Irish privacy watchdog DPC is allowed to continue investigating Facebook’s data exchange between Europe and the US. The watchdog wants to stop those data transfers because the standard contractual clause under which data protection is regulated would not be sufficient.
The Irish Data Protection Commission ruled in 2020 that Facebook should stop the transfer of European user data to servers in the United States following the declaration of the Privacy Shield agreement as illegal. It would not provide sufficient protection against disproportionate surveillance by US authorities.
After that judgment only the so-called standard contractual clauses about; the legality of such a clause varies from case to case and depends on whether there are effective mechanisms to ensure compliance with the level of data protection desired by the EU. The Irish privacy watchdog does not think so. Facebook appealed the injunction, delaying the proceedings until now.
After the judgment of the Irish Supreme Court, the Data Protection Commission can resume its work. The watchdog must complete its investigation and the resulting suspension order, and the latter must also be approved by other privacy protectors in the EU. That can take months and during that time there is still the possibility for Facebook to further challenge the procedure, writes The Wall Street Journal, among others.
If the standard contractual clause for Facebook is indeed declared invalid, the company will no longer be allowed to store data of European users on American soil. That means it must bring the data back to Europe or suspend services to Europeans. A new legal framework for data exchange between the two continents would provide a solution for this, but that is not available now.
Much depends on the procedure, as it can set a precedent that would have enormous effects on countless companies exchanging data between the two continents. Facebook is dealing with the Irish data protector because the company has established its headquarters in that country.