It Happened Again (Part 2): The Facebook Playbook Post Schrems II
How the social media company may be trying to weather the storm without the Privacy Shield or SCCs
It has been over two months since the ECJ’s landmark Schrems II judgment. During that time there has been plenty of talk of how to deal with its implications. Questions remain over the use of standard contractual clauses (SCCs), a potential successor to the Privacy Shield and the future of transatlantic data flows.
Yet, one company that will be particularly concerned with the immediate impact of Schrems II is Facebook. The case stems from a complaint lodged with the Irish Data Protection Commissioner (IDPC) by Max Schrems, the eminent privacy activist, in light of the revelations by Edward Snowden of the State surveillance activities of the US and others. The complaint concerned data transfers from Facebook’s subsidiary in Ireland (FB Ireland) to its headquarters in California (FB Inc): the data transferred would be subject to US surveillance, which does not comply with EU data protection law.
On the day of the Schrems II judgment, the IDPC put out a statement in which it said that “the application of the SCCs transfer mechanism for transfers of personal data to the United States is now questionable”. A few months later, the IDPC sent a preliminary order to Facebook stating that transfers from FB Ireland to FB Inc must come to an end. Facebook responded by commencing legal proceedings against the IDPC claiming that its decision was a result of improper procedures and thus should be quashed.
Whether Facebook wins this case against the IDPC or not, it will have to somehow deal with the complexities that Schrems II presents. In doing so, it is likely that Facebook will be developing both short-term and long-term strategies to negate or at least mitigate the potential disruption caused by the ECJ and the IDPC.
Web of Data
One important question that can get lost in the discussions about Schrems II is why FB Ireland transfers personal data to FB Inc. The answer to this question would help to understand how, from an operational standpoint, the stipulations of Schrems II affect Facebook and what the consequences of complying with the judgment might be.
Facebook has billions of users around the world. To serve all these users, the social media giant owns and operates 15 data centres around the world. Only four of these data centres are located outside the US: in Denmark, Sweden, Singapore and Ireland.
A typical approach in managing these many users across several data centres would be to have copies of user data located in each data centre. The reason for this generally is to improve system reliability and resilience. For example, if one data centre suffers from a power outage, users can still access their Facebook or Instagram profile as their data are retrieved from any one of the numerous data centres with the relevant copies.
However, maintaining this system becomes challenging when data centres are located across the globe. Such an arrangement can cause latency as data has to travel to different jurisdictions and the data retrieval system becomes more inefficient as more data centres are added to the network.
Thus, Facebook has developed a solution to this called Akkio. This is a data placement service that makes service delivery more efficient when working with multiple data centres in different geographic locations. Akkio identifies where users are accessing their data from to determine which data centre should store copies of their data. The data centres that are selected to store the copies are those which are most proximate to the user.
For example, when a user opens Instagram, the app communicates with Akkio to find out where their data resides before retrieving it from a data centre. Akkio then determines from where the user’s data are being accessed and how they have been accessed in the past. Such access patterns are stored in a distinct access database for several days. Akkio uses both the location data and access pattern data to decide where to place the data and whether the data storage needs to change.
Akkio thus avoids the duplication of data everywhere, meaning that international data transfers are less frequent. However, in order for this system to work effectively, all the data centres need to be connected as one network of data. This is so that the data can move freely according to the decision-making process carried out by Akkio. The free flow of data is therefore vital to how Facebook operates its data centres.
If Facebook is subject to an order to prohibit transfers from the EU to the US, this could cause great disruption to service delivery. For example, if an EU-based user regularly accesses Facebook from Paris, their data is likely stored in the data centres in Europe. If that user then travels to the US and attempts to open their Facebook app from the US, their data would need to travel from the EU to the US with a copy potentially stored in a data centre in the US as well. Also, if a US-based user follows EU-based users, in order for the US user to view the EU users’ content on their feed, the EU users’ data would need to be accessed from an EU data centre and transferred to the US. Complying with Schrems II would mean that these transfers could not take place and thus limit the worldwide availability of Facebook to a great extent.
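The effect described above can be seen in a simplified model of access-pattern-driven placement, added here as an illustration; it is not Facebook's or Akkio's code. The region names, the "most frequent recent accessor" rule, the window size and the `blocked_transfers` policy are all assumptions made for the example.

```python
from collections import Counter, deque

# Constructed data centre map (region -> jurisdiction); names are illustrative.
JURISDICTION = {"eu-ie": "EU", "eu-se": "EU", "us-ca": "US", "sg": "SG"}


class PlacementService:
    """Toy access-pattern-driven placement with an optional transfer ban."""

    def __init__(self, blocked_transfers=frozenset(), window=5):
        self.blocked = set(blocked_transfers)  # {(from_jurisdiction, to_jurisdiction)}
        self.window = window                   # recent accesses remembered per user
        self.home = {}                         # user -> region holding the data
        self.history = {}                      # user -> deque of accessing regions

    def transfer_allowed(self, src, dst):
        """A move or remote read is allowed within a jurisdiction or if not banned."""
        pair = (JURISDICTION[src], JURISDICTION[dst])
        return pair[0] == pair[1] or pair not in self.blocked

    def access(self, user, region):
        """Serve one request arriving at `region`; return how it was served."""
        home = self.home.setdefault(user, region)  # first access fixes the initial home
        self.history.setdefault(user, deque(maxlen=self.window)).append(region)
        if home == region:
            return "local"
        if not self.transfer_allowed(home, region):
            return "denied"   # data would have to leave its jurisdiction
        return "remote"       # cross-region read, permitted but slower

    def rebalance(self, user):
        """Move the data to the most frequent recent accessor, if permitted."""
        home = self.home[user]
        target, _ = Counter(self.history[user]).most_common(1)[0]
        if target != home and self.transfer_allowed(home, target):
            self.home[user] = target
        return self.home[user]


def simulate(blocked):
    """An EU user with an established pattern in Ireland travels to California."""
    svc = PlacementService(blocked_transfers=blocked)
    results = [svc.access("alice", "eu-ie") for _ in range(3)]
    results += [svc.access("alice", "us-ca") for _ in range(4)]
    final_home = svc.rebalance("alice")
    results.append(svc.access("alice", "us-ca"))
    return results, final_home


if __name__ == "__main__":
    print(simulate(blocked=set()))           # free flow of data
    print(simulate(blocked={("EU", "US")}))  # EU -> US transfers prohibited
```

With no ban, the data follows the user to the US region after a few remote reads; with the EU-to-US ban in place, every request from the US region is refused and the data stays in Ireland.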
Apart from service delivery, another reason why data transfers from the EU to the US take place is to support the work conducted at Facebook’s headquarters. It is in Menlo Park, California where “[p]eople specializing in engineering, product, communications and virtual reality are all scattered fairly randomly across the campus”. That is where most of the talent within the company resides and thus most likely where the brunt of the innovative work at Facebook takes place. Such innovative efforts may require the use of personal data, which may be stored in data centres outside, as well as inside, the US.
Adhering to Schrems II, whereby transfers from the EU to the US are prohibited (or at least are difficult to achieve legally), would likely cause great disruption to both Facebook’s service delivery and its innovative work. It thus likely explains why Facebook has suggested that operating in the EU may not be possible if the IDPC enforces its preliminary order.
Keeping Calm and Carrying On
There are, effectively, three ways in which an organisation can conduct transfers to non-EU Member States under Chapter V of the GDPR. These include relying on an adequacy decision (Article 45), using a mechanism that ensures appropriate safeguards (Article 46), or relying on derogations (Article 49).
For Facebook, relying on an adequacy decision by the European Commission is no longer an option for transfers from Ireland to the US. Schrems II saw the invalidation of the Privacy Shield in July with no grace period. Thus, other options will have to be sought for US transfers.
Facebook has a number of intra-group agreements within the Facebook group of companies. This includes a Data Hosting Services Agreement between FB Ireland and FB Inc.[1] Facebook has also admitted that it “relies on SCCs to transfer data to countries outside the EU, including to the United States”. These SCCs likely supplement the Agreement between FB Ireland and FB Inc, and are thus how Facebook justified US transfers prior to Schrems II.
However, reliance on SCCs adopted by the European Commission is now under threat after Schrems II, especially for transfers to the US. The judgment stated that when using SCCs, an assessment must be made of the third country’s legal framework and that the SCCs may require additional supplementary measures to ensure all of the appropriate safeguards required under Article 46. The European Data Protection Board (EDPB) is yet to issue guidance as to what these supplementary measures may look like, particularly those pertaining to data requests from public authorities in third countries.
Even so, Max Schrems argues that, for Facebook, the SCCs would not be a sufficient mechanism. The ECJ in Schrems II made clear that the reason for the US not having data adequacy was because its surveillance laws (the FISA regime) are not in accordance with EU data protection law. Therefore, since Facebook falls under the scope of the FISA regime and thus would be subject to requests from the NSA and others, there are no supplementary measures which could be implemented by Facebook to remedy the inadequacies. As such, transfers to the US cannot take place on the basis of the SCCs.
The IDPC, initially, did not go as far as Schrems, merely stating that transfers to the US on the basis of SCCs were “questionable”. But in its preliminary order, the subject of Facebook’s current lawsuit, it stated that the company should not transfer data to the US. The ECJ made clear that supervisory authorities (SAs) must prohibit transfers to third countries that are not deemed adequate.[2] In addition, the Court also stated that, if the IDPC thinks transfers to the US should be banned across the EU, it can ask the EDPB to issue a binding decision to that effect.[3]
Essentially, the SCCs, at some point, will cease to be a legitimate mechanism for Facebook to use for data transfers to the US. The last option for Facebook is therefore Article 49 and the derogations. However, this is unlikely to be a viable alternative.
Facebook could argue that the delivery of its services constitutes a contract between itself and its users. In its privacy policy, Facebook states that one of the legal bases it relies on to process personal data is that the processing is necessary to fulfil its terms of service. The policy also states that transfers of data outside of the EU form part of the processing necessary to deliver its services. Even the ECJ in Schrems II seemed to implicitly concur with this argument, stating in the background facts of the case that “[a]ny person residing in the European Union who wishes to use Facebook is required to conclude, at the time of his or her registration, a contract with Facebook Ireland”.[4]
With that being so, Facebook could attempt to rely on Article 49(1)(b) to justify transfers to the US on the basis that such transfers are necessary for the performance of the contract that it has with its users. However, the EDPB guidance on Article 49 would not support such a proposition. It refers to Recital 111 of the GDPR, which states that transfers made on a contractual basis must be both “necessary” and “occasional”. It is the second requirement that Facebook would struggle with the most: for the transfer to qualify as “occasional”, the transfer cannot be “regularly occurring within a stable relationship”. If it is, then it would be regarded as “systematic and repeated” and hence not occasional for the purposes of Recital 111.
Given how Facebook operates its service across its multiple global data centres, in terms of their inherent interconnectedness and the constant transfers taking place between them, the company would find it quite difficult to show that it can rely on Article 49(1)(b) for data transfers to the US. Facebook is therefore running out of options for data transfers.
Buying Time
In early September, The Wall Street Journal (WSJ) broke a story that the IDPC had sent Facebook a preliminary order suspending data transfers to the US. That order, which was sent to Facebook on 28 August, gave the social media company three weeks to respond after which the IDPC would submit a new draft decision to the other concerned supervisory authorities in the EU under the one-stop-shop mechanism (Article 60).
On the same day as the WSJ story, Facebook uploaded a blogpost about how the suspension of data transfers could be detrimental to its business and others. Hence, it urged regulators to “adopt a proportionate and pragmatic approach to minimise disruption” for the many businesses like Facebook who transfer data to the US. Soon after that blogpost, Facebook commenced proceedings against the IDPC in the Irish High Court. The company is seeking a judicial review of the IDPC’s order and there has been a pause on the one-stop-shop process.
In its initial submissions for the case, Facebook argues that the IDPC had acted ultra vires (beyond its powers) and thus unlawfully. The preliminary order and its accompanying letter to Facebook stated that the IDPC had commenced an inquiry on its own accord looking into the data processing activities of the social media company in light of the Schrems II judgment. The inquiry would have addressed, firstly, whether Facebook had complied with Article 46 and, secondly, what the appropriate action of the IDPC should be if Facebook had not complied with Article 46.
However, the draft decision comes to a “preliminary view” that Facebook was not compliant with Article 46 and thus transfers from FB Ireland to FB Inc should be prohibited by the IDPC (under Article 58(2)(j)). Accordingly, Facebook is seeking to challenge the IDPC’s actions on a number of grounds, four of which are particularly noteworthy.
To begin with, Facebook suggests that the IDPC had departed from the investigation procedure that it had outlined in its 2018 Annual Report. In that report, the IDPC detailed the various steps it would take when investigating an organisation’s compliance with data protection law. These steps include a commencement and notification phase, an information-gathering phase, a draft inquiry report preparation phase, and a submissions phase. According to Facebook, by departing from these early phases, the IDPC had deprived the company of the opportunity to provide relevant information and “answer specific questions posed by the IDPC”.[5]
On the second noteworthy ground, Facebook asserts that the IDPC should have waited for the EDPB to issue more guidance on the use of SCCs after Schrems II. Facebook argues that such guidance would constitute a “relevant consideration” for the IDPC’s investigation.[6] This is especially the case given that the IDPC has previously stated that it was “looking forward to developing a common position with [its] European colleagues to give meaningful and practical effect to [the Schrems II judgment]”. Facebook thus points out that the EDPB “will be able to take a global view of reliance on the SCCs across a diversity of organisations” and help the IDPC decide whether Facebook’s particular use of SCCs is in compliance with the GDPR.[7]
In relation to the third noteworthy ground, Facebook contends that it has not been treated equally since there are no other known inquiries being “conducted into transatlantic data transfers on the part of other companies under the [IDPC’s] jurisdiction”.[8] The SCCs “are used by many other companies to transfer data to the US” and thus Facebook should not “be the only entity subjected to investigation, and to face the possible suspension of data transfers to the US”.[9]
The fourth noteworthy ground largely sums up the preceding grounds: “the process which has been adopted by the [IDPC] is not in accordance with [Facebook’s] rights to fair procedures”.[10] In essence, by departing from the established procedure, failing to wait for EDPB guidance, and not treating all companies equally in relation to US data flows post-Schrems II, the IDPC has, in Facebook’s view, acted unfairly and thus unlawfully.
Facebook’s arguments may have been sufficient for the Irish High Court to grant it leave with a hearing in November, but it is possible that an ulterior motive is at play here. Facebook is clearly running out of options to justify transfers to the US and thus potentially faces significant disruption to its business. Thus, the judicial review proceedings against the IDPC are perhaps, more than anything else, an attempt to buy itself some time whilst it scrambles to work out a stable solution for US data transfers.
Light at the End of the Tunnel
So what solution could Facebook be hoping for? For now, there appear to be three ways in which Facebook could escape the stipulations of Schrems II and the IDPC’s enforcement action.
One option is to delay enforcement action long enough for a successor to the Privacy Shield to be agreed and implemented. On August 10, the US Department of Commerce stated that both it and the European Commission “have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield”. Facebook has expressed support for these talks and the possibility of a “Privacy Shield plus”. Thus, much like how Facebook and others sought to quickly rely on the original Privacy Shield after the invalidation of the Safe Harbour, Facebook could be resting its hopes on the agreement of a new framework to justify transfers to the US and move away from its delicate reliance on SCCs. The risk of course is that such a framework is not agreed any time soon, which is likely given the scope of the changes required for it to work and not be struck down by the ECJ again.
Another option for Facebook is to wait for the European Commission to adopt new SCCs (which may be finalised by the end of 2020) as well as guidance from the EDPB on the use of SCCs. Both could reveal a way for Facebook to make its case for US data transfers using some magical legal fudge. Yet, hoping that the Commission and the EDPB would give Facebook enough of a way out may be somewhat ambitious given the inevitable legal wrangling that would otherwise ensue.
A third option is that Facebook pushes for US surveillance law to be amended in conjunction with a new federal privacy law that bridges the gap between the EU and the US on data protection. The recent SAFE DATA Act represents the latest effort by the US to introduce such a law. However, any new legislation must come with the appropriate amendments to US surveillance law, for this remains the primary obstacle to transatlantic data flows as highlighted in both Schrems I and II.
Facebook is not the only one trying to weather the storm though: many other businesses will also be trying to cope with the perplexities of EU data protection and transatlantic transfers, which have become even more precarious than when the Safe Harbour was invalidated five years ago. Who knows what will happen next.
[1] The Data Protection Commissioner v Facebook Ireland and Maximillian Schrems [2016 No. 4809 P.], [para. 31].
[2] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited [2020] ECLI:EU:C:2020, para. 113.
[3] Ibid, para. 147.
[4] Ibid, para. 51.
[5] Affidavit of Yvonne Cunnane in Facebook Ireland Limited v Data Protection Commission (2020), para. 43.
[6] Ibid, para. 69.
[7] Ibid, para. 66.
[8] Ibid, para. 70.
[9] Ibid, para. 72.
[10] Ibid, para. 74.
Other sources:
Ramifications of Ireland’s data transfer order to Facebook could be ‘profound’
Inside Facebook’s massive center storing your personal information
Top Facebook exec pushes back on talk of Europe withdrawal
How Facebook’s Homegrown Data Centers Serve Billions of Users, Now and in the Future
Cassandra solves Optimal Data Placement for Instagram’s Global Scale | DataStax Accelerate 2019