In support of this decision, Hamburg’s Commissioner, Johannes Caspar, explicitly mentioned some of the major privacy failures of Facebook. These included Cambridge Analytica, and the recent leak of 533 million personal data profiles. Caspar singled out one concern in particular: using profiling to influence voter decisions in order to manipulate democratic decision-making processes. “With nearly 60 million users of WhatsApp [in Germany], the danger is all the more concrete in view of the upcoming federal elections in Germany in September 2021, which will create desire to influence voters on the part of Facebook’s ad customers”, according to the Hamburg Commissioner. The press release concludes:
Due to the limited duration of the order in the emergency procedure of only three months, the HmbBfDI will bring this case to the European Data Protection Board (EDPB) in order to facilitate a binding decision at European level.
That’s a slap in the face for the Irish Data Protection Commission, implicitly criticizing it for not taking the initiative and prohibiting Facebook from using WhatsApp data across the whole of the EU. Someone who will doubtless be delighted by Hamburg’s act of rebellion is the privacy expert Max Schrems. As previous blog posts have explained, Schrems has been engaged in a battle with Facebook over its transfers of personal data across the Atlantic, something that Schrems believes contravenes the GDPR. Part of the problem is once more that it falls to the DPC to investigate this and impose fines where necessary.
As we reported last September, after seven years, Schrems’ original complaint to the DPC about Facebook’s data transfers has still not been decided. Moreover, the Irish data protection authority opened a second investigation into another aspect of transatlantic data flows. Schrems’ fear was that the DPC would get sidetracked with this new action, rather than coming to a decision about the old and arguably more important one. Schrems announced that he would seek an interlocutory injunction to ensure that the DPC takes action on all the alleged legal bases relied upon for data transfers by Facebook.
Last week, there was an important development in this long-running saga. Facebook had tried to get the second investigation thrown out, but the Irish High Court has refused. This means that the DPC can proceed with that work. Just as importantly, Schrems and the DPC have come to an agreement over the first investigation. In the settlement, the DPC pledged to run the complaints procedure swiftly once the High Court had made its ruling, and to allow Schrems to participate in the second investigation. According to the press release from Schrems’ organization NOYB.eu, he now expects a swift decision on Facebook’s EU-US transfers. He notes that any national decision by the DPC would probably need to be approved by the European Data Protection Board, which oversees data protection in the EU. Schrems seems confident about the outcome of the DPC’s investigations, and believes that the impact will be dramatic:
We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer. This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the US to change its surveillance laws.
Since the latter is unlikely, it could be that other companies currently transferring personal data of EU citizens to the US may also need to start thinking about holding the data locally – something they are keen to avoid.
Featured image by Facebook.