Shortly after the Irish data protection commissioner told Facebook to put a stop on the transfer of data of EU residents to the United States, Facebook had filed a lawsuit against the Irish DPC, stating that the decision will have significant adverse effects on its business and millions of users who rely on its services.
Earlier this month, it came to light that the Irish DPC told Facebook it could no longer use ‘standard contractual clauses’ to transfer the data of EU residents to the US. With the European Court of Justice invalidating the EU- U.S. Privacy Shield that allowed the transfer of personal data between the two regions, businesses could still use standard contractual clauses to transfer data to the US.
In a lawsuit filed this week, Facebook said the Irish DPC sent the company a Preliminary Draft Decision on 28th August, stating that it would conduct an inquiry on whether Facebook Ireland could continue to transfer the data of EU residents to the US in light of the verdict of the ECJ which invalidated the EU-US Privacy Shield in July.
The letter sent by the Irish DPC also contained a "preliminary view" of "the sole decision-maker of the Commission", Facebook told the Court. The preliminary view was that Facebook's data transfers failed to guarantee the level of protection to data subjects that is afforded by the GDPR and that pursuant to the DPC's powers under Article 58 of GDPR, the data transfers should be suspended. The sole decision-maker in this regard is Helen Dixon, the data protection commissioner.
The lawsuit was initiated by Yvonne Cunnane, Facebook's Head of Data Protection and Privacy, who said the preliminary decision reached by the Irish DPC, if adopted, "are likely to have significant adverse effects upon the Applicant, its business and on the many millions of individuals and businesses who use its services."
Cunnane added that DPC gave Facebook only three weeks to respond to the Preliminary Draft Decision which was "manifestly inadequate, particularly in view of its complexity and of the seriousness of its potential adverse consequences" and refused to grant Facebook an extension despite a representation being made by the company to that effect.
These actions, Cunnane alleged, gave the impression that the Irish DPC had already formed an opinion and did not expect Facebook to be in a position to persuade it via a detailed response to the Preliminary Draft Decision. The granting of just three weeks to respond and the fact that the DPC also intended to arrive at a draft decision within 21 days after serving the letter to Facebook also amounted to a breach of fair procedures.
Stating that the Irish DPC did not make any attempt to gather information from Facebook prior to or after sending the letter on 28th August, Cunnane said it also did not follow its own "12-stages" of a statutory inquiry which were mentioned in the DPC's 2018 Annual Report.
In the lawsuit, filed by Facebook Ireland Ltd in the High Court in Dublin, Cunnane also alleged that the DPC chose to initiate the new inquiry even though a previous broad-based inquiry, based on similar data protection concerns, was in process. The Commissioner also chose to arrive at a preliminary view even though the European Data Protection Board (EPDB) has set up a task-force to examine the ECJ's judgment and to support data controllers to identify and implement measures to ensure adequate protection when transferring data to third countries.
Lastly, Cunnane also alleged that the Irish DPC has not initiated a similar inquiry into data transfers conducted by other companies within its jurisdiction, indicating Facebook is being singled out as a lot of companies are presently using ‘standard contractual clauses’ to transfer the data of EU residents to the US.
Earlier this month, Facebook also published a blog post, stating that the inquiry initiated by the Irish DPC could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.
"A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19. The impact would be felt by businesses large and small, across multiple sectors.
"The effects would reach beyond the business world, and could impact critical public services such as health and education. Ireland’s Covid Tracking App states, in its terms, that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the US," the company said.
"We recognize that building a sustainable framework that supports frictionless data flows to other countries and legal systems, while at the same time ensuring that the fundamental rights of EU users are respected, is not an easy task and will take time.
"While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.
"Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure. We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance," it added.
Commenting on the challenges faced by Facebook and other companies, that transfer data from the EU to the US, due to the ban placed on the EU-US Privacy Shield, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, says invalidation of the EU-US Privacy Shield isn’t the first occurrence of major waves in international data transfers and therefore, restrictions on international trade or data sharing should be part of the risk model used by the business.
"So while Facebook, and many other multinationals, may wish for clear guidance permitting data transfers, the reality is that unless the core concern of US Surveillance raised by the Schrems cases is resolved, clarity could be short lived. To mitigate risks, businesses should look to incorporating a more rigorous due diligence process that tracks legislative activity related to both data privacy and cybersecurity within the jurisdictions where they have users and operate.
"This diligence process should include a comprehensive understanding of how data is collected, manipulated, transferred, and retained throughout the software and digital supply chains used by the business. Such a review process will necessarily include software development teams and those from IT operations as key stakeholders. The goal of the diligence effort would be to identify implementation changes and operational practices that directly impact the data risk management exposure for the business," he adds.