Facebook has been ordered to bring and end to its practice of sharing personal data transfer from Ireland to its databases located in the United States, following the issuing of a preliminary order by Ireland’s Data Protection Commission (DPC).
In July the European Union Court issued the Schrem II ruling in July, stating that the General Data Protection Regulation is being violated when any personal data is shared outside of the EU if the destination does not have the same data protection legal provisions in place to guarantee protection. As data being sent to US may be monitored by US authorities, the ruling means that this can no longer be carried out.
Facebook have been given until the end of September to make any case against order issued by the DPC to being an end to this activity. Following this, GDPR fines of up to 4% of global annual revenue for the previous financial year can be applied for illegally sending personal data transfer from Ireland to the United States. This would represent a huge fine for Facebook as the group reported global revenue of $70.7bn for 2019 meaning that a fine of 4% would be €2.9bn.
A statement was released following the trial in July by Facebook VP of global affairs and communications and former British politician Nick Clegg saying: “The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
He added that the EU ruling “would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19. The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider.”
Also responding to the ruling Andrea Jelinek, chair of the European Data Protection Board (EDPB) commented: “The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility… We will prepare recommendations to support controllers and processors regarding their duty in identifying and implementing appropriate supplementary measures of a legal, technical and organizational nature to meet the essential equivalence standard when transferring personal data to third countries. However, the implications of the judgment are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick-fix solution. Each organization will need to evaluate its own data processing operations and transfers and take appropriate measures.”