clock menu more-arrow no yes

Filed under:

Facebook appealing order by Ireland’s privacy regulator that could halt EU-US data transfers

The social media company considers Ireland’s move premature

Illustration by Alex Castro / The Verge

Facebook is appealing a preliminary order from the Irish Data Protection Commission (IDPC) that the social media company says would require it to stop data transfers between the US and the European Union, Bloomberg reported.

“A lack of safe, secure and legal international data transfers would have damaging consequences for the European economy,” Facebook said in a statement to The Verge on Friday. “We urge regulators to adopt a pragmatic and proportionate approach until a sustainable long-term solution can be reached.”

The IDPC sent a preliminary order to Facebook last month directing the company to suspend data transfers to the US about EU users, The Wall Street Journal reported this week. The order is the first attempt by an EU regulator to enforce a surprise ruling in July by the EU’s Court of Justice, which invalidated Privacy Shield, a data-sharing protocol that allowed American companies to transfer personal information about EU citizens to the US for processing.

The EU court said in its July judgment that Privacy Shield doesn’t protect EU citizens from US intelligence agencies’ mass surveillance programs. However, the court upheld data transfer under standard contractual clauses, or SCCs. By contrast, Facebook says the IDPC order means SCCs “cannot in practice be used for EU-US data transfers,” according to a September 9th blog post by vice president of global affairs Nick Clegg.

SCCs are a widely used protocol for international data transfers, and they are used not only by big tech firms like Facebook and Microsoft but by banks, tech giants, airlines, and other companies as well. Clegg added in his post that the effects of the IDPC’s decision would have a “far reaching effect on businesses that rely on SCCs.”

The goal of the preliminary order is to make sure EU residents’ data isn’t stored or processed on American soil, where it could be subject to American surveillance programs. But Facebook argues it could have unpredictable results and would create practical problems for their operations in the EU. It could also signal broader privacy actions that would have wider-ranging effects for American social media companies operating in Europe.

Facebook is seeking a judicial review of the latest IDPC process since it argues the watchdog acted prematurely by issuing its conclusion ahead of expected regulatory guidance from the European Data Protection Board.

Failure to comply with the Irish preliminary order could mean fines of up to 4 percent of Facebook’s annual revenue, according to the WSJ, roughly $2.8 billion.