By Sam Schechner and Emily Glazer 

A European Union privacy regulator has sent Facebook Inc. a preliminary order to suspend data transfers to the U.S. about its EU users, according to people familiar with the matter, an operational and legal challenge for the company that could set a precedent for other tech giants.

The preliminary order, the people said, was sent by Ireland's Data Protection Commission to Facebook late last month, asking for the company's response. It's the first significant step EU regulators have taken to enforce a July ruling about data transfers from the bloc's top court. That ruling restricted how companies like Facebook can send personal information about Europeans to U.S. soil, because it found that Europeans have no effective way to challenge American government surveillance.

To comply with Ireland's preliminary order, Facebook would likely have to re-engineer its service to silo off most data it collects from European users, or stop serving them entirely, at least temporarily. If it fails to comply with an order, Ireland's data commission has the power to fine Facebook up to 4% of its annual revenue, or $2.8 billion.

Nick Clegg, Facebook's top policy and communications executive, confirmed that Ireland's privacy regulator has suggested, as part of an inquiry, that Facebook can no longer in practice conduct EU-U.S. data transfers using a widely used type of contract.

"A lack of safe, secure and legal international data transfers would damage the economy and prevent the emergence of data-driven businesses from the EU, just as we seek a recovery from Covid-19," Mr. Clegg said.

Ireland's Data Protection Commission declined to comment.

The preliminary order is a victory for European privacy activists, who have been arguing before regulators and in court for the better part of a decade that their data shouldn't be sent to or kept in the U.S. because it could be turned over to the government under secret requests.

It is also a warning for big tech companies with operations in Europe, and for the trans-Atlantic trade they facilitate. Though the order applies to Facebook, the company may be the first in the queue in front of other U.S.-based tech companies to face similar orders, one of the people familiar with the matter said. At stake is whether the U.S. might have to change its surveillance laws for data transfers to resume, the person added.

Blocking big tech companies' data transfers to the U.S. could upend billions of dollars of trade from cross-border data activities, including cloud services, human resources and marketing, because they involve accessing or storing information about Europeans from U.S. soil, tech advocates say. Similar logic could also be used to block transfers to other countries with surveillance laws deemed invasive by EU courts, advocates add.

To be sure, Ireland's order is preliminary and could be revised before it is finalized, a process that could take several months. Ireland's data commission leads EU privacy enforcement for Facebook because it has its regional headquarters in the country, but Ireland's privacy regulator must coordinate with counterparts in other EU countries in cross-border cases.

Ireland's data commission has given Facebook until mid-September to respond to the order, the people familiar with the matter said. After considering Facebook's responses, the data commission told the company it plans to send a new draft of the order to the 26 privacy regulators in other EU countries for joint approval under a cooperation provision of the bloc's privacy law, the people added.

Facebook could also potentially challenge the order in court. Internally, Facebook considers the preliminary order and its future implications a big deal, one of the people said. Because of its sensitivity, the existence of the order is being held closely inside Facebook while executives and lawyers determine how to respond, that person and another person familiar with the matter said.

Since the July ruling, the European Commission, the EU's executive arm, and U.S. officials have started negotiations to establish a new way for companies to send data on Europeans to the U.S. that would comply with the court's requirements. But "there will be no quick fix," EU Justice Commissioner Didier Reynders said in European Parliament last week.

Some privacy lawyers have said that the U.S. would need to change its surveillance laws to address the court's concerns. The U.S. for its part has said that its surveillance practices are proportionate, and in court argued that the EU shouldn't exercise jurisdiction over U.S. national security practices.

The focus now is on the EU's privacy regulators to see how they enforce the July ruling. A board representing EU privacy regulators last week announced a task force to tackle the topic. Ireland's data commission has been closely watched because, in addition to Facebook, it also leads EU privacy enforcement for several big tech companies, including Alphabet Inc.'s Google, Apple Inc. and Twitter Inc.

Ireland's plan to order Facebook to stop sending data to the U.S. -- even if only preliminary -- marks a major shift in more than two decades of wrangling between the EU and U.S. over how to balance privacy and commerce when it comes to trans-Atlantic data flows. In 2015, the EU's top court invalidated a major legal mechanism for transferring such information to the U.S. But the threat ended up being mostly theoretical: No company actually faced a specific order to stop sending personal information, and the data flows never stopped.

At issue is a basic precept of EU privacy law dating back to the 1990s. It is illegal for a company to send personal information about EU residents to another part of the world that doesn't offer essentially equivalent privacy protections to the EU -- except in certain circumscribed circumstances. The U.S., which doesn't have a national data-privacy law but rather more sector-specific regulations in some areas, such as health care, didn't make the EU cut.

To keep data flowing, the U.S. and EU in the late 1990s negotiated a special system, called Safe Harbor, where companies sending European data to the U.S. could opt into EU-style rules, enforced by the U.S. government. Companies also had other options to send data overseas, such as using preapproved EU contractual language, called standard contractual clauses, in which companies promise to uphold European privacy standards.

Legal challenges to those systems began in 2013, after former National Security Agency contractor Edward Snowden leaked details of U.S. government surveillance practices. A privacy activist named Max Schrems argued that Safe Harbor exposed his Facebook information to the U.S. government. The EU's Court of Justice agreed, and struck down the system in 2015.

The EU and U.S. quickly worked out a replacement framework, dubbed Privacy Shield, which added some additional protections such as an ombudsperson at the U.S. State Department to field complaints from Europeans. But July's Court of Justice decision struck that system down, too, saying that the U.S. still didn't provide Europeans with actionable rights to challenge surveillance.

Businesses were initially comforted that the July decision stopped short of invalidating the so-called standard contractual clauses as well, and instead said that companies must assess whether the laws of the countries where they are sending data allow them to ensure adequate protection under EU law. Facebook was among several companies that said over the summer that they would rely on those standard contractual clauses to transfer data to the U.S., now that Privacy Shield was no longer valid.

But Ireland's sending of the preliminary order to suspend data transfers suggests that it found such standard clauses aren't sufficient under the ruling, at least in Facebook's case. If that reasoning stands, such clauses might also be ruled invalid for other large technology and telecommunications companies that, like Facebook, fall under the purview of the U.S. surveillance laws discussed in the EU court ruling, including Section 702 of the Foreign Intelligence Surveillance Act.

Noyb, a privacy advocacy group founded by Mr. Schrems, used that reasoning in August when it filed privacy complaints to various EU privacy regulators against 101 European websites, using the EU court ruling to argue that they must stop sending data using U.S.-based tech providers.

The potential that Facebook and other large tech companies might have to stop sending data to the U.S. raises the stakes on efforts to come up with replacement frameworks to allow such transfers. In addition to talks with the U.S. to replace Privacy Shield with a new system, the European Commission says it is also updating the language of the standard contractual clauses. But it isn't clear how such updates would address the court's surveillance concerns.

Write to Sam Schechner at sam.schechner@wsj.com and Emily Glazer at emily.glazer@wsj.com

 

(END) Dow Jones Newswires

September 09, 2020 13:34 ET (17:34 GMT)

Copyright (c) 2020 Dow Jones & Company, Inc.