The Irish data protection commissioner has told Facebook to put a stop on the transfer of data of EU residents to the United States, stating that personal data protection and its judicial protection in the U.S. is not as per requirements of EU law.
Even though the Irish data regulator is yet to publish a statement in this regard, reports suggest that the Data Protection Commission informed Facebook in early August that the social media giant could no longer transfer the data of EU citizens to the U.S. This means that Facebook and many other companies may no longer be able to use ‘standard contractual clauses’ to transfer data to the US.
The regulator arrived at this decision not long after the European Court of Justice invalidated the EU- U.S. Privacy Shield that allowed the transfer of personal data between the two regions, stating that since the requirements of U.S. national security, public interest, and law enforcement have primacy, the Privacy Shield does not protect personal data from being accessed by U.S. public authorities for various reasons.
The court noted that the personal data of EU citizens can be processed outside the European Union only if a country has data protection rules and regulations that are essentially equivalent to those required under EU law. However, in the case of the United States, there is no such equivalence as the scope of surveillance programmes are not limited to what is strictly necessary.
It added that the limitations on the protection of personal data from the access and use by U.S. public authorities do not place any limitations on the power they confer to implement surveillance programmes and also do not offer any guarantees to potentially targeted non-U.S. persons.
Even though some of the provisions laid down requirements with which the US authorities must comply when implementing the surveillance programmes, the provisions do not grant data subjects actionable rights before the courts against the US authorities.
New privacy ruling will severely disrupt economic activity in the EU, says Facebook
Responding to the Irish data protection commissioner's assessment which is in sync with the decision of the European Court of Justice, Nick Clegg, Facebook's VP of Global Affairs and Communications and former deputy PM of the UK, said a ban on the use of standard contractual clauses for EU-US data transfers could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.
"A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek recovery from COVID-19. The impact would be felt by businesses large and small, across multiple sectors.
"In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.
"The effects would reach beyond the business world, and could impact critical public services such as health and education. Ireland’s Covid Tracking App states, in its terms, that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the US," he said.
Having warned about the impact of new privacy regulations on the EU economy, Clegg said efforts by EU and US lawmakers to evaluate the potential for an “enhanced” EU-US framework – a Privacy Shield Plus, is a welcome move and that Facebook would expect regulators to take a pragmatic approach to minimise disruption to thousands of businesses.
"We recognize that building a sustainable framework that supports frictionless data flows to other countries and legal systems, while at the same time ensuring that the fundamental rights of EU users are respected, is not an easy task and will take time.
"While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way," he added.