The Standard Contractual Clauses under which the transfers occur may no longer be valid after the demise of Privacy Shield.
The demise of Privacy Shield put data transfers at risk: In July 2020, the European Court of Justice (ECJ) invalidated the Privacy Shield framework under which the US was recognised as a safe destination for EU personal data. Since then, companies have continued to transfer data between the EU and the US thanks to the Standard Contractual Clauses approved by the EC in 2010. The ECJ maintained that these clauses continue to be valid; however, their validity could no longer be considered automatic.
Ireland asks Facebook to suspend transfers: On 9 September 2020, Facebook confirmed that the Irish Data Protection Commissioner (DPC) had commenced an inquiry into the company's data transfers from the EU to the US, and had asked it to suspend the transfer of such data. Following the DPC’s concerns, the company said it had added further safeguards such as data encryption. However, the DPC maintains that the use of those clauses is still illegal because the US now lacks privacy protections. Facebook disagrees, saying Europe’s data protection agencies must offer guidance on how these clauses can be tweaked to comply with EU privacy law, and warns of a potentially highly disruptive effect on small and large businesses across multiple sectors.
Uncertainty is looming: It is expected that the company will challenge the DPC’s decision in court. After the demise of Privacy Shield, US and EU authorities started working on a new data-sharing deal, but finalising a new agreement is likely to take time, and US authorities appear unwilling to embrace European privacy standards.