Is the DPC actually stopping Facebook's EU-US data transfers?! ..maybe half-way!

Sep 09, 2020

Is the DPC actually stopping Facebook's EU-US data transfers?! ..maybe half-way!

The WSJ reported on Wednesday night that the Irish Data Protection Commission ("DPC") has allegedly issued a "preliminary order" for Facebook to stop EU-US data transfers. Earlier this week, we informed the DPC that we plan to file an interlocutory injunction over their decision to instigate a "second" investigation into the matter, as doing so would breach a 2015 court order.

At the same time, Facebook seems to have (yet again) shifted the legal basis it relies on for EU-US data transfers in the aftermath of the judgment by the CJEU on "Privacy Shield" and the use of Standard Contractual Clauses ("SCCs").  Facebook is now using an alleged "need" to outsource data processing operations to the US under the user agreement and Article 49(1)(b) GDPR. According to our knowledge, this new legal basis is outside of the scope of the 'preliminary order' of the DPC.

noyb is now publishing three letters that may allow members of the public to get a better understanding of the dealings of Facebook and the DPC.

DPC opened a "parallel" case to a complaint that has been ongoing for 7 years on the use of SCCs under Article 46(1) GDPR only

We had a number of exchanges with the DPC in which we requested a swift implementation of the Judgment by the CJEU on EU-US data transfers. The DPC did not indicate that it will take any such swift action. On 31 August 2020, the DPC informed us in a letter (PDF) that it will open a second case (independent from the complaints procedure that lead to the judgment of the CJEU) to investigate Facbeook's reliance on the Standard Contractual Clauses (SCCs). At the same time, the DPC decided to pause the ongoing complaints procedure initiated by Mr Schrems seven years ago, despite being under an undertaking to the Irish High Court from 2015 to decide on the case swiftly. The DPC highlighted that this second investigation is strictly limited to Facebook's use of SCC under Article 46(1) GDPR.

Max Schrems, honorary chair of noyb.eu: "We obviously welcome the notion that the Irish DPC is finally moving towards doing it's job after seven years of procedures and five court decisions, all of which upheld our position. However, this move by the DPC may lead to another half-hearted decision after all."

Facebook now argues "parallel" legal basis under Article 49 GDPR that is not subject to the DPC's limited investigation

This limited case by the DPC is especially interesting, as Facebook has indicated in a letter from 19 August 2020 (PDF, page 3) that (after the end of Safe Harbor, Privacy Shield and the SCCs) it is now relying on a fourth legal basis for data transfers: the alleged "necessity" to outsource processing to the US under the contract with its users (see Article 49(1)(b) GDPR). This means that any "preliminary order" or "second investigation" by the DPC on the SCCs alone will in fact not stop Facebook from arguing that its EU-US data transfers continue to be legal. In practice Article 49(1)(b) GDPR may be an appropriate legal basis for very limited data transfers (e.g. when an EU user is sending an message to a US user), but cannot be used to outsource all data processing to the US.

Max Schrems: "The DPC is again only investigating one slice of the problem - as they have done twice already in the investigations on Safe Harbor and the SCCs. Facebook seems to want the DPC to only focus on the SCCs as well, so that they can just pull out the next legal basis at the end of this procedure. This legal edition of 'whac-a-mole' has been ongoing for seven years now. I therefore suspect that the alleged preliminary order against Facebook is another useless step that will not solve the issue fully."

noyb is planning an interlocutory injunction to stop mismanagement by the DPC

In response to this situation, the Solicitor representing Mr Schrems sent a letter to the DPC on Monday this week (PDF), highlighting that Facebook also uses Article 49 and the DPC is clearly in breach of a court order by (once more) pausing the complaints procedure from 2013, just to open an unnecessary second investigation into only a sub-issue of the initial complaint. Under Irish law, the DPC is likely to be in "contempt of court" - a very serious matter which can lead to severe consequences for the head of the DPC.

noyb has informed the DPC that we are planning to file an interlocutory injunction to ensure that the DPC takes action on all alleged legal basis relied upon for data transfers by Facebook (the SCCs under Article 46 and the alleged "contract" under Article 49 GDPR) and to do so within the ongoing complaints procedure, as foreseen by the law.

Schrems: "The leak about a secret 'preliminary order' against Facebook shows that the DPC was trying to run a secret procedure without the complainant. While such an order should have been issued in 2013, we are very concerned that the DPC is again only embarking on a limited investigation that will not fully determine all aspects of the case. We will therefore take the appropriate legal action in Ireland to ensure that the rights of users are fully upheld - no matter which legal basis Facebook claims. After seven years, all cards have to be put on the table."

It is unclear how the leak on the 'preliminary order' relates to this background of the case. The DPC has agreed on Wedneday night to come back on the possible interlocutory injunction by Friday 11 September 2020. Lawyers for Mr Schrems will request all documents that were mentioned in the WSJ exclusive from the DPC.