- Ireland’s Data Protection Commission has reportedly sent Facebook a preliminary order to stop transferring user data from the EU to the U.S.
- The DPC could fine Facebook up to 4% of its annual revenue, or $2.8 billion if it failed to comply.
- It comes just a few months after the European Court of Justice ruled the data transfer standard between the EU and the U.S. doesn’t adequately protect European citizen’s privacy.
LONDON — Ireland’s data regulator has sent Facebook a preliminary order to stop transferring user data from the EU to the U.S., according to a report from The Wall Street Journal, citing sources familiar with the matter.
The preliminary order was sent to Facebook by Ireland’s Data Protection Commission in August, according to the report. CNBC has not been able to independently verify these sources.
Facebook declined to comment on the article when contacted by CNBC on Thursday. But, it referred to a blog post published Wednesday that states the DPC has started an inquiry into Facebook’s EU-U.S. data transfers. The post is authored by Nick Clegg, Facebook’s vice president of global affairs and communications.
The DPC also declined to comment.
The report comes just a few months after the European Court of Justice ruled the data transfer standard between the EU and the U.S. doesn’t adequately protect European citizen’s privacy.
The court, the EU’s highest legal authority, restricted how U.S. firms could send European user data to the U.S. after concluding EU citizens had no eﬀective way to challenge American government surveillance. U.S. agencies such as the NSA can theoretically ask internet companies like Facebook and Google to hand over data on an EU citizen and that EU citizen would be none-the-wiser.
The ECJ ruling came after Austrian privacy activist Max Schrems filed a law suit in light of the Edward Snowden revelations arguing that U.S. law did not offer sufficient protection against surveillance by public authorities. Schrems raised the complaint against Facebook which, like many other firms, was transferring his and other user data to the U.S.
The court ruling invalidated the EU-U.S. Privacy Shield agreement, which enabled firms to send EU citizen’s data across the Atlantic. As a result, companies have had to rely on Standard Contractual Clauses or SCCs.
Clegg, the former deputy prime minister of the U.K., wrote in a blog post: “The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers.”
He added: “While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
If SCCs can’t be used as the legal basis for transferring data, Facebook would have to silo off the majority of the data it collects on European users. The DPC could fine Facebook up to 4% of its annual revenue, or $2.8 billion if it failed to comply.
While this order applies to Facebook, the DPC could also issue similar orders to other U.S. tech giants, potentially wreaking havoc on their businesses.
Clegg goes on to argue that the global economy would suffer if data couldn’t be sent across borders. “A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19,” he writes. “The impact would be felt by businesses large and small, across multiple sectors.”
“Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure, and we will continue to transfer data in compliance with the recent European Court ruling and until we receive further guidance. Businesses need clear, global rules to protect transatlantic data flows over the long term.”
— CNBC’s Silvia Amaro contributed to this article.