The social media giant could be forced to suspend trans-Atlantic data flows following a Friday court ruling that allowed Ireland’s data privacy watchdog to move forward with its review of the legality of Facebook’s handling of personal data on Europeans. Ireland’s High Court rejected Facebook’s complaints about the process the watchdog followed, setting up a potentially longer battle over the inquiry’s outcome.
The ruling comes after U.S. and European Union officials stepped up talks to resolve concerns that an EU court previously raised over privacy protections for trans-Atlantic data flows. It puts pressure on negotiators to push forward, according to Caitlin Fennessy. Now the research director at the International Association of Privacy Professionals, Fennessy previously served as U.S. director for the EU-U.S. Privacy Shield, formerly one of the main mechanisms governing data transfers from the EU to the U.S.
“The way in which this plays out will have much broader global implications,” she said of the Facebook case.
The case is being closely watched by other companies that process data on European citizens, especially other tech giants that are, like Facebook, subject to enforcement from Ireland’s Data Protection Commission and face hefty fines from European data regulators. Companies could be forced to follow in Microsoft Corp.'s footsteps and handle data in data centers local to Europe, though Facebook has said in the past that interconnected information on its platform can’t be easily split into “regional silos.”
“Companies and privacy professionals around the world are watching this play out and are so aware that everyone is proceeding around huge uncertainty,” Fennessy said.
The Facebook case is related to a larger legal battle over the Privacy Shield. Companies that must comply with European privacy rules have faced uncertainty since a July court ruling struck down the mechanism. The EU Court of Justice cited concerns that European citizens’ data would be subject to U.S. government surveillance.
The latest ruling in the Facebook case comes after U.S. Commerce Secretary Gina Raimondo and EU Justice Commissioner Didier Reynders said in a joint statement in March that their governments agreed to “intensify” negotiations on the Privacy Shield. Representatives for Raimondo and Reynders didn’t immediately respond to requests for comment on whether the ruling adds more urgency to the talks.
The ruling, while procedural, lets the Irish Data Protection Commission finalize a decision on the legality of Facebook’s EU-U.S. data transfers. The case stems from a 2013 complaint that privacy activist Max Schrems brought following revelations about U.S. surveillance practices that allow personal data to be shared with the government. Schrems said in a statement that he expects the Irish regulator to issue a decision stopping Facebook’s data transfers soon.
The privacy watchdog’s decision “could be damaging not only to Facebook, but also to users and other businesses,” according to a company statement.
“It speeds up the case and therefore puts more pressure on data transfers,” Aaron Cooper, vice president of global policy at BSA, a software industry group, said of the Irish court ruling. Cooper said the group’s members are putting in place added safeguards such as encryption in response to policy uncertainty around data flows.
The ruling could ramp up efforts to implement such safeguards as European officials finalize guidance on alternative ways to comply with the bloc’s data rules in the wake of the Privacy Shield’s invalidation.
“It’s another marker that will lead to more interest on both sides of the Atlantic to find an agreement,” he said of the Irish ruling.