The Irish data protection authority has asked Facebook to stop the transfer of personal data from EU citizens to the USA. The Wall Street Journal reports (Paywall) citing persons who are familiar with the matter. The preliminary order was issued to the social network by the Irish Data Protection Authority (DPC) last August. The background to this is a decision by the European Court of Justice (ECJ) on data transfer to the USA.
On July 16, 2020, the court declared the data protection agreement between the EU and the USA, the so-called Privacy Shield, to be inadmissible. According to the judgment, the Privacy Shield is not sufficient as a basis for transferring personal data to the USA. Because the surveillance programs of the USA, which are based on the local legislation, are “not limited to what is absolutely necessary”. Therefore, the requirements would be in EU law “according to the principle of proportionality” not fulfilled.
According to data protection experts, there is no transition period after the legal basis for data transfers to the USA has ceased to exist. According to the Berlin data protection officer Maja Smoltczyk, the ECJ “made clear in principle that the transfer of personal data to the USA is not possible with the Privacy Shield nor with standard contractual clauses or Binding Corporate Rules (BCR)”.
According to the report, the DPC first asked Facebook for a statement. Facebook manager Nick Clegg confirmed to the Wall Street Journal that the agency had proposed that EU citizens no longer transmit data on the basis of standard contractual clauses. Ireland is responsible for Facebook because the US company has its European headquarters there.
The order of the Irish could be revised again before it is finally issued, writes the paper. That could still take several months. After the end of the Privacy Shield, Facebook is said to have taken the position that it could continue to transmit data on the basis of the standard clauses.
The ECJ has not prohibited this option in principle. However, this does not mean a carte blanche for currently valid standard contractual clauses. Basically, they must also guarantee an appropriate level of protection for European data in a third country. And that is exactly what the ECJ denied in the case of the USA in July.
The DPC now apparently also takes this view. As a result, other US corporations are no longer allowed to transfer data from EU citizens to the USA on the basis of such clauses.
The order of the DPC should increase the pressure on the USA and the EU to improve the Privacy Shield according to the requirements of the ECJ. Corresponding negotiations were started at the beginning of August. It is unlikely that an agreement could be reached in the current US presidential election campaign. Because for this, the USA would have to be comparable to EU citizens
Guarantee data protection rights as in the EU and their data from
exclude any access by the secret services.