Facebook and its subsidiary Instagram have engaged in an arm wrestling match with the Data Protection Commission (the Irish CNIL), which has ordered them to suspend data transfers from Europe to its data centers in the United States. At issue was the invalidation last July by the Court of Justice of the European Union (CJEU) of the Privacy Shield, the agreement that governed personal data transfers between the European Union and the United States.
This agreement provided a simple legal framework for all companies that host and process European user data in the United States. Nevertheless, the CJEU considered that it did not provide European citizens with a level of protection compliant with GDPR, due to the communication monitoring tools used by the US security services.
The major digital companies have continued to transfer data to the United States, relying on another legal mechanism: the “contractual clauses”. They consider that agreements with their users, for example when they accept the general terms and conditions of use of a service, constitute a sufficient legal basis for sending data to the United States.
The CJEU thus specified in its decision that these clauses can constitute an appropriate legal framework provided that they offer a “high level of guarantees”, in particular against abusive surveillance. Each company may therefore be required to demonstrate that the “guarantees” it offers are sufficient, which is what the Data Protection Commission is asking Facebook to do.
The Californian firm had until mid-September to respond to the preliminary injunction from the Irish Data Protection Authority. However, it decided to take the case to the High Court of Justice of Ireland, arguing the practical complexity of the request. It would indeed be forced to completely isolate the storage of personal data of European users. This is a major challenge, since it is the servers based in the United States that manage the distribution of the group’s targeted advertisements. Facebook risks a fine of up to 4% of its annual turnover, or nearly 2.8 billion dollars.
If the decision of the Irish Data Protection Authority were to be confirmed, it would have major consequences on the functioning of Facebook, but also of Google or Twitter, whose European headquarters are also located in Ireland, and which are therefore also concerned by this data transfer issue.
See our article on the invalidation of the Privacy Shield here: