Facebook Inc. FB 3.40% lost a bid to block a European Union privacy decision that could suspend its ability to send information about European users to U.S. computer servers, opening a pathway toward a precedent-setting interruption of its data flows.
Ireland’s High Court dismissed Friday all of Facebook’s procedural complaints about a preliminary decision on data flows that it received in August from the country’s Data Protection Commission. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.
The preliminary decision, which the court stayed in September pending its decision, could, if finalized, force the social-media company to suspend sending personal information about EU users to Facebook’s servers in the U.S.
While Friday’s court decision is a procedural one, the underlying questions are central to trans-Atlantic trade and the digital economy. Legal experts say the logic in Ireland’s provisional order could apply to other large tech companies that are subject to U.S. surveillance laws, such as cloud services and email providers—potentially leading to widespread disruption of trans-Atlantic data flows. In the balance are potentially billions of dollars of business in the cloud-computing, social-media and advertising industries.
Ireland’s DPC leads enforcement of EU privacy law for Facebook and other companies that have their European headquarters in the country. The commission still needs to finalize its draft decision ordering a suspension of data transfers and submit it to other EU privacy regulators for approval before it becomes effective. That process could take months, before counting any further court challenges.
If the order is put into effect, Facebook will likely have to re-engineer its service to silo off most data it collects from European users, or stop serving them entirely, at least temporarily.
The social-media company said that Friday’s court decision was procedural and that it planned to defend its data transfers before the DPC. It added that the regulator’s preliminary decision could be “damaging not only to Facebook, but also to users and other businesses.”
The DPC said it welcomed the judgment.
The Wall Street Journal reported on Ireland’s move in September. Facebook challenged the decision in court days later, arguing that the regulator had suggested a preliminary conclusion too hastily, without awaiting guidance from other EU regulators.
The move was the first significant step EU regulators had taken to enforce a July ruling from the bloc’s top court about data transfers. That ruling restricted how companies like Facebook could send personal information about Europeans to the U.S., because it found that Europeans had no effective way to challenge American government surveillance.
How Ireland’s DPC enforces the ruling is being closely watched, because it leads EU privacy enforcement for several other big tech companies, including Alphabet Inc.’s Google, Apple Inc. and Twitter Inc., which have their European headquarters in the country.
SHARE YOUR THOUGHTS
How do you expect the battle over big-tech privacy protections to play out? Join the conversation below.
Friday’s decision comes as countries world-wide increase measures to take control of where data flows. Last year, the U.S., under former President Donald Trump, attempted to force the Chinese parent of video-sharing app TikTok to divest the company to prevent data on American users being shared with Beijing. The plan was shelved under President Biden.
After the EU’s Court of Justice decision last summer, tech lobbyists initially signaled optimism that data flows might remain largely unaffected, with only contractual changes necessary. But since then, EU regulators, in addition to Ireland, have started issuing orders to suspend some data transfers. In April, Portugal’s privacy regulator ordered the national statistics agency to stop sending census data to the U.S., where it was being processed by Cloudflare Inc.
“The preliminary order from the DPC is concerning as it could jeopardize data flows from Europe to the U.S. for a wide range of companies,” said Alexandre Roure a senior manager of public policy for the Computer & Communications Industry Association, which represents companies including Facebook, Amazon.com Inc. and Google. “Europe is unlikely to meet its digital aspirations and become a ‘world-class data hub’ if it can’t even connect with its main trading partners in the first place.”
Orders, even if only preliminary ones, to stop sending data to the U.S. are a major shift in more than two decades of wrangling over how to balance privacy and commerce when it comes to trans-Atlantic data flows. In 2015, the EU’s top court invalidated a major legal mechanism for transferring such information to the U.S. But the threat ended up being mostly theoretical: No company faced a specific order to stop sending personal information, and the data flows never stopped.
Now, some lawyers say resolving the issue could require changes to U.S. surveillance laws to give more legal rights to Europeans. It could also become a spur for the U.S. to adopt broader privacy legislation.
“With trans-Atlantic data flows vital to both economies, the EU cannot afford to become a data island, nor the U.S. a data pariah,” Cameron Kerry, a former general counsel and acting secretary of the U.S. Department of Commerce, said earlier this year.
Write to Sam Schechner at firstname.lastname@example.org
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8