Will the EU finally deny the right to transfer any personal data from its shores to the United States? Its privacy decisions have been inching closer to this determination for years, and an Irish case against Facebook may tip the balance.
For fifteen years, personal data being sent from the European Union (“EU”) to the United States were accepted under “Safe Harbor” principles. The Safe Harbor emerged in part to the EU’s 1995 Data Protection Directive being implemented and concerns that with the emergence of the internet, that the United States could not guarantee a sufficient level of protection for European citizens’ personal data.
In 2013, however, the Safe Harbor was challenged, due to Edward Snowden’s intelligence leak which indicated a significant American government surveillance program. The challenge to the Safe Harbor was rooted in the belief that the information of EU citizens stored in the US would be at risk of government surveillance. An Austrian citizen, Maximilian Schrems (“Schrems”), filed a complaint against Facebook with the Irish Data Protection Commission (“DPC”). The DPC declined to investigate the complaint because the data transfer at issue was in adherence to the Safe Harbor.
Schrems proceeded to challenge the Irish DPC’s refusal to investigate the complaint in court. The Irish High Court referred this challenge to the Court of Justice of the European Union (“CJEU”). Facebook, like many companies, relied on Safe Harbor to process and transfer EU personal data. In October 2015, the CJEU declared the Safe Harbor invalid. In response, the United States and EU replaced the Safe Harbor with the U.S.-EU Privacy Shield, in order to allow companies to continue to transfer EU citizen’s personal data to the United States while still complying with the requirements outlined by the CJEU in the Schrems decision.
Recently, the CJEU invalidated the Privacy Shield mechanism for transferring data between the EU and the United States. The basis for the decision was once again governmental access to personal data. The recent decision (“Schrems II”) preserved an alternate legal mechanism for companies, Standard Contractual Clauses (“SCC”), when the data exporter puts in place appropriate safeguards to ensure a high level of protection for data subjects. Some local European data authority decisions and recent actions by the DPC against Facebook created concern around the use of SCCs as well.
In the DPC’s annual report last year, it disclosed that it had launched 8 investigations involving Facebook for GDPR violations. A September 9, 2020 article in the Wall Street Journal reported that the DPC had issued Facebook a preliminary order to suspend transfers of EU personal data to the United States.
A spokesman for the Commission declined to comment on the report. Ireland’s data regulator has sent Facebook a preliminary order to stop transferring user data from the EU to the U.S. Though the DPC did not provide comment, Facebook stated that the DPC had "commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers." Facebook is also seeking judicial review of the Irish Data Protection Commission’s preliminary decision because the SCC is a widely accepted tool for transferring EU data to the United States, sans Safe Harbor, or Privacy Shield. This legal challenge will be significant to monitor as it has the potential to implicate every transfer of EU personal data to the United States going forward.