Facebook may be forced to stop sending data about its European users to the U.S., in the first major fallout from a recent court ruling that found some trans-Atlantic data transfers don’t protect users from American government snooping.
The social network said Wednesday that Ireland’s Data Protection Commission has started an inquiry into how Facebook shifts data from the European Union to the United States.
The news was first reported by the Wall Street Journal, which said Ireland’s data commission gave Facebook until mid-September to respond to a preliminary order to suspend the transfers.
The result could be that the U.S. tech giant, which has data centers around the world, is forced to undertake a costly and complex revamp of its operations to ensure that European user data is kept out of the U.S.
“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19,” Facebook’s vice-president of global affairs and communications, Nick Clegg, wrote in a blog post.
The Irish data commission suggested that a type of legal mechanism governing the data transfers, known as standard contractual clauses, “cannot in practice be used for EU-U.S. data transfers,” Clegg said.
The commission, which did not reply to a request for comment, is Facebook’s lead privacy regulator in Europe and can fine companies up to 4% of annual revenue for data breaches.
It’s the first major move by a European regulator after the EU’s top court issued a ruling in July on the two types of legal mechanisms used to govern data transfers.
The European Court of Justice invalidated an agreement known as Privacy Shield and decided that the standard legal clauses were still OK. But in cases where there are concerns about data privacy, EU regulators should vet, and if needed block, the transfer of data.
It’s the latest development in a case that originated more than seven years ago, when Max Schrems, an Austrian privacy activist, filed a complaint about the handling of his Facebook data after former U.S. National Security Agency contractor Edward Snowden revealed the American government was eavesdropping on people’s online data and communications. The revelations included detail on how Facebook gave U.S. security agencies access to the personal data of Europeans.
Though the case specifically targets Facebook, it could have far-reaching implications for other tech giants’ operations in Europe. In Facebook’s case, for example, messages between Europeans would have to stay in Europe, which can be complicated and require the platform to be split up, Schrems has said.