Facebook Addresses EU Court Ruling That Scuttled Privacy Shield Data-Transfer Framework

Standard contractual clauses are still valid, but the Irish Data Protection Commission is taking aim at them

The Irish Data Protection Commission also began an inquiry into Facebook-controlled data transfers between the EU and the U.S. BeeBright/iStock
Headshot of David Cohen

Facebook provided an update on steps it is taking in response to July’s ruling by the Court of Justice of the European Union that invalidated the Privacy Shield legal framework covering data transfers from the EU to the U.S.

Vice president of global affairs and communications Nick Clegg said in a Newsroom post that the ruling by the CJEU stated that standard contractual clauses—which he described as “an alternative legal mechanism for transferring data from the EU to a third country”—continued to be valid, but he added that the “significant uncertainty” created by the ruling impacted not just U.S. tech companies, but also all European businesses with trans-Atlantic data flows.

Clegg said Facebook supports global rules that ensure consistent treatment of data globally, and he pointed out the establishment of a European Data Protection Board task force earlier this month tasked with determining how to apply the CJEU ruling, as well as a joint statement in August from the European Commission and the U.S. Department of Commerce on discussions for an enhanced version of Privacy Shield.

On the topic of SCCs, Clegg said Facebook has been working to follow the steps outlined by the CJEU, putting robust safeguards in place, including industry-standard encryption and security measures, and implementing policies on responding to legal requests for data.

He also cautioned that the Irish Data Protection Commission began an inquiry into Facebook-controlled data transfers between the EU and the U.S., suggesting that SCCs cannot be used for this purposes, writing, “While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”

Facebook’s European headquarters is in Dublin.

Clegg concluded, “Businesses need clear, global rules, underpinned by the strong rule of law, to protect trans-Atlantic data flows over the long term … We recognize that building a sustainable framework that supports frictionless data flows to other countries and legal systems, while at the same time ensuring that the fundamental rights of EU users are respected, is not an easy task and will take time. While policymakers are working toward a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimize disruption to the many thousands of businesses that, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way. Our priority is to ensure that our users, advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure. We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”

david.cohen@adweek.com David Cohen is editor of Adweek's Social Pro Daily.