Ireland Orders Facebook to Stop Moving EU Data to the U.S.

Ireland’s Data Protection Commission sent Facebook a preliminary order to cease data transfers of its European Union users to the U.S., a move confirmed by Facebook vice president of global affairs Nick Clegg. In doing so, EU regulators have taken a major step to enact a July ruling forbidding such transfers. Facebook would have to partition the data it collects from European users or stop serving them altogether. Otherwise, Ireland’s commission can fine Facebook up to $2.8 billion, 4 percent of its annual revenue.

The Wall Street Journal reports that, according to Clegg, “a lack of safe, secure and legal international data transfers would damage the economy and prevent the emergence of data-driven businesses from the EU, just as we seek a recovery from COVID-19.”

Facebook, whose regional headquarters are in Ireland, may be only the “first among other U.S.-based tech companies to face similar orders,” said sources, one of whom added that, “at stake is whether the U.S. might have to change its surveillance laws for data transfers to resume.”

At risk should data transfers to the U.S. be blocked are “billions of dollars of trade from cross-border data activities, including cloud services, human resources and marketing, because they involve accessing or storing information about Europeans from U.S. soil.”

The Irish commission, which has given Facebook a deadline of mid-September to respond to the order, said that after it receives the responses, “it plans to send a new draft of the order to the 26 privacy regulators in other EU countries for joint approval under a cooperation provision of the bloc’s privacy law.”

The European Commission and U.S. officials have begun negotiations on “a new way to send data” that would comply with the July ruling but, said EU justice commissioner Didier Reynders, “there will be no quick fix.” In court, the U.S. — which stated its surveillance practices are “proportionate” — argued in court that the EU “shouldn’t exercise jurisdiction over U.S. national-security practices.” A board of EU privacy regulators created a task force to address how to enforce the July ruling.

A basic tenet of EU privacy law, dating to the 1990s, makes it “illegal for a company to send personal information about EU residents to another part of the world that doesn’t offer essentially equivalent privacy protections to the EU — except in certain circumscribed circumstances.” Since the U.S. doesn’t have a national data privacy law, it and the EU “negotiated a special system, called Safe Harbor, where companies sending European data to the U.S. could opt into EU-style rules, enforced by the U.S. government.”

Legal challenges to Safe Harbor began in 2013, when Edward Snowden leaked details of U.S. government surveillance practices. Privacy activist Max Schrems “argued that Safe Harbor exposed his Facebook information to the U.S. government … [and] the EU’s Court of Justice agreed and struck down the system in 2015.”

The EU and U.S. adopted Privacy Shield as a replacement framework, but “July’s Court of Justice decision struck that system down, too, saying that the U.S. still didn’t provide Europeans with actionable rights to challenge surveillance.”