A preliminary order has been handed down by Ireland’s Data Protection Commission (DPC) ordering Facebook to stop sending personal data transfers from Ireland to the United States.
This order is a result of the European Union Court ruling in July, referred to as Schrem II, that stated it is illegal for any personal data being transferred from the EU to the US if it can be monitored by US government agencies or federal authorities. What this means is that the non-EU countries where data is being sent need to be adhereing with GDPR or it would be considered as a breach of the same legislation.
Facebook has no been afforded the right to respond to the ruling of the DPC by the conclusion of September.
Due to the ruling the EU-US Privacy Shield was effectively rendered moot. Andrea Jelinek, chair of the European Data Protection Board (EDPB) said: “The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility… We will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries.
“However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick-fix solution. Each organization will need to evaluate its own data processing operations and transfers and take appropriate measures.”
Reacting to the establishment of the enquiry at the time, Facebook VP of global affairs and communications Nick Clegg said: “The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
He went on to say that the EU ruling “would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19. The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider.”