The decision from the EU's privacy regulator has implications for Facebook's ability to continue to export user data to the US.
Meta has 28 days to make submissions on the preliminary decision and we will make a draft decision for other CSAs. The deputy commissioner at the Irish Data Protection Commission told us that this would happen in April.
The contents of the preliminary decision were not disclosed.
According to a Wall Street Journal report at the time, the DPC sent a preliminary order telling Facebook to stop data transfers.
Meta, as the tech giant has recently rebranded its data-mining empire, has been warning investors about the risk of its EU-US data transfers.
The legal avenue to challenge the DPC procedures was dismissed by the Irish High Court in May last year.
There has been no change to the facts of the case since the earlier draft order telling the company to suspend transfers that would lead to the clash between European data protection law and US surveillance powers.
In recent months, other European data protection agencies have been issuing decisions against other US services that involve the transfers of personal data to the US
The original complainter, Max Schrems, who obtained an agreement from it in January 2021, had a procedural challenge against the regulator.
Under the terms of the settlement, the DPC agreed that Schrems would also be heard in its parallel procedure, which it opened in addition to its complaint-based enquiry related to his original complaint.
He confirmed that the decision was sent to him by the DPC.
The privacy advocacy group founded by Schrems filed a complaint of criminal corruption against the DPC in relation to attempts to blackmail them.
On Meta’s ‘regulatory headwinds’ and adtech’s privacy reckoning
It's not clear how long the data transfer saga will last before a final decision is made.
It should be closer to months now.
Other interested data protection agencies can make reasoned objections to a draft decision by a lead authority within a month. There can be extensions. The European Data Protection Board can step in and push a final decision if there is a major disagreement over a preliminary decision.
The ball is back in Meta's court to see what fresh blather its lawyers can come up with.
A Meta spokesman told us that the tech giant was contacted for comment on the latest development.
“This is not a final decision and the IDPC have asked for further legal submissions. Suspending data transfers would be damaging not only to the millions of people, charities, and businesses in the EU who use our services, but also to thousands of other companies who rely on EU-US data transfers to provide a global service. A long-term solution on EU-US data transfers is needed to keep people, businesses and economies connected.”
As negotiations between the European Commission and the US on a replacement for the Privacy Shield data transfer arrangement remain ongoing, there is another moving piece to this apparently neverending story.
In recent months, Facebook and Google have been making public calls for a new transatlantic data transfer deal to be agreed, urging a high level fix for the legal uncertainty now facing scores of US cloud services.
The Commission warned back in 2020 that a replacement would only be possible if all the issues identified by the European Court of Justice in its July ruling were fixed.
In short, Privacy Shield 3.0 looks like a tall order, and the chief lobbyist, Nick Clegg, certainly has his work cut out.
Facebook told it may have to suspend EU data transfers after Schrems II ruling
As its data flows woes grow, Google lobbies for quickie fix to EU-US transfers