Facebook has failed in its bid to forestall its lead EU knowledge safety regulator from pushing forward with a choice on whether or not to order suspension of its EU-U.S. knowledge flows.
The Irish High Court has simply issued a ruling dismissing the corporate’s problem to the Irish Data Protection Commission’s (DPC) procedures.
The case has big potential operational significance for Facebook, which can be compelled to retailer European customers’ knowledge regionally if it’s ordered to cease taking their info to the U.S. for processing.
Last September the Irish knowledge watchdog made a preliminary order warning Facebook it might need to droop EU-U.S. knowledge flows. Facebook responded by submitting for a judicial evaluation and acquiring a keep on the DPC’s process. That block is now being unblocked.
We perceive the concerned events have been given a number of days to learn the High Court judgement forward of one other listening to on Thursday — when the court docket is anticipated to formally raise Facebook’s keep on the DPC’s investigation (and settle the matter of case prices).
The DPC declined to touch upon at this time’s ruling in any element — or on the timeline for making a choice on Facebook’s EU-U.S. knowledge flows — however deputy commissioner Graham Doyle informed us it “welcomes today’s judgment”.
Its preliminary suspension order final fall adopted a landmark judgement by Europe’s high court docket in the summertime — when the CJEU struck down a flagship transatlantic settlement on knowledge flows, on the grounds that U.S. mass surveillance is incompatible with the EU’s knowledge safety regime.
The fall-out from the CJEU’s invalidation of Privacy Shield (in addition to an earlier ruling putting down its predecessor Safe Harbor) has been ongoing for years — as corporations that depend on shifting EU customers’ knowledge to the U.S. for processing have needed to scramble to search out legitimate authorized options.
While the CJEU didn’t outright ban knowledge transfers out of the EU, it made it crystal clear that knowledge safety businesses should step in and droop worldwide knowledge flows if they think EU knowledge is in danger. And EU to U.S. knowledge flows had been signalled as at clear danger given the court docket concurrently struck down Privacy Shield.
The drawback for some companies is subsequently that there might merely not be a sound authorized various. And that’s the place issues look significantly sticky for Facebook, since its service falls beneath NSA surveillance through Section 702 of the FISA (which is used to authorize mass surveillance packages like Prism).
Facebook misplaced 100% earlier than Irish High Court: “I refuse all of the reliefs sought by [Facebook Ireland] and dismiss the claims made by it in the proceedings”
➡️Judgment (Original) and first assertion right here: https://t.co/81C7pyCBTd
— Max Schrems 🇪🇺 (@maxschrems) May 14, 2021
So what occurs now for Facebook, following the Irish High Court ruling?
As ever on this advanced authorized saga — which has been happening in varied types since an unique 2013 grievance made by European privateness campaigner Max Schrems — there’s nonetheless some observe left to run.
After this unblocking the DPC could have two enquiries in practice: Both the unique one, associated to Schrems’ grievance, and an personal volition enquiry it determined to open final 12 months — when it mentioned it was pausing investigation of Schrems’ unique grievance.
Schrems, through his privateness not-for-profit noyb, filed for his personal judicial evaluation of the DPC’s proceedings. And the DPC rapidly agreed to settle — agreeing in January that it might “swiftly” finalize Schrems’ unique grievance. So issues had been already transferring.
The tl;dr of all that’s this: The final of the bungs which have been used to delay regulatory motion in Ireland over Facebook’s EU-U.S. knowledge flows are lastly being extracted — and the DPC should resolve on the grievance.
Or, to place it one other method, the clock is ticking for Facebook’s EU-U.S. knowledge flows. So count on one other wordy weblog put up from Nick Clegg very quickly.
Schrems beforehand informed TechSwitch he expects the DPC to situation a suspension order towards Facebook inside months — maybe as quickly as this summer time (and failing that by fall).
In an announcement reacting to the Court ruling at this time he reiterated that place, saying: “After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, likely before summer. Now we simply have two procedures instead of one.”
When Ireland (lastly) decides it received’t mark the tip of the regulatory procedures, although.
A call by the DPC on Facebook’s transfers would wish to go to the opposite EU DPAs for evaluation — and if there’s disagreement there (as appears extremely possible, given what’s occurred with draft DPC GDPR selections) it would set off an extra delay (weeks to months) because the European Data Protection Board seeks consensus.
If a majority of EU DPAs can’t agree the Board might itself need to forged a deciding vote. So that might lengthen the timeline round any suspension order. But an finish to the method is, in the end, in sight.
And, properly, if a vital mass of home stress is ever going to construct for pro-privacy reform of U.S. surveillance legal guidelines now appears to be like like a very good time…
“We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer,” added Schrems. “This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the US to change its surveillance laws.”
Facebook has been contacted for touch upon the Irish High Court ruling.
Update: The firm has now despatched us this assertion:
Today’s ruling was concerning the course of the IDPC adopted. The bigger situation of how knowledge can transfer all over the world stays of serious significance to 1000’s of European and American companies that join prospects, pals, household and staff throughout the Atlantic. Like different corporations, we have now adopted European guidelines and depend on Standard Contractual Clauses, and acceptable knowledge safeguards, to offer a worldwide service and join individuals, companies and charities. We stay up for defending our compliance to the IDPC, as their preliminary choice might be damaging not solely to Facebook, but additionally to customers and different companies.