Doc Reveals Theory Behind Facebook’s Defiance of EU Court

Facebook continues to feud with the European Union over data transfers to the U.S., which the EU’s highest court twice prohibited. “Facebook has been ignoring EU law for 8.5 years now,” says privacy advocate Max Schrems, whose 2013 complaint against Facebook prompted the Court of Justice of the European Union (CJEU) to conclude that the U.S. did not offer sufficient protection for EU data and transfers should stop. Schrems says the social giant takes “the view that the Court of Justice is wrong — and Facebook is right. It is an unbelievable ignorance of the rule of law.” Schrems has now obtained an internal Facebook document that explains the company’s justification.

In July of last year, the CJEU “struck down a U.S.-EU data transfer instrument called Privacy Shield,” Politico writes. “The court concluded Washington did not offer adequate protection for EU data shipped overseas because U.S. surveillance law was too intrusive for European standards.”

However, “in the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the U.S.”

Politico notes that “the CJEU had reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe’s top judges categorically stated Washington did not have sufficiently high privacy standards.” Those decisions became known as Schrems I and Schrems II.

On December 19, Schrems revealed in a blog entry for NOYB, an advocacy group he founded in 2017, that he had obtained Facebook’s internal 86-page Transfer Impact Assessment (TIA) offering their legal justification for ignoring the EU court rulings: Facebook’s transfers fall under the Standard Contractual Clauses, not the more onerous Privacy Shield data pact.

While the 2020 SCC ruling “did allow the possibility that data can be legally moved out of the EU to third countries, it made it clear that DPAs must step in and suspend data flows where they suspect people’s information is going somewhere where it’s at risk,” TechCrunch writes.

The Irish Data Protection Authorities in a preliminary September 2020 decision “suggested Facebook would have to stop transferring data to the U.S. following last July’s ruling, but has yet to finalize the decision despite overturning Facebook’s challenge to the agency’s investigation in May. Dublin now holds the power to stop Facebook from moving EU data to the U.S.,” Politico writes, adding that “if the Irish watchdog follows through with that decision, it would mark a serious blow to Facebook’s efforts to keep the data taps flowing amid the ongoing EU-U.S. discussions on a new data-transfer pact.”