A ripple of shock must have swept across the corporate landscape over reports last week that the Irish Data Protection Commission (DPC) would order Facebook parent company Meta to halt data transfers to the US.
This was long believed by the vast majority of businesses – and clearly, their lawyers – to be the unthinkable, impossible and unlikely option. Certainly, at data security events I have attended over the years, businesses and corporate lawyers regularly dismissed this worst-case (for them) scenario.
Yet it is the only obvious outcome of years of inaction by the US to address the weak data protections offered to its own citizens and the scant limits placed on US security services’ access to data troves.
And it was an end result regularly signalled in a growing number of decisions by data protection authorities (DPAs) in many EU states and to anyone paying attention to a decade of European Court of Justice (ECJ) decisions. And, of course, to the General Data Protection Regulation (GDPR).
The preliminary decision is, at long last, the beginning of the end of the winding journey on the way to deciding whether Meta – and by extension, any other company moving personal data between the EU and the US – can continue to use a legal format known as standard contractual clauses (SCCs) as the basis for such transfers. The DPC seems to have said no.
The decision is central to concluding a long-running complaint filed by Austrian privacy activist Max Schrems, who has argued that his data cannot be sufficiently protected to the standard required by the GDPR once it is sent to the US, regardless of the contractual virtual container in which it is sent.
And while the spotlight often shines on big tech multinationals and their mass consumption and monetisation of personal data, companies of all sizes in many business sectors also need to move data between the EU and the US.
But if Meta can’t do it, neither can anyone else. And Meta/Facebook has had the time, cash and extensive internal legal resources to throw at this issue and develop what it would have hoped would be watertight, GDPR-compliant contracts.
Smaller companies, the ones that aren’t among the wealthiest multinationals in history, lack that luxury. That they’re all on a level playing field in this difficult matter is of little consolation.
Preliminary decision
Details of the decision, sent to Meta for further response before it goes to a group of fellow EU regulators for consideration, so far remain unknown. The DPC’s office confirmed only that a preliminary decision had been issued to the social media giant. But a statement from Meta last week indicated that the substance of the decision was to suspend transfers.
“Suspending data transfers would be damaging not only to the millions of people, charities and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service,” a Meta spokesman said (a deft PR move, that, to add the more emotive appeal of charities to the list).
Meta has threatened to depart the EU if it were to get anything like this particular outcome, but that seems unlikely given the size and value of the European market. Instead, if this is indeed the DPC’s decision, Meta and other businesses should (and no doubt will) at long last accept that the EU is not for turning. They will have to double down on Stateside lobbying to address the real problem all along: the US.
The US still lacks a federal data protection law, and citizens in only a handful of states are given any clear data protection and privacy rights. California leads the way, much to the fury of the tech sector, which calls the state its primary US home and has lobbied intensely against such rights.
And US security agencies can still gain access to and utilise data in ways that remain invisible to almost everyone. As the European Court of Justice has noted, there is no way for EU citizens to know if their data has ended up in a scrutinised database.
Last hope
If Facebook and other data-driven mega-companies such as Amazon can’t even send me appropriate ads, what chance that they can guarantee my EU-originating data doesn’t end up mingling with US data that gets swallowed up into some NSA server somewhere?
The ECJ has already said that it cannot, though SCCs weren’t specifically addressed. So Max Schrems had to file another complaint about SCCs, and here we are. SCCs were the last hope for transfers. If they are inadequate – no transfers.
If a ‘no transfers’ decision gets the nod from other DPAs – an outcome more rather than less likely – the only possible solution is a ground-breaking data protection and privacy rights shift to emerge from the US. That would be yet another way in which the GDPR has raised the bar and elevated data protection rights internationally, to the benefit of all of us.