Schrems II – The Wall Street Journal reports that the Irish DPC will order Facebook to stop transfers of personal data to the United States
10 September 2020
In what appears to be the first major supervisory authority action since the judgment, The Wall Street Journal reports that “Ireland to Order Facebook to Stop Sending User Data to U.S.”. We have previously written that the key to dealing with the fallout from Schrems II is to keep a calm head and not to panic; does this development change that?
This is the fourth article we have written about the decision of the CJEU in Schrems II; you can find the earlier pieces here: The CJEU’s decision in Schrems II: Privacy Shield invalidated (and SCCs in jeopardy), EDPB doubles down on Schrems II and Practical Steps on what to do next.
On 9 September 2020, The Wall Street Journal reported that, according to “people familiar with the matter”, the Irish Data Protection Commission has sent Facebook Inc. a preliminary order to suspend data transfers to the U.S. As yet this is only a press report and details are scant, although Nick Clegg, former Deputy Prime Minister of the United Kingdom and now VP of Global Affairs and Communications at Facebook, said in a wide-ranging post on the same day that (Clegg FB post):
“The Irish Data Protection Commission (IDPC) has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers.”
On that basis we must assume the WSJ’s article is accurate, and ask what the consequences are and what data controllers and data processors that transfer personal data out of the EEA should do now.
Should data controllers and data processors take this as an indication of the direction of travel for all companies, all industries and all other data supervisory authorities? If so, is the only solution to suspend all transfers of personal data from the EEA to the United States? And what about transfers to Singapore, South Africa, Brazil and elsewhere?
In our view that is not the right reading of this action by the Irish DPC.
Rather, data controllers and data processors should remain sanguine and calm about this decision. Faced with the CJEU’s ruling on Facebook’s transfers of personal data to the United States, what else could the Irish DPC do? The CJEU had, broadly, told the referring authority in the case (namely the Irish DPC) that Facebook’s transfers to the United States were unlawful, and the natural and logical consequence is that the Irish DPC was bound to order Facebook to suspend them.
But data controllers and data processors should remember these four things:
- The Irish DPC’s order (and, in some regards, the CJEU’s decision in Schrems II) is specific to Facebook
- At present the actual details of the order are scant, coming only from “people familiar with the matter” and Mr Clegg’s succinct comment in his post
- This does not (one hopes) mean that there will automatically be an avalanche of penalties and orders from other supervisory authorities across Europe and the UK in relation to extra-EEA transfers of personal data
- This is only a “preliminary order”, and procedurally there are months, if not more likely years, of next steps for Facebook and the Irish DPC (challenges, appeals, possibly another CJEU case) before any concrete decision is made; hopefully in the intervening period both the decision in Schrems II and the Irish DPC’s preliminary order will have been overtaken by other events, e.g. new SCCs from the European Commission and/or potentially a Privacy Shield Mk II. Note that Mr Clegg states in terms that “…this approach is subject to further process…”.
Data controllers and data processors should therefore keep a calm head when analysing this, keep it in mind and watch for further similar regulatory moves, but otherwise carry on with their current Schrems II compliance plans, which we set out in our article Practical Steps on what to do next; namely, in summary:
- Don’t panic
- Analyse Schrems II as best you can, and put in place a good governance framework to show you are doing what you can (in almost impossible circumstances), as part of which:
  - Review existing international data transfers and transfer mechanisms (hopefully much of this was done as part of your GDPR compliance) and identify areas of current non-compliance (e.g. continued reliance on Privacy Shield to validate EEA/UK to US transfers)
  - Where you are relying on SCCs for transfers to jurisdictions outside the EEA, including the US, consider preparing papers setting out why you believe those territories offer adequate protection to data subjects, so that in the unlikely event you are challenged you have the all-important written narrative to show the regulator
  - Put in place additional safeguards as far as possible (e.g. additional contractual wording; due diligence assurance on, for instance, encryption at rest and in transit, bearing in mind that encryption only protects against compelled access in the destination country if the importer cannot itself decrypt the data, i.e. the keys stay with the exporter)
- Wait for further guidance from EU/UK regulators and the FTC (including the arrival of the new SCCs from the EC)
- Hope the EC and FTC come together quickly to create a Privacy Shield Mark 2 for US transfers
We end with Mr Clegg’s summary of the potential difficulties created by the Schrems II decision:
“The Irish Data Protection Commission (IDPC) has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.
A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19. The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.
The effects would reach beyond the business world, and could impact critical public services such as health and education. Ireland’s Covid Tracking App states, in its terms, that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the US. International cloud providers and email platforms provide services to schools, universities and hospitals across Europe. Millions of people use video conferencing software every day, to keep in touch with friends and family who live in different countries.”