4th Advent Reading: Facebook fully ignores "Schrems" rulings by Court of Justice

Data Transfers
 /  19 December 2021

4th Advent Reading: Facebook's "Transfer Impact Assessment" fully ignores rulings by Court of Justice

In the last "Advent Reading" in protest against the Irish DPC's removal of noyb from a procedure, we will discuss Facebook's discarding of the European Court of Justice (CJEU) rulings on EU-US data transfers, in an allegedly "confidential" 86 pages "Transfer Impact Assessment". Since 2013, the issue of Facebook's cooperation with US government agencies on mass surveillance is pending before the Irish Data Protection Commission ("DPC"). A first decision by the Irish DPC is not even in sight - 8.5 years after the initial complaint and 1.5 years after the second clarification by the CJEU. Schrems: "Facebook fully ignores the Court of Justice, despite two explicit rulings."

"TIA": Facebook's ignorance of the CJEU in three steps. Following the clear rulings in "Schrems I" and "Schrems II", Facebook would have had to stop data transfers from the EU to the US immediately, as they were declared illegal twice. Today (1.5 years later), Facebook has not taken any steps to limit its data transfers. Instead, it produced a 86 pages "Transfer Impact Assessment" ("TIA") under Clause 14 of the newly introduced Standard Contract Clauses ("SCCs"), coming to the surprising result that the CJEU judgment would not apply to Facebook and transfers could continue as they are. According to the documents we received, absolutely no new or relevant measures were taken by Facebook on foot of the CJEU judgment of 16.6.2020.

Max Schrems, Chair of noyb.eu: "Facebook has been ignoring EU law for 8.5 years now. The newly released documents show that they simply take the view that the Court of Justice is wrong - and Facebook is right. It is an unbelievable ignorance of the rule of law, supported by the lack of enforcement action by the Irish DPC. No wonder that Facebook wants to keep this document confidential. However, it also shows that Facebook has no serious legeal defence when continuing to ship European's data to the US."

Four Documents. noyb is making the content of the four relevant documents transparent. The "Overview Document" clarifies that Facebook takes three steps to come to the conclusion that it may continue to transfer data to the Unites States, despite two CJEU judgments: First it directly contradicts two Court of Justice judgments, which held that US surveillance laws violate EU fundamental rights. Instead Facebook's "Equivalence Assessment" takes the view that EU and US laws are in fact equivalent. Secondly, Facebook's "Factors Assessment" says that the risk for users is minimal - again in direct contradiction to the Court of Justice. In a third step, Facebook's "Record of Safeguards" mentions various measures in place that would counterbalance any violation of EU law. In fact, none of these measures are actually relevant for Section 702 FISA surveillance. They are a list of industry minimal standards for security (under Article 32 GDPR) that are in place independent of US surveillance laws.

While the voluminous 86 pages are trying to give the impression of a sophisticated analysis, the core element of Facebook's assessment is summarized in the conclusion of Facebook's TIA:

In other words: Facebook simply says US law is "equivalent" to EU law, despite two Court of Justice decisions to the opposite.

Deeper Dive: noyb made four videos reading out summaries of all four documents as part of a "deep dive" into these documents, which also explains the contents of these documents in more detail. Click here for the deep dive. Given the risk of Facebook and the Irish DPC using frivolous litigation to retaliate against noyb via a "SLAPP suit", we have decided to read and describe the documents in detail, this will allow everyone to get a good understanding of the documents, while minimizing the risk of frivolous lawsuits by Facebook or the DPC.

No decision by Irish DPC despite legal duty. The underlying complaint is pending since 2013 and was the matter of five Irish procedures and two Court of Justice procedures, costing upwards of € 10 Million. You can find a rough overview over the case in the graphic below. In 2020 the CJEU has again explicitly held that the DPC "is required to suspend or prohibit a transfer of data" (para 121). Equally, in the latest settlement between the DPC and Mr Schrems a swift decision was promised on 12.1.2021. 8,5 years after the initial complaint there is still no decision in sight - despite the DPC repeatedly "welcoming" clarification that was provided by each loss in the courts. Even when a first decision by the DPC would be issued, it would be subject to multiple levels of appeals in Ireland. Nevertheless, the documents show that Facebook has in fact no credible legal basis to transfer European's data to the US - risking massive fines and a reorganization of the entire business.

Overview over procedure

European Commission SCC update abused by Facebook? The basis for Facebook's "Transfer Impact Assessment" is Clause 14 of the new "Standard Contract Clauses" adopted by the European Commission. This new set of rules became applicable as the DPC has not taken a decision on the case within a reasonable time frame. Until today, Facebook constantly switched from one legal ground for data transfers to another (first "Safe Harbor", then "Privacy Shield" and the old SCCs and now the new SCCs). In addition to these multiple grounds for transfer, Facebook also recently raised "contractual necessity" and "consent" for all data transfers under Article 49(1) GDPR. So far, it doesn't seem that the DPC investigated these new arguments at all.

Schrems: "The Irish DPC is extremely slow and is not in control of this procedures. Facebook constantly moves to another argument, while the DPC has not even decided on the decision from 2013. Facebook is dominating this procedure - instead of the DPC."

    Potential "SLAPP suit" by the DPC and Facebook. Given numerous threats despite a clear legal basis for these publications, noyb is now expecting baseless "SLAPP suits" (see a great summary by John Oliver, unfortunately only on YouTube) by the DPC and/or Facebook Ireland Limited. It is not unlikely that Facebook or the DPC would try to bring a case to Ireland or the UK, as these legal systems are extremely expensive and a perfect jurisdictions to ruin an NGO. We have therefore geoblocked the relevant documents in these jurisdictions.