Ireland’s data watchdog is to consult with fellow EU regulators in April over Meta’s Facebook data transfers to the United States
Ireland’s data protection watchdog has provided an update into its efforts to gain a data transfer agreement in place for Facebook parent Meta.
Ireland’s Data Protection Commission (DPC) has been working on a data transfer agreement ever since July 2020, but Facebook’s patience with this process seems to be wearing thin.
Earlier this month, Meta buried a warning in its annual report that if it is not allowed to transfer, store and process European user data on US-based servers, it could shut down Facebook and Instagram in Europe.
The issue of transferring European user data to American servers has long been a bug bear for the European Commission and privacy campaigners.
Data used to be transferred to the US under the Safe Habour agreement, but the European Court of Justice in 2015 suspended the original Safe Harbour agreement.
It was suspended in the wake of the Edward Snowden revelations about the scale of US and its NSA agency spying on friends and allies.
The Privacy Shield (or Safe Harbour 2.0) was then drafted, but the United States and the European Union were forced to change it after an initial agreement submitted in February 2016 was rejected by European Watchdogs for not being robust enough.
The two sides then agreed to stricter rules for American companies holding information on Europeans and clearer limits on US surveillance. And this reworked Privacy Shield agreement was then approved by EU member states and adopted in July 2016.
The European Commission’s Privacy Shield data framework replaced the EU-US Safe Harbour deal which had been in place since 2000, but right from the start it proved controversial with ongoing concerns about US spying.
The Privacy Shield had been designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules.
Then in July 2020 the European Court of Justice struck down the transatlantic data transfer deal.
That promoted Ireland’s DPC to issue a provisional order that the mechanism Facebook uses to transfer data from European Union users to the United States “cannot in practice be used.”
The order was frozen following a challenge by Facebook in the Irish High Court but resumed last May when the court dismissed Facebook’s claims.
Since then, the EU and the US have been working on a new or updated version of the treaty.
It is understood that in addition to the Privacy Shield, Meta also uses so-called model agreements, or Standard Contractual Clauses, as the primary legal basis for processing data from European users on American servers.
These model agreements are equally under scrutiny in Brussels and other parts of the EU.
The Irish data protection watchdog has been acting in the lead role here, due to the fact that Meta’s European headquarters are based in Ireland.
Reuters on Tuesday quoted the DPC as saying that it expects to consult fellow EU regulators in April on its investigation into Facebook’s data transfers.
The DPC has issued its revised preliminary decision on Monday, which Meta Platforms has 28 days to respond to.
Under EU data protection rules, the DPC must then share the ruling with all concerned EU supervisory authorities and consider their views before issuing a final verdict.
A DPC spokesperson told Reuters that they anticipated the revised findings would be shared with other EU regulators in April.
“Suspending data transfers would be damaging not only to the millions of people, charities, and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service,” she said.
“A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected,” she reportedly said.