (DPC) directing Facebook to cease transferring personal data transfer from Ireland to the United States.

This order comes following the European Union Court ruling in July, known as Schrem II, that it is a breach of legislation for any personal data being transferred from the EU to the US if it can be monitored by US authorities. The ruling, in essence, requires the non-EU countries where data is being sent to be in compliance with the European Union’s General Data Protection Regulation (GDPR). Allowing the monitoring of data,  even by government agencies, would represent a breach of this legislation.

Facebook can respond to the ruling of the DPC by the end of September. If is fails to comply with the order at that point that it could be subject to a fine as high a 4% of global annual revenue for the previous financial year. Given that Facebook’s annual global revenue for 2019 was reported as $70.7bn then fine could potentially be as high as €2.9bn.

Following the initial ruling by the European Court, which you can read more about here, the the DPC established an official inquiry which led to this preliminary order being issued.

Responding to the establishment of the enquiry at the time, Facebook VP of global affairs and communications Nick Clegg said: “The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”

He went on to say that the EU ruling “would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19. The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider.”

Due to the ruling the EU-US Privacy Shield was effectively rendered moot. Andrea Jelinek, chair of the European Data Protection Board (EDPB) said: “The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility… We will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries.

“However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick-fix solution. Each organization will need to evaluate its own data processing operations and transfers and take appropriate measures.”