EU-US data transfers by Meta owned Facebook and Instagram could be halted as soon as May but the move would not immediately hit other big tech companies, Ireland’s data privacy regulator said in an interview.
Europe’s highest court ruled in 2020 that an EU-US data transfer pact was invalid due to concerns that US government surveillance may not respect the privacy rights of EU citizens.
That prompted Ireland’s Data Protection Commission (DPC), Meta’s lead regulator in Europe, to issue a provisional order that the mechanism Facebook and Instagram uses to transfer data from European Union users to the United States “cannot in practice be used.”
The order, which does not apply to WhatsApp as it has a different data controller within the Meta group, was frozen following a legal challenge but resumed last May when the Irish High Court dismissed Meta’s claims.
An updated decision could be shared with fellow EU regulators in April and if none of them lodge an objection, “the earliest time we could have a final decision could be the end of May,” Helen Dixon told Reuters. Any objection could add some months to the timeline.
“If there were a scenario where data flows were deemed illegal and required a halt, obviously the impacts would be huge,” she said.
But there is no way that the probe could lead to an automatic halt of similar data flows at Meta’s large rivals, many of whom also have their European headquarters in Ireland.
“The decision that the DPC will ultimately make in relation to Facebook will be specific to Facebook and addressed only to Facebook,” Dixon said.
“The consequence of the CJEU (Court of Justice of the European Union) decision is that we can’t make a broader and more sweeping finding. We have to go company by company by company,” she said.
There are “hundreds of thousands of entities” that would potentially have to be looked at, Dixon added, starting with other large internet platforms.
Meta has warned a stoppage will likely leave it unable to offer significant services such as Facebook and Instagram in Europe without a new transatlantic data transfer framework.
There is a parallel political process between the US Commerce Department and the EU Commission on such remedies, but the Irish regulator has not been informed of progress.
Dixon’s office has so far completed just two investigations of multinationals under new EU privacy rules introduced in 2018, including hitting WhatsApp with a EUR 225 million (roughly Rs. 1,900 crore) fine last year.
In 2022 the DPC is likely to complete nine or 10 of the 30 open probes, Dixon said, an acceleration she attributed to the near doubling of its staff in three years and would act as an answer to critics who say her office is under-resourced to deal with the huge work flow.
Staffing is set to increase to 260 by the end of 2022 from 195 currently and just 27 in 2014 but will have to continue to rise for “years to come”, Dixon said.
© Thomson Reuters 2022