Bad news for Facebook on two fronts – and for Ireland’s role as EU’s privacy enforcer

Posted on May 18, 2021 by Glyn Moody
Facebook on the hook US-EU data transfers

Back in February, Privacy News Online wrote about a major change to the way WhatsApp and Facebook accounts would be managed. New terms and conditions for WhatsApp users meant that the service is granting itself the right to share users’ data with other Facebook companies. Since Facebook’s privacy policy also allows a more general cross-company use, this means personal data would be shared more widely. Many users were unhappy with the move, as was one of the most interventionist of the data protection agencies in the EU, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). Last month, the Commissioner issued what it called an “Urgency procedure” against Facebook. This was unusual, because under the EU’s GDPR privacy law, it would normally be the data protection agency of the country where Facebook has its European headquarters that took action against the company – that is, Ireland’s Data Protection Commission (DPC). However, as the HmbBfDI explained, Article 66 of the GDPR allows other national data protection authorities to intervene in “exceptional circumstances”. The Hamburg Commissioner has now gone further, and issued an order prohibiting Facebook from processing personal data from WhatsApp for its own purposes, with immediate effect. Here’s why the HmbBfDI said it acted:

On evaluation of the facts and after having heard Facebook Ireland Ltd., there is no legal basis for processing by Facebook for its own purposes, notwithstanding the approval of the terms of use currently obtained by WhatsApp. The provisions on data transfers are scattered at different levels of the privacy policy, they are unclear and hard to distinguish in their European and international versions. In addition, the contents are misleading and show considerable contradictions. Even after close analysis, it is not clear what consequences approval has for users. Furthermore, consent is not freely given, since WhatsApp demands acceptance of the new provisions as a condition for the continued use of the service’s functionalities.

In support of this decision, Hamburg’s Commissioner, Johannes Caspar, explicitly mentioned some of the major privacy failures of Facebook. These included Cambridge Analytica, and the recent leak of 533 million personal data profiles. Caspar singled out one concern in particular: using profiling to influence voter decisions in order to manipulate democratic decision-making processes. “With nearly 60 million users of WhatsApp [in Germany], the danger is all the more concrete in view of the upcoming federal elections in Germany in September 2021, which will create desire to influence voters on the part of Facebook’s ad customers”, according to the Hamburg Commissioner. The press release concludes:

Due to the limited duration of the order in the emergency procedure of only three months, the HmbBfDI will bring this case to the European Data Protection Board (EDPB) in order to facilitate a binding decision at European level.

That’s a slap in the face for the Irish Data Protection Commission, implicitly criticizing it for not taking the initiative and prohibiting Facebook from using WhatsApp data across the whole of the EU. Someone who will doubtless be delighted by Hamburg’s act of rebellion is the privacy expert Max Schrems. As previous blog posts have explained, Schrems has been engaged in a battle with Facebook over its transfers of personal data across the Atlantic, something that Schrems believes contravenes the GDPR. Part of the problem is once more that it falls to the DPC to investigate this and impose fines where necessary.

As we reported last September, after seven years, Schrems’ original complaint to the DPC about Facebook’s data transfers has still not been decided. Moreover, the Irish data protection authority opened a second investigation into another aspect of transatlantic data flows. Schrems’ fear was that the DPC would get sidetracked with this new action, rather than coming to a decision about the old and arguably more important one. Schrems announced that he would seek an interlocutory injunction to ensure that the DPC takes action on all the alleged legal bases relied upon for data transfers by Facebook.

Last week, there was an important development in this long-running saga. Facebook had tried to get the second investigation thrown out, but the Irish High Court has refused. This means that the DPC can proceed with that work. Just as importantly, Schrems and the DPC have come to an agreement over the first investigation. In the settlement, the DPC pledged to run the complaints procedure swiftly once the High Court had made its ruling, and to allow Schrems to participate in the second investigation. According to the press release from Schrems’ organization, he now expects a swift decision on Facebook’s EU-US transfers. He notes that any national decision by the DPC would probably need to be approved by the European Data Protection Board, which oversees data protection in the EU. Schrems seems confident about the outcome of the DPC’s investigations, and believes that the impact will be dramatic:

We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer. This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the US to change its surveillance laws.

Since the latter is unlikely, it could be that other companies currently transferring personal data of EU citizens to the US may also need to start thinking about holding the data locally – something they are keen to avoid.

Featured image by Facebook.