Facebook has warned that it may pull out of Europe if the Irish data protection commissioner enforces a ban on sharing data with the US, after a landmark ruling by the European court of justice found in July that there were insufficient safeguards against snooping by US intelligence agencies.
In a court filing in Dublin, Facebook’s associate general counsel wrote that enforcing the ban would leave the company unable to operate.
“In the event that [Facebook] were subject to a complete suspension of the transfer of users’ data to the US,” Yvonne Cunnane argued, “it is not clear … how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU.”
Facebook denied the filing was a threat, arguing in a statement that it was a simple reflection of reality. “Facebook is not threatening to withdraw from Europe,” a spokesperson said.
“Legal documents filed with the Irish high court set out the simple reality that Facebook, and many other businesses, organisations and services, rely on data transfers between the EU and the US in order to operate their services. A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19.”
The filing is the latest volley in a legal battle that has lasted almost a decade. In 2011, Max Schrems, an Austrian lawyer, began filing privacy complaints with the Irish data protection commissioner, which regulates Facebook in the EU, about the social network’s practices.
Those complaints gathered momentum two years later, when the Guardian revealed the NSA’s Prism program, a vast surveillance operation involving direct access to the systems of Google, Facebook, Apple and other US internet companies. Schrems filed a further privacy complaint, which was eventually referred to the European court of justice.
That court found in 2015 that, because of the existence of Prism, the “Safe Harbour” agreement, which allowed US companies to transfer the data of EU citizens back home, was invalid.
The EU then attempted a second legal agreement for the data transfers, a so-called privacy shield; that too was invalidated in July this year, with the court again ruling that the US does not limit surveillance of EU citizens.
In September, the Irish data protection commissioner began the process of enforcing that ruling. The commissioner issued a preliminary order compelling the social network to suspend data transfers overseas.
In response, Nick Clegg, the company’s head of global affairs and communications, published a blogpost that argued that “international data transfers underpin the global economy and support many of the services that are fundamental to our daily lives”.
“In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider,” he wrote. “A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.”
Clegg added: “We support global rules that can ensure consistent treatment of data around the world.”