By Ben Rapp
It looks as though Meta, and by extension all other EU-US transfers, is to get a stay of execution. One month ago the Data Protection Commission Ireland notified its intent to enforce its decisions against Meta (Facebook) blocking transfers; in accordance with Article 60 of the GDPR, it gave a month for other supervisory authorities to object. Apparently some objections have been received; there is little information as yet – I’m basing this on an article in the Irish Business Post which came out last night and cites comment from Graham Doyle to that effect.
What now? The DPC will take some time to consider the objections and attempt to reach agreement with the objectors. If it cannot – unless it judges the objections to be unreasonable and simply enforces – the next step is to seek an opinion from the EDPB under Article 64. That can take up to 8 weeks, so we might be looking at as much as three more months in all. Is that enough time for the EU and US to conclude a revised #PrivacyShield, reinstating adequacy and making the problem go away?
I’m sure Max Schrems and noyb.eu will have a view. Ours at Securys Limited is that this continuing uncertainty over transfers to the US has a chilling effect on commerce and introduces substantial additional costs for business. Given the almost universal reliance on US cloud services for basic business operations, this puts most enterprises in the invidious position of being forced to make transfers in defiance of the European Data Protection Board guidance that they cannot be legitimised. We work with clients to minimise the associated residual risk, but it cannot be eliminated without ceasing to use services like Microsoft 365 and Google Workspace - as indeed for example Danish local government has recently done – something that brings substantial impact on productivity and cost.
We call on the EDPB and the Commission to bring clarity – either by supporting the DPC’s enforcement action or by accelerating the reinstatement of US adequacy. In doing so, it should consider whether exposure to US surveillance really is so harmful to EEA data subjects that it’s worth denying them – individually and as business users – access to US tech. Of course, if that is indeed the case, then we should expect the UK to lose adequacy also, given recent disclosures about the data collection practices of MI5. It should also look at the beam in its own eye – there’s no shortage of surveillance and opaque data collection by European governments either.
We continue to be concerned that the free flow of data across borders in pursuit of economic and social progress that was the primary goal of Convention 108 is being sacrificed not in the true interests of human rights but because of the growth of international tensions, factionalism and the resurgence of mercantilist ideas.
See below for links to other relevant material
Webinar: Brexit, adequacy and international data transfers -
A federated approach to privacy and shared services-
https://www.securys.co.uk/blog/a-federated-approach-to-privacy-and-shared-services