Ireland’s data protection commissioner has issued Facebook with a preliminary order to stop sending data transfers from EU users to the US.
The move, confirmed by Facebook, could spark a new transatlantic digital crisis.
The order, described to Independent.ie by people close to the situation as “well progressed”, is the result of a European Court decision in July, which struck down the transatlantic ‘Privacy Shield’ treaty.
It means that the validity of ‘standard contractual clauses’ (SCCs) used by thousands of Irish and European companies to transfer data, is now closer to being cancelled.
Facebook has reacted by claiming that a cancellation of SCCs could cause near-term chaos for the global economy.
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” said Nick Clegg, Facebook’s vice president of global affairs and communications and the former deputy prime minister of the UK.
“The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.”
Mr Clegg also claimed that the annulment of the data transfer mechanism could even affect Ireland’s Covid Tracker app.
“The effects would reach beyond the business world, and could impact critical public services such as health and education. Ireland’s Covid Tracking App states, in its terms, that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the US. International cloud providers and email platforms provide services to schools, Universities and hospitals across Europe. Millions of people use video conferencing software every day, to keep in touch with friends and family who live in different countries.”
A spokesperson for the Irish Data Protection Commissioner said that the agency would make no comment on the matter.
However, the Irish regulator has the power to fine giant companies such as Facebook ㈡20m or up to 4pc of global turnover for non-compliance of regulatory orders.
The decision has been long-predicted by many privacy campaigners after the European Court ruled that the US was not a trustworthy country to transfer personal data to.
“Supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means,” said Europe’s highest court in July.
The issue is likely to inflame cross-Atlantic tensions with just two months left until the US presidential election, already one of the most divisive in recent history.