Ireland's data regulator has said Facebook must suspend transferring EU users' data to the US.
This is a further blow after a July ruling by Europe's highest court, the Court of Justice of the European Union, which struck down the Privacy Shield transatlantic data transfer scheme negotiated by the EU and US.
One ray of sunshine for Facebook, though, was that the ruling left in place Standard Contractual Clauses (SCCs), the most widely used mechanism for international transfers of personal data.
Over 5,000 companies had used SCCs, says the Privacy Shield website.
But the Irish Data Protection Commission now says Facebook cannot in practice use these SCCs.
The US may not adequately respect the privacy rights of EU citizens when their data is transferred from Europe to America, say Irish regulators.
This decision could have "a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on," said Facebook's vice president, and former UK deputy prime minister, Nick Clegg, in a blog post.
He attempted an optimistic tone, though, saying the "approach is subject to further process."
Facebook's most awkward customer
All this began with a 32-year-old Austrian privacy activist and lawyer called Maximilian Schrems.
While a law student in the US, Schrems wrote a term paper on Facebook's lack of awareness of EU privacy law.
A Facebook lawyer, Edward Palmieri, had spoken to his class and Schrems wasn't impressed by his attitude toward EU data protection law.
Palmieri was, incidentally, Facebook's director of privacy.
Building on his term paper, Schrems decided to make an EU right of access to personal data request to Facebook for the company's records on him.
He received a CD containing over 1,200 pages of data.
Unimpressed, Schrems filed a first complaint with the Irish data regulators in 2011.
Facebook has had a European headquarters in Dublin since 2008, which puts it under the purview of Irish regulators and, especially, Irish courts, which have proved very sympathetic to Schrems' arguments: namely, that the US doesn't provide adequate measures for individual data protection, and that European citizens therefore have a right not to have their data go to America.
The Irish data protection commissioner rejected Schrems' first complaint, but then the Irish High Court proved more sympathetic, and granted judicial review.
High Court judge Gerald Hogan then adjourned the case when it was referred to the EU's top court.
Ironically, the first serious blow to land on Facebook from the direction of European personal privacy came from a Bot.
Yves Bot, the court's advocate general, in 2015 declared the US-EU Safe Harbor agreements on data transfer made between 1998 and 2000 invalid, and added that national data protection authorities can suspend data transfers to third countries if they violate EU rights.
The Privacy Shield was a 2016 replacement framework for transferring data from the EU to the US. It's this replacement that the European top court struck down in July.
No simple solutions
As for the other template for data sharing, the Standard Contractual Clauses, their future now depends on whether they can be salvaged with extra guarantees that European citizens' data will be safe from US government surveillance.
This is easier said than done.
"There cannot be a one-size-fits-all, quick-fix solution," said European Data Protection Board Chair Andrea Jelinek last week.
This pours cold water on hopes an additional sentence or two would let Facebook and the 5,000 other companies using the clauses carry on with business as usual.
Some have suggested bigger changes are needed, such as the US amending laws like its Foreign Intelligence Surveillance Act and putting limits on US government surveillance of non-US citizens and their personal data.
"Maybe some legislative changes" are needed in the US, suggested EU justice commissioner Didier Reynders a week ago.
One thing is for sure: Data protection regulators and companies transferring data from the EU to the US are facing a busy autumn ahead.
— Padraig Belton, contributing editor, special to Light Reading