Reminder: Today is the deadline for Europe’s leading Meta privacy regulator to make a final decision on a nearly decade-long complaint against Facebook’s transfer of personal data from the EU to the US, which could direct the company to stop data flow.
The Irish Data Protection Commission (DPC) has confirmed to TechCrunch that it will make its final decision today.
However, we understand that there will be further delays (of just over a week) before the decision is made public. The date we’re told the order will be officially published is May 22 – assuming details don’t leak ahead of time.
The delay in publishing the adopted decision is because Meta is given time to review the document to identify confidential and/or commercially sensitive information that may need redaction, we were told, and because of a public holiday that affected another concerned EU regulator.
The May 12 date for approval of the DPC’s final decision on the complaint follows a timetable established by a dispute resolution decision made by the European Data Protection Board last month.
Applying mechanisms baked into the General Data Protection Regulation (GDPR), the board stepped in to settle disagreements among a number of EU regulators over the substance of the decision – making a binding decision on Meta’s transfers and the DPC one month give it time to do it.
We don’t know what has been decided yet as the council’s dispute resolution decision has not been made public as we wait for the final DPC decision (which it will implement) – so the fate of Facebook’s European data streams still stands at stake .
That said, it is widely expected that Meta will be ordered to suspend data flows given tThe company received a preliminary suspension order from the DPC in the fall of 2020.
At the time, the company was granted a stay of its DPC proceedings, delaying its GDPR enforcement timetable until the Irish courts rejected Meta’s challenge. Further delays started later, when the DPA’s draft decision on the case was met with objections from other EU DPAs — with those disputes finally settled by the binding decision of the EDPB last month.
This means the regulatory process will at least run its course (but expect Meta to challenge any suspension order in the Irish courts).
The company has continually attempted to downplay the saga, claiming in its latest statement that it “relates to a historic conflict between EU and US law, which is currently being resolved.” This is a reference to a draft agreement between EU and US legislators for a new framework for high-level transatlantic data transfers, aimed at resolving the conflict between US surveillance practices and EU data protection rights.
However, this EU-US data privacy framework, as the agreement has been dubbed, is still under review by EU institutions who have expressed concerns that it does not provide sufficient safeguards. And, just this week, lawmakers in the European Parliament reiterated a call to the Commission to take more time to improve the proposal – suggesting there could be further delays in passing an agreement that Meta appears to be counting on to save its data transfer bacon.
While the data suspension issue is the most important issue for this GDPR case, oother key elements to look out for in Ireland’s final decision later this month include whether or not Meta will be ordered to delete data from European users if it is found to have been unlawfully transferred to the US.
Back in March, Mlex reported that at least two data protection authorities pushed for it – and that Meta lobbied EU institutions against such a move.
Add to that the fact that leaked internal documents from last year suggested that the tech giant’s data management practices are, to put it politely, a mess. So how easily Meta can identify and isolate European users’ data, if told to delete it, is one big (expensive) consideration/complication.
Meta can of course also be fined if it turns out that it has transferred data unlawfully.
The GDPR allows fines of up to 4% of global annual revenue, although Meta has had significant success so far with fines well below the theoretical maximum.
The privacy rights advocacy group, noyb – whose founder, Max Schrems, is behind the complaint against Facebook’s EU-US data flows – wrote to the EDPB in January to complain about the size of a fine the DPC had to pay early this years, over unlawful processing of advertising data, arguing that the €390 million fine was meager compared to the size of the breaches (he even suggested it was more than €3.5 billion short).
Ireland had actually proposed a much lower fine for that breach – of between €28 million and €36 million – but the regulator was forced to increase it in order to implement the EDPB’s binding decision.
Without that board intervention, Meta would have faced even weaker GDPR enforcement for illegally processing millions of personal data of Europeans for behavioral advertising. So it will be interesting to see what level of fine (if any) is included in Ireland’s final decision on Facebook’s data transfer.
That said, financial sanctions imposed on tech giants tend to be less interesting than operational orders that have the potential to force changes to abusive business models. And while Meta is still data mining European users for behavioral ad targeting, it was at least forced to offer an opt-out as a result of the aforementioned GDPR enforcement. Something it has never offered before.
How Meta could be forced to adjust its business model to resolve illicit transatlantic data transfers is an open question.
But there’s no doubt it will make every effort to challenge any suspension order in court, so it could well be a way to delay the action long enough for the goalposts to be moved by the arrival of a new US data adequacy agreement. .
If not, the costs are real.
In an earnings call with investors last month, the company admitted that an order to suspend data flows from Europe could boost 10% of its global advertising revenue.
It clearly hopes it doesn’t come to that – and counts on the new EU-US data transfer mechanism being adopted just in time. (A company spokesperson declined to discuss contingencies if it is ordered to suspend data flows, citing the “progress” policymakers have made toward a new pact.)
But even if the high-level deal comes soon enough to prevent Facebook from shutting down in Europe this year, Schrems suggests the new high-level framework will “likely” be struck down by the bloc’s top court, as the previous two arrangements were – so he estimates that Meta would only buy itself “about two more years” before the problem rears its ugly head again.
For a longer term solution, he has suggested that Meta should federate Facebook’s infrastructure. But such a radical adjustment of his company would of course also be very expensive.
