The key mechanism used by Facebook to transfer data from the European Union to the United States ”cannot in practice be used” for such transfers, according to Ireland's Data Protection Commission, Facebook said on Wednesday.
The U.S. social media giant said in a blog post that it believed the mechanism, Standard Contractual Clauses (SCCs), had been deemed valid by the Court of Justice of the European Union in July, adding:
“We will continue to transfer data in compliance with the recent CJEU ruling and until we receive further guidance.”
Facebook said the Irish Data Protection Commission, Facebook's lead regulator in the EU, had “commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers”.
The Wall Street Journal reported that the Commission had sent Facebook a preliminary order to suspend transfers to the United States of data about users in the European Union.
A spokesman for the Commission declined to comment on the report.
The transatlantic argument stems from EU concerns that the surveillance regime in the United States may not respect the privacy rights of EU citizens when their personal data is sent to the United States for commercial use.
Facebook said that, while the Commission's approach was subject to further process, “if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on”.
Europe's highest court in July ruled that the main transatlantic data transfer deal hammered out between Brussels and Washington - Privacy Shield - was invalid because of concerns about U.S. surveillance.
But the judges upheld the validity of the transfer mechanism known as Standard Contractual Clauses (SCCs).
These are used by thousands of companies to transfer Europeans' data around the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.
However, the court stressed that under SCCs, privacy watchdogs must suspend or prohibit transfers outside the EU if data protection in other countries cannot be assured.
Austrian privacy activist Max Schrems, who brought the legal proceedings, said at the time that this meant companies that fall under U.S. surveillance laws, such as Facebook, could not use the clauses to shift data to the United States.
In its post, Facebook said that “the rationale in invalidating Privacy Shield has nonetheless created significant uncertainty - not just for US tech companies”.
It said it was setting out its position on how to proceed with international data transfers in a European Data Protection Board taskforce considering how to apply the CJEU ruling.
It said it was also putting “robust safeguards” in place to protect user data, such as “industry standard encryption and security measures, and comprehensive policies governing how we respond to legal requests for data”.