The wheels of privacy enforcement are slowly turning against Facebook in Europe, where its top data protection regulator, the Irish Data Protection Commission (DPC), has taken a key procedural step in a nearly decade-old data breach complaint.
The DPC today confirmed that a draft ruling on the legality of Meta data transfers from the EU to the US has been sent to other data protection agencies for review. Deputy Commissioner Graham Doyle declined to give any details about the decision itself, only confirming that it had been sent.
“We sent it to our fellow data protection authorities for their opinion, and they have one month to get back to us,” he told TechCrunch.
Politicowhich reported it earlier today also reports that the draft DPC decision directs Meta to stop exporting data from the EU to the US, and the publication goes on to claim that the order could result in Europeans being disconnected from services such as Facebook and Instagram. already this summer, if the order is confirmed by other EU data protection agencies that are considering it.
A DPC order against Facebook to prevent it from exporting EU citizens’ data to the US for processing, which is essentially how its service currently operates, would come as no surprise: Back in September 2020The Wall Street Journal also reported that the DPC sent Meta a preliminary order to suspend data flows between the EU and the US.
The regulator did not confirm the content of the order even then, but the development followed the landmark decision of the block’s highest court in July 2020which made a new breach in the legal framework regarding the export of data to the US due to a conflict between US surveillance law and EU privacy rights, so the specific content of the order did not need to be clarified.
which would In this excruciatingly long and convoluted saga of data protection (lack of) enforcement, it would be a surprise if the wheels of European regulators were turning so fast that Facebook was actually ordered to stop data streams this summer.
Plus, considering parallel reports that talks between the EU and the US to complete the replacement of the defunct Privacy Shield data transfer mechanism stalled as a political deal was reached on it. back in Marchand can no longer be completed by the end of the year (because the block previously proposed ) — cynics might suggest that Facebook’s data stream blocking leak could be a strategic ploy to oil the wheels of these high-level negotiations.
Commission legislators will definitely not enjoy reading the summer headlines that Europeans’ access to Facebook is disabled, even if the company itself is still bad reputation in the wider EU institutionsafter years of privacy scandals.
Max Schrems, a lawyer and European privacy campaigner who filed an initial Facebook data sharing complaint back in 2013, also doubts that today’s developments will lead to a quick resolution.
AT statement Responding to press reports about the draft decision, he said he expected the procedural objections to continue spinning the enforcement process—perhaps for many more months or even a year.
“We expect other DPAs to raise objections as some important issues are not addressed in the draft DPC,” he wrote. “This will lead to another draft and then to a vote. In other cases, it took another year altogether because the DPC did not voluntarily implement the comments of other DPAs and it took more than half a year to send the case to a vote,” he wrote in a response posted on the DPA website. noebhis privacy rights are non-commercial.
So – tl; dr – Don’t bet that the Facebook farm will close in Europe before the new school year.
Schrems also points out that the draft decision submitted by the DPC to other EU DPAs is still not a decision on his original complaint. This is due to the fact that the regulator launched an investigation “of its own free will” along with its complaint, to which this draft decision relates. As such, his complaint remains unresolved to this day, highlighting the need for citizens to exercise the EU rights they have on paper against powerful tech giants.
That’s why Schrems is counting on his enforcing wait of nine years (that’s also two years since the landmark EU Court of Justice decision that violated the privacy protection mechanism between the EU and the US, and yet Facebook data is still being shared).
Schrems also expects even more delays in execution – predicting the tech giant will throw the kitchen sink in a lawsuit against any order; and asks why the DPC is not (apparently) seeking a financial penalty in this case, which he claims could actually be a useful enforcement lever here, especially if backdated by his original complaint…
“Facebook will use the Irish legal system to delay any de facto data transfer ban,” he predicts in prepared comments. “Ireland will have to send police to physically cut the cords before these transmissions actually stop. What would have been easy to do was to fine past years, where the CJEU clearly stated that the transfers were illegal. It is strange that the DPC seems to “forget” about the only effective punishment in this case. You might get the impression that the DPC just wants to keep this thing going around and around.”
Delays seem like a given.
Return to FebruaryWhen the DPC sent Meta a revised decision on the complaint, the regulator told us that it expects this procedural step to be completed in April, so even this step took months longer than anticipated for no apparent reason. (We asked, but Doyle simply said it took “a few weeks longer” than expected.)
A spokesperson for Meta, who was able to comment on a draft DPC decision sent to other DPAs for review, tried to downplay the entire complaint, suggesting that a new EU-US data transfer agreement would soon eliminate his legal headache.
Here is Meta’s statement:
“This draft decision, which is subject to review by the European Data Protection Authorities, concerns a conflict between EU and US law that is in the process of being resolved. We welcome the agreement between the EU and the US on a new legal framework that will allow data transfers to continue across borders, and we expect this framework to enable us to keep families, communities and economies connected.”
What Meta doesn’t mention is that once passed, any new EU-US data transfer deal is likely to face a new legal challenge.
Privacy experts also expect that such a challenge before the CJEU will take less time.third) from time to time, as well as pointing out that the court has also shown a willingness to expedite judgments when there are risks to fundamental rights of EU citizens – so if Meta is betting on a strategy of constantly tossing its regional privacy concerns into legal long grass, it may finally – finally! – it turns out that he leaves the road and is forced to stop abruptly.
But the chances of Facebook turning off its service lights in Europe this summer look vanishingly small.
Credit: techcrunch.com /