Schrems II: Facebook won’t like what Ireland has just done

In the aftermath of the judgment of the Court of Justice of the European Union (CJEU) ruling over the invalidity of the Privacy Shield, it was just a matter of time until a move from one of the EU data protection authorities was taken. Indeed, until today, only the Baden-Württemberg Commissioner for Data Protection and Freedom of Information had issued a guidance note related to the matter.

Despite the fact that the CJEU’s wording was clear in stating that (a) the invalidity of the Privacy Shield was effective immediately and (b) the legal bases for data transfer to the US were Standard Contractual Clauses (SCCs) with the requirement of additional language providing for further security measures to be implemented, and despite the fact that for over a month EU companies and US service providers issued statements saying that the matter of compliance was under their attention, nothing really happened. Until yesterday. 

According to the Wall Street Journal, the Irish Data Protection Authority sent a preliminary order to Facebook aimed at requesting the suspension of the transfer of personal data of EU citizens to the US. Besides the risk that Facebook might be subject to a (very) conspicuous fine, it is undeniable that the results and the countermeasures that will be adopted by either party will be seen with great interest and attention from EU companies and US service providers, since, as of today, neither the EU or national data protection authorities had clarified concretely how EU companies should act as data controllers.

Facebook and most other US service providers and social networks’ position was further complicated two days ago, when the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland (where a system similar to the one of the Commission’s adequacy decisions is implemented, pursuant to which the transfer of personal data might occur without any special safeguards) stated that the words “Adequate level of protection under certain circumstances” had to be removed for the US in the FDPIC’s list of countries benefitting from the Swiss adequacy transfer system.

Essentially, data protection authorities appear to be seriously throwing down the gauntlet to US tech companies after the issuing of the CJEU’s ruling. European parties, left scrambling as the bloc does not yet have homegrown alternatives to the American providers, can’t do much else done beyond contacting their service providers with inquiries about the state of adjustment of their policies.


Read more on the topic:

Part I

Part II

Photo by Mika Baumeister