Facebook has avoided the risk of being forced to shut its service down in Europe this summer as a result of the latest twist in a long-running data protection complaint saga that relates to a clash between EU privacy and US surveillance law.
The delay — in what’s still widely expected to be a suspension order to Meta, Facebook’s parent company, to stop illegal data exports — follows objections to a draft decision by its lead data protection authority by other regional DPAs who have been reviewing it.
The Irish Business Post picked up on the development earlier.
Under the bloc’s General Data Protection Regulation (GDPR), cross-border complaints typically require cooperation and at least consensus from DPAs in affected regions so it provides a right for interested authorities to weight in on draft decisions by a lead data supervisor.
“We have received some objections from a small number of Data Protection Authorities in this case,” confirmed the Irish Data Protection Commission (DPC)’s deputy commissioner, Graham Doyle. “We are currently assessing the objections and will engage with the relevant authorities to try and resolve the issues raised.”
Doyle declined to provide details of specific objections received.
The development means that a final decision on the (seemingly) neverending saga over the legality of Facebook’s data transfers — and the fate of its service in Europe — will be kicked down the road for several more months at least.
In a previous cross-border GDPR complaint, related to WhatsApp, where objections were similarly raised to Ireland’s proposed enforcement, it took a total of around nine months before a final decision (and hefty fine) was issued.
Meta will also very likely challenge a suspension order in the Irish courts — and could also seek a stay, as it did previously, to try to keep operating as is in the meanwhile.
Back in September 2020, the DPC sent a preliminary suspension order to Facebook over the data transfers issue — triggering a legal challenge. Facebook won a stay but its bid to roll back the regulator’s decision via judicial review, challenging its procedure, was, eventually, dismissed in May 2021 reviving the enforcement process — which has been grinding on ever since.
The DPC would not comment on an expected timeframe for a final decision to be issued in light of the objections to its draft.
That will, in any case, depend on whether differing views on enforcement between DPAs can be settled without requiring a formal dispute resolution mechanism in the GDPR — which can require the European Data Protection Board to step in (as happened in the WhatsApp case).
If DPAs can’t come to agreement among themselves and the EDPB has to get involved it’s not beyond the bounds of possibility that a final decision gets pushed into 2023.
Max Schrems, the privacy campaigner and lawyer who originally raised the Facebook data transfers complaint (all the way back in 2013!), has said he expects considerable further delays in enforcement of any suspension order — including by Meta lodging appeals — as we reported previously.
The tech giant has a specific incentive to delay enforcement as long as possible as it may be banking on (or, well, hoping for) a fresh data transfer deal between the EU and the US landing to save Facebook’s service bacon in Europe.
A preliminary agreement on a new high level EU-US accord on data transfers — replacing the defunct Privacy Shield (which is one very tangible casualty of this Facebook data transfers complaint saga thus far; its predecessor Safe Harbor is another) — was reached back in March. And, earlier this year, the European Commission was suggesting it could be finalized by the end of this year.
Since then some reports have suggested progress towards agreeing a final text may not be going as smoothly as hoped, so a replacement deal may not arrive so quick — which would complicate Meta’s ‘strategy’ (if we can call it that) of banking on further delays to enforcement buying it enough time to switch its European data transfers onto a fresh, unchallenged legal basis.
The latter outcome would of course reset the whole game of legal and regulatory whack-a-mole yet again. So, well, it’s possible this saga could still have years, plural, to run…
This article was originally published on TechCrunch.com. Read More on their website.