Facebook is threatening to pull the plug on its operations in Europe following a court order demanding it to stop transferring data to the US. But experts doubt that the strategy will be effective.
A Facebook court filing challenged Ireland’s Data Protection Commission (DPC) over the Schrems II ruling handed down in July. The landmark ruling invalidated the Privacy Shield – the agreement that supported the transfer of data between the EU and the US – due to the latter’s sweeping surveillance network, and the lack of guarantee that European citizens’ data doesn’t get caught up in it.
At the time of the announcement, both US secretary of state Mike Pompeo and secretary of commerce Wilbur Ross expressed their disappointment with the ruling, but emphasised a willingness to work with the EU to find a new, more sustainable solution.
Off the back of the ruling, Facebook received a preliminary order from the DPC that demanded the social media company stop sending data from the EU to the US – a move meaning Facebook is currently using country-specific data agreements known as model clauses or standard contractual clauses (SCCs) to facilitate data transfers, until a new agreement is reached.
Facebook’s court filing emphasises that it may have to shut down its European operations entirely if the current impasse is not rectified. Facebook Ireland’s head of data protection Yvonne Cunnane, writes in the affidavit: “It is not clear to [Facebook] how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU”.
The legal document also alleges bias against Facebook on the part of the data regulator, claiming that no other companies had been singled out in the same way.
Head of data protection at JMW law firm, Toni Vitale, says that he believes Facebook’s threat is a way to put pressure on the European Commission to more speedily devise an alternative solution to the defunct Privacy Shield. “At the moment, the effect of the judgement is that it’s left up to the individual country regulators to decide on whether transferring to the US using model clauses, for example, is permitted […] and the problem with that is there’s 27 of them, and each of them could come up with a different decision.”
Model clauses are a standardised method for transferring data to entities located in countries outside of the European Economic Area that are considered to have inadequate data protections by the EU.
This could lead to the situation where certain data transfers are permitted by Germany but not for France, for example.
Vitale believes that Facebook’s actions are “not necessarily because it thinks that the rules in Europe are too draconian”. “I would have thought that it’s the attempt by Facebook to try and light a fire under the regulators to say […] we need some certainty, we need something put in place, because at the moment, you’ve left it to the individual regulators to make their own rulings and they’re starting to do that, and we’re finding that just too difficult to cope with.”
Could the strategy successfully pressure the DPC to acquiesce? “The rest of the EU and the EDPB wouldn’t let them,” says professor of internet law at Newcastle University, Lilian Edwards. “At worst, Ireland could be sued again by the Commission or individuals for failing to properly implement [or] enforce the GDPR. The [Court of Justice for the European Union] has defined what the law is now, [and that] trumps Ireland.”
Edwards points out that Facebook is not being victimised as part of the ongoing techlash, because “Schrems II is still post-Snowden fallout”.
“I always thought the Privacy Shield was doomed anyway,” says Vitale, adding that the elements of the Privacy Shield ran counter to the way data was treated in the US, and that they didn’t really apply in other trade treaties that the US had signed.
Edwards is skeptical that such a new agreement can be reached at all. “Until the US reforms its surveillance law and decides to respect human rights for all, not just civil rights for US citizens, it’s hard to see how any Safe Harbor [or] Privacy Shield is going to survive.”