The fate of Meta's data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland's Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision.
Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor.
"We haven't been able to resolve the objections raised on our draft decision and have to trigger the Article 65 process," DPC Deputy Commissioner, Head of Corporate Affairs, Media and Communications Graham Doyle said. "We have sent the file to the Secretariat, and once they've completed the administrative work on their end, the Article 65 process will be officially triggered."
The DPC originally sent the draft decision, which would have halted Meta from transferring personal data from the EU to the U.S. through its use of standard contractual clauses, to its EU counterparts in July 2022.
Meta said, if the DPC's original approach were taken, Meta-owned services Facebook and Instagram may be shuttered in the EU.
In July 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Framework and cast a shadow over the use of SCCs in what is commonly known as the "Schrems II" decision. In the wake of the CJEU decision, the DPC initiated an "own volition" inquiry under Ireland's Data Protection Act to consider whether Facebook's data transfers to the U.S. were legal.
With Shield's invalidation, many companies, including Meta, relied on SCCs to complete data transfers.
The dispute resolution procedure comes as the EU considers an adequacy decision for the EU-U.S. Data Privacy Framework. The DPF was negotiated in response to concerns raised by the CJEU in the "Schrems II" decision after it invalidated the EU-U.S. Privacy Shield. Between the EDPB's binding decision concluding the dispute resolution procedure and the European Commission's adequacy decision, it is not clear which will come first.
As part of the adequacy process, the EDPB still must issue its non-binding opinion on the agreement, the European Parliament can weigh in with a non-binding resolution and EU Member States must also consider the framework in what's called the "comitology procedure." IAPP Research & Insights Director Joe Jones discussed the process in a Twitter thread Thursday.
Jones noted the "quickest the EU has adopted adequacy was for the U.K. [which] started Feb. 19 and adequacy was adopted June 28. For that, there was an effective deadline of the end of June . . . this Meta case may provide a working deadline for the EU to adopt U.S. adequacy by [the] EU's process for Korea, [which] was mid-June to mid-December."
European Commission's Bruno Gencarelli discussed the adequacy timeline during the IAPP Data Protection Congress in Brussels in November. At the time, Gencarelli confirmed the six-month target for finalization, though no firm deadline was given.
"How long this process will take will depend very much on the different interactions we have to have with our institutional interlocuters," Gencarelli said. "With recent adequacy decisions, it took about four to six months. I'm sure there will be lively discussion . . . and this is important for (involved parties), so they'll probably (finish) sometime in the spring of next year."