More Questions Raised Following EU Ruling on U.S. Data Transfer Privacy Shield

By | September 10, 2020

The key mechanism used by Facebook to transfer data from the European Union to the United States “cannot in practice be used” for such transfers, according to Ireland’s Data Protection Commission, Facebook said on Wednesday.

The U.S. social media giant said in a blog post that it believed the mechanism, Standard Contractual Clauses (SCCs), had been deemed valid by the Court of Justice of the European Union in July, adding: “We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”

Facebook said the Irish Data Protection Commission, Facebook’s lead regulator in the EU, had “commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers.”

The Wall Street Journal reported that the Commission had sent Facebook a preliminary order to suspend transfers to the United States of data about users in the European Union.

Firms Need Immediate Rethink on U.S. Data Transfers, Says EU Privacy Watchdog

European Union Court Invalidates Special Data Privacy Shield Granted U.S. Firms

A spokesman for the Commission declined to comment on the report.

The transatlantic argument stems from EU concerns that the surveillance regime in the United States may not respect the privacy rights of EU citizens when their personal data is sent to the United States for commercial use.

Facebook said that, while the Commission’s approach was subject to further process, “if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”

Swiss Join in Questioning of U.S. Privacy Protections

Swiss privacy officials have come out in agreement with their counterparts in the European Union that the U.S. does not satisfy the standards required to protect Swiss citizens when transferring their data. The officials cited concerns over U.S. surveillance activities.

In a policy position paper, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) said it reassessed the data protection policy following recent rulings by the EU court and concluded that “although it guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the U.S.” pursuant to Swiss law.

Switzerland is not a member of the EU. However, its decision tracked closely with the EU’s court opinion. The FDPIC said that while it does not have authority to void the U.S. pact, it has deleted the reference to “adequate data protection under certain conditions” for the U.S. in the FDPIC’s list of countries.

The FDPIC advised Swiss companies transferring data to countries where there is not adequate protection to redo their contracts to address the laws of the receiving country and consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data.


Europe’s highest court in July ruled that the main transatlantic data transfer deal hammered out between Brussels and Washington – Privacy Shield – was invalid because of concerns about U.S. surveillance.

But the judges upheld the validity of the transfer mechanism known as Standard Contractual Clauses (SCCs).

These are used by thousands of companies to transfer Europeans’ data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.

However, the court stressed that under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection in other countries cannot be assured.

Austrian privacy activist Max Schrems, who brought the legal proceedings, said at the time that this meant companies that fall under U.S. surveillance laws, such as Facebook, could not use the clauses to shift data to the United States.

In its post, Facebook said that “the rationale in invalidating Privacy Shield has nonetheless created significant uncertainty – not just for US tech companies.”

It said it was setting out its position on how to proceed with international data transfers in a European Data Protection Board taskforce considering how to apply the CJEU ruling.

It said it was also putting “robust safeguards” in place to protect user data, such as “industry standard encryption and security measures, and comprehensive policies governing how we respond to legal requests for data.”

(Reporting by Conor Humphries in Dublih and Neha Malara in Bengaluru; Editing by Kevin Liffey)

Topics USA Europe

Was this article valuable?

Here are more articles you may enjoy.