Thousands of European and US businesses rely on the safe and legal transfer of data between jurisdictions. International data transfers underpin the global economy and support many of the services that are fundamental to our daily lives.
In July, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, a legal framework regulating transfers of personal data from the EU to the US. At the same time, the CJEU stated that Standard Contractual Clauses, (SCCs), an alternative legal mechanism for transferring data from the EU to a third country, continue to be valid. But the rationale in invalidating Privacy Shield has nonetheless created significant uncertainty – not just for US tech companies, or even for all the European businesses who rely on online services to reach new customers, but for all European businesses with transatlantic data flows.
With the establishment of a European Data Protection Board taskforce to consider how to apply the CJEU ruling, as well as a joint statement from the EU Commission and US Department of Commerce that they have initiated discussions for an “enhanced” EU-US Privacy Shield, we are setting out our position on how to secure the long term stability of international data transfers. We support global rules that can ensure consistent treatment of data around the world.
A Safe, Secure Transfer Mechanism Upheld by the Courts
In its recent decision, the CJEU invalidated the Privacy Shield mechanism for transferring data between the EU and US, due to concerns over US national security laws. Before the ruling, more than 5,000 companies relied on Privacy Shield.
Although the court also ruled that Standard Contractual Clauses (SCCs) remain valid (providing the data exporter puts in place appropriate safeguards to ensure a high level of protection for data subjects), its rationale in invalidating Privacy Shield has prompted a discussion around businesses’ reliance on SCCs.
Like many other businesses, Facebook relies on SCCs to transfer data to countries outside the EU, including to the United States. Since the CJEU’s ruling in July, Facebook has been working hard to follow the steps set out by the Court to ensure that we can continue to transfer data in a safe and secure way. This includes ensuring that we have robust safeguards in place, such as industry standard encryption and security measures, and comprehensive policies governing how we respond to legal requests for data.
The Irish Data Protection Commission (IDPC) has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers. While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.
A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19. The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.
The effects would reach beyond the business world, and could impact critical public services such as health and education. Ireland’s Covid Tracking App states, in its terms, that it relies on SCCs as one of a number of mechanisms to transfer data to one of its processors in the US. International cloud providers and email platforms provide services to schools, Universities and hospitals across Europe. Millions of people use video conferencing software every day, to keep in touch with friends and family who live in different countries.
Clear Global Rules to Protect Consumers
Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.
The EU has led the way in establishing a framework for data protection that protects and empowers users. Privacy rules will continue to evolve, and global rules can ensure the consistent treatment of data wherever it is stored. Facebook therefore welcomes the efforts already underway between EU and US lawmakers to evaluate the potential for an “enhanced” EU-US framework – a Privacy Shield Plus. These efforts will need to recognise that EU Member States and the US are both democracies that share common values and the rule of law, are deeply culturally, socially and commercially interconnected, and have very similar data surveillance powers and practices
We recognize that building a sustainable framework that supports frictionless data flows to other countries and legal systems, while at the same time ensuring that the fundamental rights of EU users are respected, is not an easy task and will take time. While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.
Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure. We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.