The Wall Street Journal reported Sept. 9 that Ireland's Data Protection Commissioner has issued a preliminary order requiring Facebook to stop transferring user data to the U.S. The order, which the Journal attributed to anonymous sources described as "people familiar with the matter," follows the Court of Justice of the European Union's July ruling in the Schrems v. DPC case, in which the court struck down the Privacy Shield agreement between the EU and U.S., citing problems with U.S. surveillance policies as well as the lack of effective remedies for EU data subjects required under the EU General Data Protection Regulation.
While the DPC's preliminary order on its face looks like it could wildly disrupt data transfers for the myriad companies that, like Facebook, rely on lawful EU-to-U.S. data transfers to conduct business, some say the ruling doesn't deserve the visceral reaction Wednesday's headline seemed to elicit.
It's understandable that privacy professionals whose companies rely on EU-U.S. data transfers might take the DPC's preliminary order as a sign they should immediately forgo all sleep and meals to seek a more stable operational solution. But that's not the right takeaway, privacy experts told The Privacy Advisor.
Instead, the basic reaction from folks with corporate client interests in mind: What did you expect?
"This feels like one of those situations where you want to tell everyone in the room to take a moment, calm down, and think about the consequences of their actions," said Fieldfisher's Phil Lee, CIPP/E, CIPM, FIP. "Right now, much of the world has been watching and waiting to see what action the supervisory authorities will take in the wake of the 'Schrems II' ruling. Pending any enforcement, transfers are — albeit with more friction — largely continuing on a 'business-as-normal' basis."
Now, Lee concedes, that could change if DPAs start issuing penalties left and right over the legality of data transfers in the wake of the Privacy Shield's demise.
In that case, "the consequences could be seismic," he said. "Businesses will be trapped between a rock and a hard place — told they mustn’t export data unlawfully on the one hand, without having any meaningful regulatory solutions to enable lawful transfers on the other. In effect, it would be shutting U.S. companies, and wider international businesses, out of the EU market. How can any business operate in an internet world without data transfers? A Fortress Europe mentality is not what we need right now."
Miriam Wugmeister of Morrison & Foerster agrees with Lee's "take a deep breath" assessment. That's because, she said, the CJEU's ruling was pretty clear that EU companies need to start looking at the surveillance practices of the third countries to which they're aiming to send data, and the DPC's order maps to that.
"I'm not shocked by this" decision, she said. "I don't know that this means that DPAs all around Europe are all of a sudden going to start investigating companies and stop their data flows. I don't think those two things follow from each other."
Christopher Kuner, professor at the Brussels Privacy Hub and senior counsel at Wilson Sonsini Goodrich & Rosati, agrees with his unfazed peers.
"This action by the Irish DPC seems to be the logical consequence of the 'Schrems II' judgment since it was inevitable that the DPC would take enforcement action against Facebook following the judgment," he said. "I don’t think that privacy professionals should panic, since the case is specific to Facebook, and it will take some time before appeals are exhausted."
Wugmeister said the real conundrum for companies here, and one that's being overlooked, is twofold. First, the CJEU is telling companies, bolstered by the Irish DPC's order, that they must put supplemental measures in place to ensure data transferred under mechanisms that remain valid, such as standard contractual clauses, is adequately protected.
"Where’s the quick list of the supplemental measures?" she asked. "Crickets, right? There are real crickets. I definitely think companies should be evaluating how the two U.S. regimes' Executive Orders apply to them, and you need to be looking at other countries. That’s what the court said. What are the surveillance laws of the other countries where you’re trying to send data outside of Europe?"
She said doing that is a "phenomenally difficult" task to ask of small- or medium-sized companies in the EU. And she'd know because she's doing that grunt work on behalf of clients.
"If you're a European medium-size company and you share information with your service provider in India, how are you, a little French company, supposed to do an evaluation of the surveillance laws outside the EU? With what resources? It took the (CJEU) three years to do that just with the U.S.," and that was only because of the Snowden revelations, she said. What of countries that haven't had massive surreptitious reveals?
Wugmeister added that, second, while reactions to the CJEU ruling have started conversations along the lines of "what's a company to do?", the real pressure should be on governments on both sides of the Atlantic to come up with a political solution.
"To be totally candid, I think this is the part that’s kind of unfair about the (CJEU) decision. The (CJEU) basically said, 'The real problem here is not the agreement between companies; the real problem is with the government, it’s the surveillance.' But because the court has no jurisdiction over intelligence services, even in Europe, they didn’t say, 'OK, intelligence services, you need to change what you’re doing.' They put all the burden on the companies. How are the companies going to influence the intelligence services in the U.S. and Europe?"
Kuner doesn't totally agree with Wugmeister's assessment here.
"I don't think fairness enters into it. Companies make huge amounts of money on transferring data, and in the course of doing so may get entangled in conflicts between different legal regimes; that has been the case since time immemorial and is even more true now on the internet," he said. "Courts are supposed to apply the law, and that is what the ECJ did in Schrems II; the problem rests with governments around the world, which have proved unable to find a balance between security and privacy that can resolve these conflicts."
OK, but what about data silos? While Facebook has reportedly said it will now transfer data to the U.S. under another GDPR provision, Article 49, what if companies nervous about the legality of their transfers simply begin to silo data and store it locally in each geography?
Lee said that's the wrong move, because such silos simply don't work in practice.
"If you apply data export rules strictly, there can be no remote access to data outside of the region concerned — so the idea of utilizing offshore resource for development or customer support, whether for cost reasons or ensuring 24/7 coverage, goes out the window."
For its part, Facebook has responded to news of the preliminary order, reportedly sent to the company last month, with a post saying it welcomes ongoing talks between the EU and U.S. on an "enhanced" Privacy Shield framework aimed at securing cross-border data flows.
In the interim, the company's post reads, "Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure. We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance."
NOYB, the organization Max Schrems heads, issued a lengthy statement responding to the leaked order and taking issue with Facebook's new proposed data transfers under Article 49 of the GDPR.