Ireland's Data Protection Commission (DPC) has committed to promptly resolve a protracted complaint concerning Facebook’s international data transmission practices, potentially compelling the technology company to halt data transfers from the European Union to the United States in the coming months.

The complaint, initially submitted in 2013 by privacy advocate Max Schrems, centers on the conflict between EU privacy regulations and the ability of US intelligence agencies to access Facebook user data through surveillance programs, details of which were extensively revealed by Edward Snowden.

The DPC’s pledge to expedite a resolution of Schrems’ complaint is a result of settling a judicial review of its procedures, filed last year by noyb, Schrems’ privacy organization, in response to the DPC’s decision to suspend the original complaint and initiate a new investigation process.

As part of the agreement, Schrems will also participate in the DPC’s “own volition” procedure and gain access to all documents submitted by Facebook, contingent upon approval from the Irish courts to proceed with the investigation, according to noyb.

While noyb recognizes a further delay is possible should the DPC await a High Court ruling on Facebook’s own judicial review of its processes before revisiting the initial complaint, Schrems believes his complaint, over 7.5 years old, may finally be nearing a conclusive decision within months.

“The courts in Ireland generally avoid setting firm deadlines, and the DPC utilized this by stating they cannot provide a timeline… Therefore, we achieved the most favorable outcome possible under Irish law, which is ‘swift’,” he explained to TechCrunch, characterizing this as “disappointing yet the best achievable result”.

When asked for his prediction regarding the timing of a final decision, he suggested it could arrive as early as this summer, but more realistically anticipates a resolution in the fall.

Schrems has consistently voiced criticism regarding the DPC’s handling of his complaint, and more broadly, the sluggish enforcement of the EU’s data protection regulations compared to the rapid evolution of technology companies, with Ireland’s regulator focusing on broader concerns about the legality of data transfer mechanisms between the EU and the US, rather than immediately ordering Facebook to cease data flows as Schrems requested.

This situation has already yielded significant consequences, culminating in a pivotal ruling last summer by Europe’s highest court, the CJEU, which invalidated a key EU-US data transfer agreement after determining that the US does not offer equivalent data protection standards to those of the EU.

The CJEU also clarified that EU data protection authorities are obligated to intervene and suspend transfers to countries where data is at risk, effectively returning the responsibility to Ireland.

The DPC, when contacted for comment on these developments, indicated it would provide a response later today. This report will be updated accordingly.

As Facebook’s primary data regulator within the EU under the General Data Protection Regulation (GDPR), the DPC issued a preliminary order in September to suspend data transfers, following the CJEU’s landmark decision.

However, Facebook promptly challenged this order in court, characterizing it as premature despite the complaint’s age exceeding seven years.

noyb stated today that it anticipates Facebook will continue to leverage the Irish courts to obstruct the enforcement of EU law. Last year, Facebook acknowledged using the courts to “send a signal” to legislators, seeking a political resolution to an issue impacting numerous businesses transferring data between the EU and the US, and to gain time for a new US administration to address the matter.

However, the timeframe for Facebook to continue this strategy is diminishing, and a final determination regarding its EU data flows could occur within six months.

This establishes a relatively short window for negotiations between EU and US lawmakers regarding a replacement for the defunct EU-US Privacy Shield.

European commissioners stated last fall that a replacement would require reforms to US surveillance laws. Whether such substantial changes to US law can be implemented by summer or fall appears unlikely, unless US companies actively lobby their representatives for the necessary modifications.

In court filings last year related to its challenge of the DPC’s preliminary order, Facebook suggested it might be forced to discontinue services in Europe if EU law is enforced against its data transfers.

However, Facebook’s chief communications officer, Nick Clegg, quickly refuted this possibility, instead urging EU lawmakers to consider the importance of its data-dependent business model to the EU’s post-COVID-19 economic recovery, emphasizing the necessity of “personalized advertising”.

The prevailing view among EU digital lawmakers, however, is that technology companies require increased regulation, not less.

Concurrently, an opinion from an advisor to the CJEU could influence the speed of GDPR enforcement across Europe if the court aligns with Advocate General Bobek’s assessment, as he appears to be addressing obstacles that have arisen in key jurisdictions like Ireland due to the GDPR’s one-stop-shop mechanism for managing cross-border cases.

While Bobek affirms the authority of a lead regulator to investigate cross-border cases, he also asserts that “the lead data protection authority cannot be considered the sole enforcer of the GDPR in cross-border situations and must, in accordance with the relevant rules and time limits stipulated by the GDPR, closely collaborate with the other data protection authorities involved, whose input is essential in this area”.

He also outlines specific conditions under which national DPAs could initiate their own proceedings, including for the purpose of implementing “urgent measures” or intervening “following the lead data protection authority’s decision not to handle a case”, among other defined reasons.

Responding to the AG’s opinion, the DPC’s deputy commissioner, Graham Doyle, stated: “We, along with our fellow EU DPAs, acknowledge the Advocate General’s opinion and await the Court’s final judgment regarding its interpretation of any pertinent One Stop Shop rules.”

Jef Ausloos, a postdoctoral researcher in data privacy at the University of Amsterdam, commented that the opinion demonstrates “a clear recognition that actual protection and enforcement may be hindered by the [one-stop-shop] mechanism”.

However, he suggested that any new avenues for DPAs to circumvent a lead regulator resulting from the opinion are unlikely to cause immediate disruption. “I believe the possibility exists for some changes/bypassing the DPC. BUT, only in the long term,” he noted.