Facebook has received a “revised” preliminary ruling from its top European privacy regulator with implications for its ability to continue exporting user data to the United States, TechCrunch has learned.
“Meta has 28 days to comment on this preliminary decision, after which we will prepare a draft Article 60 decision for the other relevant supervisory authorities (CSAs). I expect this to happen. happen in April,” a deputy commissioner at the Irish Data Protection Commission (DPC), Graham Doyle, told us.
Doyle declined to detail the contents of the preliminary ruling.
However, in September 2020, the DPC sent a preliminary order asking Facebook to suspend data transfers, according to a Wall Street Journal report at the time, citing people familiar with the matter.
Meta, as the tech giant recently rebranded its data mining empire, flagged the continued risk to its EU-US data transfers during calls with investors.
He also immediately sought to challenge the DPC’s earlier draft order in court – but that legal avenue ran out in May last year when the Irish High Court issued a ruling dismissing the challenge to the DPC’s proceedings .
It is not clear that there has been a significant change in the facts of the case – which hinges on the clash between EU data protection law and US surveillance powers – since the previous draft. order directing the company to suspend transfers that would lead the regulator to come to a different conclusion now, regardless of what Meta submits for this next step.
In addition, in recent months other European data protection agencies have issued rulings against other US services involving transfers of personal data to the US, such as Google Analytics, which less optically, increases the pressure on the DPC to finalize a decision against Meta.
The regulator also faced a procedural challenge from original complainant Max Schrems, who extracted an agreement from it, in January 2021, that it would quickly finalize the long-running complaint – so that’s another near-delay at stake. .
Under the terms of this agreement, the DPC agreed that Schrems would also be heard in its (parallel) proceeding on its own accord – which it opened in addition to its complaint-based investigation related to its original complaint (2013) , and which is now moving forward via this new preliminary ruling issued to Meta.
Schrems confirmed he had received the DPC’s decision – but made no further comment.
(For even more twists, in November the Schrems-founded privacy group filed a criminal bribery complaint against the DPC — accusing the regulator of “procedural blackmail” over attempts to prevent the publication of other draft complaints…)
It’s still unclear exactly how long this multi-year data transfer saga could drag on before a final decision reaches Meta – potentially ordering him to suspend the transfers.
But he should be closer to months than years, now.
The Section 60 process loops through other interested data protection agencies – who have the ability to make reasoned objections to a proposed decision by a principal authority within an initial one-month period. Although there may be extensions. And if there is a major disagreement between DPAs over a preliminary decision, it can add months to the final decision-making process – and could ultimately require the European Data Protection Board to step in and push for a final decision. .
All this is yet to come; for now, the ball is back in Meta’s court to see what new nonsense his lawyers can come up with.
The tech giant has been contacted to comment on the latest development and in a statement, a Meta spokesperson told us:
“This is not a final decision and the IDPC has requested further legal submissions. Suspending data transfers would harm not only the millions of people, charities and businesses in the EU who use our services, but also the thousands of other businesses who rely on data transfers between ‘EU and the United States to provide global service. A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected. »
There is another poignant element to this seemingly never-ending story – as negotiations between the European Commission and the United States over the replacement of the old Privacy Shield data transfer agreement continue.
Over the past few months, Facebook and Google have made public calls for a new transatlantic data transfer agreement – asking for a high-level solution to the legal uncertainty currently facing dozens of US cloud services. (or at least those who refuse to give up their own access to people’s plain data).
However, the Commission has previously warned that there will be no “silver bullet” this time around – saying in 2020 that a replacement would only be possible if all the issues identified by the European Court of Justice in its ruling of July invalidating the Privacy Shield could be resolved. (meaning both a legal and accessible means of recourse for Europeans and the fight against the disproportionate surveillance powers of the United States which rely on mass interceptions of Internet communications).
So, in short, Privacy Shield 3.0 looks like a tall order – certainly in the kind of fast ordering business-as-usual demands of Meta… So Chief Lobbyist Nick Clegg certainly has his work cut out for him!