Facebook’s internal assessment of EU-US data transfers shows it has no legal leg to stand on, says noyb

Natasha Lomas

In its latest (and last) pre-Christmas document reveal, European privacy advocacy group, noyb, has published details of an 86-page internal assessment by Facebook of its (continued) transfers of Europeans’ personal data to the US — and the resulting conclusion can be best summed up as ‘The Emperor, Mark Zuckerberg, Has No Clothes’.

The convoluted back story here is that Facebook’s transfers of EU users’ data to the US remain ongoing — in spite of two rulings by the bloc’s top court finding the US is a risky jurisdiction for such data (aka Schrems I and Schrems II); and a preliminary order by Facebook’s lead EU DPA, over a year ago, saying it must suspend EU-US transfers in the wake of the aforementioned Schrems II ruling.

And if that wasn’t enough, it’s also almost a year since Facebook’s lead EU DPA, the Irish Data Protection Commission (DPC), settled a legal challenge from noyb — agreeing last January to “swiftly” finalize the complaint in question.


Yet there’s still no final decision from Ireland on the legality of Facebook’s EU-US data transfers — some 8.5 years after the complaint was first filed by noyb founder and chair, Max Schrems. (noyb didn’t even exist when he filed this complaint!)

Asked whether a decision on Facebook’s data transfers will — at long, long last — be issued this year, the DPC’s deputy commissioner, Graham Doyle, told us the inquiry is “fairly well progressed at this stage” but he admitted it will not be finalized in the next few weeks.

Asked if a decision will be issued in January, Doyle ducked specifying a timeframe — saying that the DPC is unsure “exactly when” the decision will be made.

So perhaps 2022 will — finally — be the year of reckoning for Facebook.



But, if not, 2022 may well be a year of substantial reckoning for the Irish DPC which is now facing intense scrutiny over the sedate pace and convoluted form of its enforcements in major cases against tech giants like Facebook.

The European Commission warned earlier this month that unless “effective” enforcement arrives soon it will step in and move the bloc toward a system of centralized oversight.

So the message from EU lawmakers to DPAs such as Ireland (and, really, especially to Ireland) is simple: Use your enforcement powers soon — or you’ll lose them.

Returning to Facebook, if an EU data transfer suspension order does ever actually get enforced, the tech giant faces having to make drastic changes to its infrastructure and/or its business model.

Or it could even shut down service in Europe — a possibility Facebook has floated in an earlier legal submission — although its chief spin doctor, Nick Clegg, quickly denied it would ever actually do that.

Facebook and Clegg have preferred to resort to economic scare tactics to lobby the bloc’s lawmakers against enforcing the rule of law against the nation-state-sized data-mining empire — suggesting that any suspension order against Facebook’s data flows would wreak economic damage against European SMEs that use its ad tools to target consumers.

It’s a classic big tech tactic to lobby against tighter regulation of its own market power by claiming that limits on its operations will be far more damaging for the smaller businesses that rely on powerful platforms to reach potential buyers.

The adtech industry also likes to imply that you can either have privacy or competition, not both.

However, on that front, regional competition authorities are becoming increasingly sophisticated in their assessment of adtech platform power — including understanding how data abuse by tech giants can itself be a lever to lock in market power. (See, for example, Germany’s Federal Cartel Office’s antitrust case against Facebook’s consentless ‘superprofiling’ of users.)

So how much runway such self-serving framing has left, as the bloc hastens to pass ex ante rules to boss tech giants, is up for debate.

Facebook has managed to use the courts to defer a final countdown on its data transfers issues for years. But its business model is now under attack on multiple fronts — with the European Parliament, for example, pushing for tighter restrictions on behavioral ads and an outright ban on dark patterns in the Digital Markets Act.

In recent weeks, noyb has also been shining more disinfecting sunlight onto the EU’s enforcement failures — where Facebook is concerned — by protesting at being removed from an ongoing procedure against it by the Irish DPC, after the regulator tried to get it to sign a gag order in exchange for remaining a party to the proceeding.

The DPC has been accused of acting in Facebook’s interests in trying to keep procedural documents confidential without a valid legal basis for ordering third parties not to publish information related to ongoing procedures.

(And other pre-Christmas document-reveals by noyb have made especially awkward reading for the DPC — which can be seen apparently trying to insert a notorious Facebook GDPR consent bypass tactic into European Data Protection Board (EDPB) guidance — by arguing for allowing T&Cs to be laundered via contract clause — and getting roundly slapped back by other EU DPAs.)

Last month, the not-for-profit also took the further step of filing a complaint of criminal corruption against the DPC — in another sign of how frustrated European privacy campaigners have gotten at inaction against rights-trampling tech giants.



As noted above, despite a complaint that dates back to the Snowden disclosures, two landmark CJEU rulings and countless court challenges, Facebook continues to pass Europeans’ data to the US — as if the rule of law can’t touch it.

Yet, back in May, the company lost in the Irish High Court after trying (and failing) to challenge the DPC’s procedure; including by arguing the DPC was being too hasty and did not properly investigate before it sent the preliminary suspension order. (NB: The original complaint dates back to June 2013 so it’s fast approaching a decade old at this point.)

Details of Facebook’s Transfer Impact Assessment (TIA) revealed by noyb yesterday are long on claimed justifications for Facebook to ignore the CJEU — and short on substantive arguments to stand up Facebook’s claim that it’s totally not a problem for it to continue to take Europeans’ data to the US for processing despite the CJEU ruling that there are huge legal implications if you do that.

The CJEU has not once but twice struck down flagship transfer agreements between the EU and the US on the grounds that US surveillance law is in fatal conflict with European privacy rights.

And while, back in July 2020, the court did allow the possibility that data can be legally moved out of the EU to third countries, it made it clear that DPAs must step in and suspend data flows where they suspect people’s information is going somewhere where it’s at risk.

Given the court simultaneously struck down the EU-US Privacy Shield, the US was clearly identified as a problem third country.

Add to that, Facebook has the additional problem of its data processing being subject to US surveillance law (via NSA programs like PRISM). So there’s no easy fix for Facebook’s EU data transfers, as we’ve said before.

However, having a friendly regulator that doesn’t rush to do anything about really obvious problems is sure to help…
