In the wake of the decision made by the European Court of Justice (ECJ) on the validity of the mechanisms to transfer personal data outside of the EU, the Data Protection Commissioner (DPC) has launched an investigation into how Facebook transfers the personal data of its European users to the United States.
The DPC revealed late last month that it had arrived at a draft preliminary decision that data transfers outside of the EU by Facebook should be suspended as the methods used to transfer the data fail to guarantee a level of protection to data subjects equivalent to those provided for in EU law.
Under the General Data Protection Regulation 2016/679 (the GDPR), the transfer of personal data outside of the EU is prohibited unless certain limited circumstances apply; such as if the consent from the data subject was received or if the transfer of data was necessary for the performance of a contract with the individual.
The prohibition on transferring data was implemented as European citizens have a right to have their personal data protected, and it was found that outside of the EU, generally, a lower standard of protection on personal data was accepted. For example, in the US, a citizen’s constitutional right to privacy is limited by national security interests.
Previously, there were three main methods relied upon by corporations for the transfer of data outside of the EU:
- Binding Corporate Rules (BCRs):
- This allows the transfer of data within a company group where the companies have binding rules in place which for the protection of data throughout the organization and these rules have been approved by a data regulator in the EU.
- The Privacy Shield:
- This permitted the transfer of data to certain US companies who were deemed to have an adequate level of protection for personal data and were signatories to the Privacy Shield.
- In July 2020 in what became known as “Schrems II”, the ECJ ruled that the Privacy Shield was invalid and could not be used to transfer personal data outside of the EU.
- Click here to read our full analysis on the Schrems II case.
- Standard Contractual Clauses (SCC):
- Data controllers are currently able to transfer data outside of the EU by ensuring they have an agreement in place with the data processor or non-EU data controller which includes the standard contractual clauses.
- These model clauses are very detailed and may be used as a stand-alone document or as part of a wider agreement.
- Neither party to the agreement may materially amend the clauses, and if they wish to do so, it will require regulatory approval.
- It should be noted that an EU processor may not rely upon the SCC’s when transferring data to a non-EU processor. The SCCs must be signed directly by the data controller.
The DPC’s investigation into Facebook concerned their use of SCCs and the standard of protection this afforded Facebook’s EU users. While deemed valid by the ECJ in Schrems II, it was determined that organisers must take a proactive role in evaluating whether there is adequate protection when relying on SCCs. The data controller must also verify the existence of appropriate safeguards.
Since the announcement of the DPC’s preliminary decision, Facebook has launched High Court proceedings to judicially review the DPC’s decision making process. Counsel for Facebook stated that it has not be afforded fair procedures nor provided sufficient time to respond to the DPC’s investigation. Facebook has 400 million European users and 25 million businesses in Europe use apps under Facebook’s control. The matter will next be before the court in November.
About the author: Katie Oakes
For more informationFacebook or advice on this impact of this case, or any other commercial law queries, please contact Katie Oakes, solicitor on the Corporate and Commercial Team, at [email protected]; Grìana O’Kelly, Head of Corporate and Commercial at [email protected] or call 01 644 5800.