Facebook Data Transfer Ruling: EU-US Data Flows Upheld

Facebook's Data Transfer Challenge in the EU

Facebook’s attempt to prevent its primary EU data protection authority from proceeding with a ruling regarding the suspension of EU-U.S. data transfers has been unsuccessful.

The Irish High Court recently delivered a judgment dismissing the company’s challenge to the procedures established by the Irish Data Protection Commission (DPC).

Potential Operational Impact

This ruling carries significant operational implications for Facebook. The company could be compelled to store data belonging to European users within Europe if it is instructed to cease transferring this information to the U.S. for processing.

Last September, the Irish data protection agency issued a preliminary order suggesting Facebook might need to suspend EU-U.S. data flows. Facebook responded by requesting a judicial review and securing a temporary suspension of the DPC’s procedures. This suspension is now being lifted.

Relevant parties have been granted a short period to review the High Court’s judgment before a further hearing on Thursday. At this hearing, the court is anticipated to formally remove Facebook’s stay on the DPC’s investigation and determine associated legal costs.

The DPC has refrained from detailed commentary on today’s ruling or the timeline for a decision concerning Facebook’s EU-U.S. data transfers. However, Deputy Commissioner Graham Doyle stated the DPC “welcomes today’s judgment”.

Background: The CJEU Ruling

The preliminary suspension order issued last autumn followed a pivotal judgment from Europe’s highest court during the summer. The Court of Justice of the European Union (CJEU) invalidated a key transatlantic agreement governing data flows, citing incompatibility between U.S. mass surveillance practices and the EU’s data protection standards.

The consequences of the CJEU’s invalidation of Privacy Shield – and a prior ruling against Safe Harbor – have been unfolding for years. Companies relying on the transfer of EU user data to the U.S. for processing have been actively seeking legally sound alternatives.

While the CJEU did not impose a complete ban on data transfers outside the EU, it unequivocally stated that data protection agencies must intervene and suspend international data flows if they harbor concerns about the security of EU data. EU to U.S. data flows were immediately identified as being at risk following the Privacy Shield ruling.

Challenges and Potential Outcomes

Some businesses face the challenge that a viable legal alternative may not exist. This situation is particularly problematic for Facebook, as its operations are subject to NSA surveillance under Section 702 of the FISA, which authorizes mass surveillance programs like Prism.

Following the Irish High Court ruling, what is the next step for Facebook?

As is typical in this complex legal matter – which originated with a 2013 complaint from European privacy advocate Max Schrems – further proceedings are anticipated.

The DPC will now pursue two separate inquiries: the original inquiry related to Schrems’ complaint, and a separate inquiry initiated last year, which temporarily paused investigation of the original complaint.

Schrems, through his privacy not-for-profit noyb, also filed for a judicial review of the DPC’s procedures. The DPC agreed to settle this review in January, committing to “swiftly” finalize Schrems’ original complaint. Progress is therefore already underway.

Essentially, the delays that have hindered regulatory action in Ireland regarding Facebook’s EU-U.S. data flows are being removed, and the DPC must now render a decision.

In other words, time is running out for Facebook’s EU-U.S. data flows. A detailed statement from Nick Clegg is anticipated shortly.

Timeline and Expectations

Schrems previously indicated to TechCrunch that he expects the DPC to issue a suspension order against Facebook within months, potentially as early as this summer, or by fall at the latest.

In a statement responding to the Court ruling, Schrems reiterated this expectation, stating, “After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, likely before summer. Now we simply have two procedures instead of one.”

However, a decision by the DPC regarding Facebook’s data transfers will not be the final step. It will require review by other EU DPAs. Disagreement among these agencies – as seen with previous DPC GDPR decisions – could lead to further delays (weeks to months) as the European Data Protection Board seeks consensus.

If a majority of EU DPAs cannot reach an agreement, the Board itself may need to issue a deciding vote, potentially extending the timeline for any suspension order. However, an end to the process is finally within reach.

Furthermore, this situation may create momentum for pro-privacy reform of U.S. surveillance laws.

“We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer,” added Schrems. “This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the US to change its surveillance laws.”

Facebook has been contacted for comment on the Irish High Court ruling.

Update: The company has now sent us this statement: