A cross-border data transfer mechanism, deemed valid by the Court of Justice of the European Union (CJEU), can't be used in the case of Facebook, Ireland's Data Protection Commission has ruled.
According to Facebook, a lack of safe, secure, and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU.
The Standard Contractual Clauses (SCCs), the alternative legal mechanism for transferring data from the EU to a third country, continue to be valid, according to the CJEU.
“Like many other businesses, Facebook relies on SCCs to transfer data to countries outside the EU, including to the United States,” Nick Clegg, VP of Global Affairs and Communications, said in a blog post on Wednesday.
Since the CJEU’s ruling in July, Facebook has been working hard to follow the steps set out by the Court to ensure that it can continue to transfer data in a safe and secure way.
The Irish IDPC has commenced an inquiry into Facebook-controlled EU-US data transfers, and “has suggested that SCCs cannot in practice be used for EU-US data transfers”.
“While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on,” Clegg said.
In July, the CJEU invalidated the EU-US Privacy Shield, a legal framework regulating transfers of personal data from the EU to the US.
At the same time, the CJEU stated that SCCs continue to be valid.
“But the rationale in invalidating Privacy Shield has nonetheless created significant uncertainty – not just for US tech companies, or even for all the European businesses who rely on online services to reach new customers, but for all European businesses with transatlantic data flows,” Clegg commented.
The CJEU invalidated the Privacy Shield mechanism for transferring data between the EU and the US, due to concerns over US national security laws.
Before the ruling, more than 5,000 companies relied on Privacy Shield.
“Although the court also ruled that SCCs remain valid (providing the data exporter puts in place appropriate safeguards to ensure a high level of protection for data subjects), its rationale in invalidating Privacy Shield has prompted a discussion around businesses’ reliance on SCCs,” Facebook said.
The impact would be felt by businesses large and small, across multiple sectors.
In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider.
“A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call center in Morocco,” Clegg said.
The effects would reach beyond the business world, and could impact critical public services such as health and education.
Ireland’s COVID Tracking App states, in its terms, that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the US.
“Facebook, therefore, welcomes the efforts already underway between EU and US lawmakers to evaluate the potential for an ‘enhanced’ EU-US framework – a Privacy Shield Plus,” Clegg noted.