Privacy concerns prompt Irish regulators to ask Facebook to stop sending EU user data to the US

A preliminary order brings to light concerns over US surveillance activities.
Written by Charlie Osborne, Contributing Writer

Facebook says that Irish regulators believe current user data exchange methods between the US and EU "cannot in practice be used," leading to an inquiry into the data transfer practices employed by the company. 

The Irish Data Protection Commission (IDPC) is referring to Standard Contractual Clauses (SCCs), mechanisms designed to facilitate data transfers between the EU and non-EU countries. 

In Facebook's case, SCCs are used to maintain transatlantic data flows including the exchange of EU user data. 

The Wall Street Journal reports that the IDPC sent a preliminary order to the social media giant last month to suspend the transfer of EU user data to the US.


In a September 9 blog post, Nick Clegg, Facebook's VP of Global Affairs and Communications, said that the IDPC has launched an inquiry into such data transfers and "suggested that SCCs cannot in practice be used for EU-US data transfers," resulting in what could be a "far-reaching" impact on businesses.

The EU-US Data Privacy Shield framework, established to enforce high protection standards when information is transferred out of EU borders, was the subject of a case brought to the Court of Justice of the European Union (CJEU) by Max Schrems.

The activist argued that the system could subject EU citizen data to abuse by US law enforcement, which is known to operate widespread surveillance programs. 

In July, the court deemed Privacy Shield invalid due to GDPR standards, but SCCs -- case-by-case data exchange systems that enforce "essential equivalence" to EU data protection standards -- are still considered valid by the CJEU.

Data controllers that use SCCs are required to maintain stringent data protection measures, and if they are found to be in breach, EU regulators have the power to suspend SCC programs.


However, the company claims that if it complies with the Irish regulators' stance on SCCs rather than the CJEU's, and is left without a legal way to exchange data across EU and US digital borders, economic damage will follow, and data-driven companies in Europe will also suffer when it comes to growth.

"In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider," Clegg says. "A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call center in Morocco."


The executive added that since the CJEU's ruling in July, Facebook has been "working hard to follow the steps set out by the court to ensure that we can continue to transfer data in a safe and secure way."

Facebook has created a European Data Protection Board task force to consider how best to apply the CJEU ruling, and both the EU Commission and the US Department of Commerce are in talks to create an "enhanced" EU-US Privacy Shield. 

Facebook says it will continue to comply with the CJEU ruling "until we receive further guidance."
