The ability for data to be transferred across borders is fundamental to how the global open internet works. From finance and telecommunications to critical public services like healthcare or education, the free flow of data supports many of the services that we have come to rely on. Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day.
Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on. That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years.
In 2020, the Court of Justice of the European Union (CJEU) invalidated privacy Shield – a key legal mechanism for the transfer of personal data from the EU to the US. This decision created considerable regulatory and legal uncertainty for thousands of organisations, including Meta.
At the time of its decision in 2020, the CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards. As such, like thousands of other businesses, Meta used SCCs believing them to be compliant with the General Data Protection Regulation (GDPR).
Today, the Irish Data Protection Commission (DPC) has set out its findings into Meta’s use of this common legal instrument to transfer Facebook user data between the EU and the US. Despite acknowledging we had acted in good faith and that a fine was unjustified, the DPC was overruled at the last min ute by the European Data Protection Board (EDPB). We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day.
Meta Uses the Same Legal Mechanisms as Other Organisations
Ultimately, the invalidation of privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own. We are therefore disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe.
The DPC initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate. However, this was overruled by the EDPB, which also chose to disregard the clear progress that policymakers are making to resolve this underlying issue. This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.
It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.
There is Already a Political Agreement to Solve the Underlying Conflict of Law
Policymakers in both the EU and the US are on a clear path to resolving this conflict with the new Data privacy Framework (DPF). In March 2022, President Biden and Commission President Von der Leyen announced that they reached an agreement on the principles of a new framework to enable the free flow of transatlantic data. Policymakers on both sides of the Atlantic have committed to fully implementing the DPF “as quickly as possible.”
Regulators, including the EDPB, have welcomed the improvements made by the DPF. We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved. This will mean that if the DPF comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users.
At a time where the internet is fracturing under pressure from authoritarian regimes, like-minded democracies should work together to promote and defend the idea of the open internet. No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.
Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook while keeping their data safe and secure. There is no immediate disruption to Facebook because the decision includes implementation periods that run until later this year. We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines.