May 12, 2023 is the deadline for Europe's main privacy regulator Meta to make a final decision on a nearly decade-old complaint against Facebook's transfers of personal data from the EU to the US that could force the company to stop the flow of data.
The Irish Data Protection Commission (DPC) confirmed that it will make its final decision today.
However, it is normal for there to be more delays (just over a week) before the decision is made public. The official release date is May 22, assuming the details don't leak.
The delay in the publication of the adopted decision is due to the fact that Meta will have time to review the document to identify confidential and/or commercially sensitive information that it might want to redact, on the one hand, and due to a public holiday that affects another regulator of the EU involved.
The May 12 date for the adoption of the DPC's final decision on the complaint follows a timetable established by a dispute resolution decision made by the DPC. European Data Protection Board last month.
Applying mechanisms built into the General Data Protection Regulation (GDPR), the Board intervened to resolve the disagreement between various EU regulators over the content of the decision: make a binding decision on Meta transfers and give the DPC one month to implement it.
The Board's dispute resolution decision is not yet known as it has not been made public pending the final decision of the DPC (which will implement it), so the fate of Facebook's European data streams still hangs in the balance. . .
That being said, it is expected that Meta will be ordered to suspend data streams, given that the company received a preliminary suspension order from the DPC, in the fall of 2020.
At that time, the company obtained a stay of proceedings from the DPC, which helped delay the implementation timeline for the GPRD until the Irish courts dismissed Meta's challenge. Further delays followed, when the DPC's draft decision on the case faced objections from other EU data protection authorities, which were finally resolved by the EDPB's binding decision last month.
This means that the process for objections to the regulation is running out of steam, but it is expected that Meta will challenge any suspension order in the Irish courts.
The company has continually tried to downplay the situation, claiming in its latest statement that it "relates to a historical conflict between EU and US law, which is in the process of being resolved." Which is a reference to a draft agreement between the two lawmakers for a new high-level transatlantic data transfer framework aimed at resolving the conflict between US surveillance practices and EU data protection rights.
However, this EU-US data privacy framework, as the agreement has been called, is still under review by the EU institutions, who have raised concerns that it does not have strong enough safeguards. And just this week, lawmakers in the European Parliament reiterated an appeal to the Commission to take more time to improve the proposal, suggesting that there could be further delays in adopting a deal that Meta seems to be banking on to save its data transfers.
While the issue of data suspension is the main issue of this GDPR case, other important elements to consider in Ireland's final decision include whether or not Meta will be ordered to delete European user data if it is discovers that they have been illegally transferred to the US.
In March, MLex reported that at least two data protection authorities were lobbying for it, and that Meta was lobbying the EU institutions against such a move.
On top of that, internal documents leaked last year suggested that the tech giant's data management practices are, to put it politely, a mess. So the ease with which Meta could identify and isolate European user data, if ordered to remove it, is a big (and very expensive) consideration/complication.
Why is this so important? Well, as a reminder, we recently learned of a federal court finding that Facebook appears to have no way to retroactively purge user data. They said it would take up to a year to get all the data on a user.
Jason Kint (@jason_kint) May 11th 2023
Meta, of course, could also be fined if it is found to have transferred data illegally.
The GPRD can impose fines of up to 4% of global annual turnover, although, to date, Meta has had considerable success in receiving fines well below the theoretical maximum.
The privacy rights advocacy group, noyb, whose founder Max Schrems is behind the complaint against Facebook's EU-US data transfer, wrote to the EDPB (European Data Protection Board) in January to complain about the amount of the fine the DPC received earlier this year. , on the illegal processing of ad data, arguing that the €390 million penalty was insignificant compared to the scale of the breaches (in fact, he suggested that it fell short of more than €3500 billion).
In fact, Ireland had proposed a much lower level of fine for that offence, between €28m and €36m, but the regulator was forced to increase it to implement the EDPB's binding decision.
Without that Board intervention, Meta would have faced an even more GDPR weak for illegally processing millions of data European personals for behavioral advertising. So it will be interesting to see what level of penalty (if any) is included in Ireland's final decision on Facebook's data transfers.
That said, financial penalties imposed on tech giants are often less interesting than operational orders that have the potential to force changes to abusive business models. And while Meta continues to mine data from European users for behavioral ad targeting, it was at least forced to offer an opt-out as a result of the aforementioned GPRD enforcement. Something he's never done before.
How Meta could be forced to modify its business model to correct illegal transatlantic data transfers is an open question.
But there is no doubt that he will do his best to fight any suspension order in court, so he may find a way to delay having to act long enough for the full frame of the goal to move with the arrival of a new US data adequacy agreement.
If not, the costs will be real and significant.
In an earnings presentation with investors last month, the company admitted that an order to suspend data flows from Europe could affect 10% of its global ad revenue.
He obviously hopes it doesn't come to that, and is confident that the new EU-US data transfer mechanism will be adopted just in time. A company spokesman declined to discuss the contingencies if it is ordered to suspend data flows, pointing to the "progress" politicians have made toward a new pact.
But even if the high-level agreement comes soon enough to prevent Facebook's shutdown in Europe this year, Schrems suggests the new high-level framework is "likely" to be struck down by the bloc's top court, as they were. the two previous agreements, so he estimates that Meta would only "buy another two years or so" of expansion before the matter arises again.
For a long-term solution, he suggested that Meta will need to federate Facebook's infrastructure. But such a major remodel of your business would obviously also be very expensive.
