Major decision on the legality of Facebook's EU-US data transfers is due to be adopted today
Reminder: Today is the deadline for the Meta's lead privacy regulator in Europe to adopt a final decision on a nearly decade-long complaint against Facebook's transfers of personal data from the EU to the U.S. that could see the company ordered to stop the flow of data.
The Irish Data Protection Commission (DPC) confirmed to TechCrunch it will adopt its final decision today.
However we understand there will be further delay (of just over a week) before the decision is made public. The date we've been told the order will officially be published is May 22 -- assuming details do not leak out beforehand.
The delay in publishing the adopted decision is because Meta will be given time to review the document to identify confidential and/or commercially sensitive info it may want redacted, we were told, and owing to a public holiday affecting another involved EU regulator.
The May 12th date for adoption of the DPC's final decision on the complaint follows a timetable set by a dispute resolution decision taken by the European Data Protection Board last month.
Applying mechanisms baked into the General Data Protection Regulation (GDPR), the Board stepped in to settle disagreement between a number of EU regulators over the substance of the decision -- taking a binding decision on Meta's transfers and giving the DPC one month to implement it.
We don't yet know what's been decided since the Board's dispute resolution decision has not been made public as we're waiting on the final DPC decision (which will implement it) -- so the fate of Facebook's European data flows still hangs in the balance.
That said, Meta is widely expected to be ordered to suspend data flows, given the company received a preliminary suspension order from the DPC, back in fall 2020.
At that time the company obtained a stay on the DPC's procedure which helped delay the GDPR enforcement timetable until the Irish courts dismissed Meta's challenge. Further delays kicked in later, when the DPC's draft decision on the case faced objections from other EU data protection authorities -- with those disputes settled finally by the EDPB's binding decision last month.
This means the regulatory process is at least running out of road (but expect Meta to challenge any suspension order in the Irish courts).
The company has continuously sought to play down the saga -- claiming in its last statement that it "relates to a historic conflict of EU and US law, which is in the process of being resolved". Which is a reference to a draft agreement between EU and U.S. lawmakers for a new high level transatlantic data transfer framework aimed at resolving the conflict between U.S. surveillance practices and EU data protection rights.
However this EU-U.S. Data Privacy Framework, as the agreement has been named, is still in the process of being reviewed by EU institutions which have raised concerns that it does not have strong enough safeguards. And, just this week lawmakers, in the European Parliament reiterated a call for the Commission to take more time to improve the proposal -- suggesting there could be further delays in adoption of an agreement Meta appears to be banking on to save its data transfers bacon.
While the data suspension question is the headline issue for this GDPR case, other major elements to look out for in Ireland's final decision later this month include whether or not Meta will be ordered to delete European users data if it's found to have been unlawfully transferred to the U.S.
Back in March, MLex reported that at least two data protection authorities were pushing for that -- and that Meta was lobbying EU institutions against any such move.
Add to that, leaked internal documents last year suggested the tech giant's data management practices are, to put it politely, a mess. So how easily Meta could identify and isolate European users' data, if ordered to delete it, is one big (expensive) consideration/complication.
Why is this such a huge deal? Well as a reminder, we've recently learned in federal court discovery that Facebook appears to have no way to retroactively fully purge users' data. They said it will take as much as a year to pull all data for a user. This leaked doc got to it. 2/4 pic.twitter.com/g9kTTsYklY
— Jason Kint (@jason_kint) May 11, 2023
Meta could also of course be issued with a fine if it's found to have unlawfully transferred data.
The GDPR allows for penalties of up to 4% of global annual turnover, although -- to date -- Meta has had considerable success at being fined far less than the theoretical maximum.
Privacy rights advocacy group, noyb -- whose founder, Max Schrems, is behind the complaint against Facebook's EU-U.S. data flows -- wrote to the EDPB in January to complain over the size of a fine the DPC hit it with at the start of this year, over unlawful ads data processing, arguing the €390 million penalty was paltry vs the scale of the infringements (in fact he suggested it fell short by more than €3.5 billion).
Ireland had actually proposed a far lower level of fine for that breach -- of between €28 million to €36 million -- but the regulator was forced to increase it in order to implement the EDPB's binding decision.
Without that Board intervention Meta would have faced even weaker GDPR enforcement for unlawfully processing millions of Europeans' personal data for behavioral advertising. So it will be interesting to see what level of penalty (if any) is included in Ireland's final decision on Facebook's data transfers.
That said, financial penalties imposed on tech giants are typically less interesting than operational orders which have the chance to force changes to abusive business models. And while Meta is still data-mining European users for behavioral ad targeting it was at least forced to offer an opt out as a result of the aforementioned GDPR enforcement. Something it has never offered before.
How Meta might be forced to amend its business model to fix unlawful transatlantic data transfers is an open question.
But there's no doubt it will throw everything it's got at fighting any order to suspend in the courts so it may well find a way to delay having to for act long enough for the goalposts to be moved by the arrival of a new U.S. data adequacy agreement.
If not, the costs will be real.
In an earnings call with investors last month the company admitted that an order to suspend data flows from Europe could hit 10% of its global ad revenue.
Obviously it's hoping it does not come to that -- and banking on the new EU-U.S. data transfer mechanism being adopted just in the nick of time. (A company spokesman declined to discuss contingencies if it is ordered to suspend data flows, pointing back to the "progress" policymakers have made towards a new pact.)
But even if the high level deal arrives soon enough to prevent a Facebook shut down in Europe from happening this year, Schrems suggests the new high level framework is "likely" to be struck down by the bloc's top court, as the two predecessor arrangements were -- so he estimates Meta would only buy itself another "two years or so" before the issue rears its head again.
For a longer term solution, he has suggested Meta will need to federate Facebook's infrastructure. But such a major retooling of its business would obviously be very expensive too.