Earlier this week it was reported that the Irish Data Protection Commission had taken action to temporarily suspend data transfers from the EU to the US by Facebook. It has now been reported that Facebook is challenging that decision in the Irish Courts by way of judicial review proceedings.
Following the European Court of Justice invalidating the Privacy Shield agreement between the EU and the US, Facebook decided to switch its transfer mechanism to standard contractual clauses (SCCs). The judgment of the ECJ in Schrems II approved of the SCCs, but made it clear that simply relying upon SCCs was not enough. The effect of the Schrems II decision is that supervisory authorities are required to suspend or prohibit transfers of personal data made in reliance on standard contractual clauses where they are not being complied with or are incapable of being complied with.
There was always going to be some doubt about whether SCCs were an effective alternative to Privacy Shield, because the same issues that resulted in the invalidation of Privacy Shield exist in relation to transfers to the US utilising SCCs. The Irish DPC appears to have taken a preliminary view, which cannot be a favourable one given the action it has taken.
Little is known at this stage about the basis of Facebook’s judicial review; more on this will likely come to light as matters progress before the courts in Ireland. This is a case that anyone involved in international transfers of personal data should keep an eye on; the Irish Courts may apply some gloss onto the additional layers that may need to be added to SCCs in order to make them effective in particular situations.
The ability to order a controller to stop processing personal data (in whole or in part) is probably the most overlooked of the powers that supervisory authorities have; the impact of such orders can be more immediate and painful to controllers than an administrative fine. If the preliminary decision by the Irish Data Protection Commission survives judicial review, then the implications for Facebook (and other companies that rely significantly on international transfers of personal data to third countries) could be significant.