Our mission to help you navigate the new normal is fueled by subscribers. To enjoy unlimited access to our journalism, subscribe today.
A slow-motion train wreck has been unfolding over the last half-decade in the wonkish but fundamental field of data privacy, as one Facebook user’s crusade against U.S. surveillance practices has slowly closed off the American tech industry’s legal options for importing European users’ personal information.
Now, it looks like the moment of impact is finally about to arrive, leaving Big Tech unable to process European users’ data in the U.S.
Facebook said Wednesday that the Irish privacy regulator (which governs all of Facebook’s European activities) has “suggested” it will no longer be able to use the legal mechanism it currently uses to make Europe-to-U.S. transfers of personal data—that is, any data that can be connected with an identifiable person in Europe, from names and email addresses to photos and comments.
This followed a Wall Street Journal report that said the watchdog had hit Facebook with “a preliminary order to suspend data transfers to the U.S. about its EU users.”
The EU’s top court ruled a couple months ago that the legal mechanism, known as “standard contractual clauses” or SCCs, is in principle legally valid. However, it said the use of SCCs can be invalidated by privacy regulators in cases where Europeans’ data is made vulnerable by sending it to a country without good privacy protections.
It was always clear that this was likely to affect transfers to the U.S., because the same ruling—by the Court of Justice of the EU (CJEU)—struck down a separate, specifically U.S.-EU arrangement called Privacy Shield, which gave companies a simpler and cheaper way to keep their trans-Atlantic transfers legal.
The court’s reasoning was that U.S. surveillance laws make it impossible for Big Tech to keep Europeans’ data out of the hands of U.S. intelligence agencies. The same problem applies whatever legal mechanism companies are using for those transfers.
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-U.S. data transfers, and has suggested that SCCs cannot in practice be used for EU-U.S. data transfers,” Facebook’s chief lobbyist, the former U.K. deputy prime minister Nick Clegg, wrote in a Wednesday blog post. “While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
Clegg argued that “a lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU,” because they will no longer be able to use U.S.-based cloud providers to process their customers’ data.
He even suggested the end of U.S.-oriented SCCs would impact email platforms that service European universities and hospitals. This is a questionable claim, because EU privacy law allows data transfers to anywhere as long as they are “necessary” to fulfil the contract between the user and provider—and the processing of emails is pretty …read more