The Schrems II decision by the European Union’s Court of Justice rendered the EU-US Privacy Shield useless as the court felt that the Privacy Shield did not effectively protect EU data from spying by the US government. In the wake of that decision, entities looking to transfer data outside of the European Union are left with essentially three options: model clauses, binding corporate rules, or being located in a third country that has received an adequacy decision from the European Union. Even with these other transfer mechanisms, it may still be necessary to demonstrate how a given entity will keep European data secure and shield it from US spying. Facebook is now challenging the ruling and its law firm has filed a judicial review action with Ireland’s data commissioner (which makes sense, as Facebook’s presence in the EU is based out of Ireland).
Facebook appears to be trying to find some alternative that would allow it to continue to transfer data out of the European Union without relying on the existing transfer mechanisms, as Facebook is subject to data requests from the US government. What solution Facebook is hoping to find is unclear, as the Shcrems II decision found that the Privacy Shield did not adequately protect against US government spying. Facebook appears to be trying to assert that there is a middle ground that will allow it to continue to transfer data without telling the US government “no” which may land it in hot water in the US.