The Irish privacy watchdog DPC may continue to investigate Facebook data exchange between Europe and the US. The watchdog wants to stop these data transfers because the standard contractual clause under which data protection is regulated would not be sufficient.
The Irish Data Protection Commission ruled in 2020 that Facebook’s transfer of European user data to servers in the United States should stop due to an illegal declaration of the Privacy Shield treaty. That would not provide sufficient protection against disproportionate surveillance by US authorities.
After that assessment, only the so-called standard contractual clauses remained; the legality of such a clause varies on a case-by-case basis and depends on whether effective mechanisms are in place to ensure that the level of data protection desired by the EU is met. The Irish privacy watchdog doesn’t think so. Facebook appealed the order, which resulted in a postponement of the proceedings until now.
Following the judgment of the Irish High Court, the Data Protection Commission can resume its work. The watchdog must complete its investigation and the resulting suspension order, and the latter must also be approved by other privacy protectors in the EU. This could take months, and in that time there is still the possibility for Facebook to challenge the procedure further, writes The Wall Street Journal, among others.
Should the standard contractual clause for Facebook be declared invalid, the company may no longer store data of European users on American territory. That means bringing the data back to Europe or suspending services to Europeans. A new legal framework for data exchange between the two continents would solve this problem, but that is not the case at the moment.
Much depends on the procedure, as it could create a precedent that would have huge effects on numerous companies exchanging data between the two continents. Facebook is dealing with the Irish Data Protector because the company has its headquarters in that country.