Facebook will be forced to stop moving data from its European users to the United States as early as next month after Ireland’s data protection watchdog told the social networking giant that its current means of transferring digital information across the Atlantic is illegal.
The company still has a few weeks to appeal the preliminary ruling. But the decision deals a blow to billions of euros in digital trade annually between two of the world’s largest trading blocs. The moratorium on Facebook’s data transfers to the U.S. will also likely apply to other companies that regularly move such digital information from Europe to outside the bloc.
For Facebook users in Europe, the pending decision could allow them greater security that their data is not collected by U.S. intelligence agencies, and their use of the world’s largest social network is not likely to be affected — at least in the short term. Yet questions remained about how their data will be handled when they interact with other users outside the 27-country bloc, say, sending a friend request or Instagram comment to a friend or family member in the U.S.
Ireland’s move also represents a victory for a years-long campaign by privacy activists who claim that U.S. national security agencies play fast and loose with data from non-American citizens when it’s moved to the U.S. by companies like Facebook and Google. Washington denies those allegations.
But as with everything to do with Europe’s privacy regime, things are a little complicated. Here’s what you need to know:
1. Data transfers will continue, but for how long?
Facebook is adamant that its data transfers are legal. In a statement, Nick Clegg, the company’s chief lobbyist, said: “We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”
The company currently uses so-called standard contractual clauses, or complex legal mechanisms, to move data across the Atlantic. After Ireland raised concerns about these clauses in the wake of the July judgment from Europe’s highest court, the company said it had added additional safeguards like data encryption to comply with the region’s privacy standards. Facebook says such changes mean it can still use these data-transfer mechanisms to send information to the U.S.
But Ireland’s privacy regulator has told the company the use of such clauses is still illegal because of the lack of privacy protections in the U.S. as outlined by Europe’s highest court. Facebook disagrees, saying Europe’s data protection agencies must offer guidance on how these clauses can be tweaked to comply with EU privacy law.
2. Privacy campaigner not happy
Strangely, Max Schrems, the Austrian privacy lawyer who brought the initial complaint in Ireland against Facebook, is not a happy man.
After Facebook publicly confirmed Dublin’s preliminary decision to outlaw its transatlantic data transfers, he published a series of documents alleging the company was trying to find alternatives to keep moving digital information to the U.S. Schrems also claimed that Ireland’s Data Protection Commissioner was not investigating Facebook’s new data-transfer arrangements, but did not provide concrete evidence to prove that assertion.
3. First Facebook, second everyone else
Other companies are keeping a close eye on what happens with the social network’s data transfers because many are also reliant on standard contractual clauses to move digital information from Europe to the U.S. and elsewhere.
If Dublin’s preliminary decision against Facebook is approved, it will set a precedent and force tech giants like Google and smaller firms across the region to reconsider how they move digital information to the U.S.
4. Keeping data in Europe looks more and more alluring
Though data transfers out of Europe haven’t themselves been banned, the insistence by Europe’s highest court that they involve “supplementary measures,” and assessment of destination countries’ data protection regimes has had companies and regulators alike scratching their heads.
So far, talk of additional safeguards has revolved mostly around encryption, but there are question marks over whether this would really halt U.S. snooping in practice.
A once-taboo option that is gaining traction is to halt transfers altogether and to keep data in Europe.
5. Another transatlantic data deal looks unlikely (for now)
Both Europe and the U.S. were quick to the negotiating table following the annulment of the Privacy Shield. A joint press release in July from EU justice chief Didier Reynders and U.S. Secretary of Commerce Wilbur Ross said that they were working toward an “enhanced” data-sharing deal.
But that may be a long time coming, if at all.
Any deal that does not significantly bolster the protection of European’s data from U.S. snooping is likely to get struck down in court. Reynders, the EU official, has said that a new deal may need “legislative changes” from the U.S. to avoid further legal uncertainty.
Global Repository for Internet Studies is focused on creating a social enterprise platform that builds innovation and technological support systems and advocates rights in order to improve youth livelihoods in Africa.