Meta faces push from EU regulators to delete data transferred to US since Schrems II ruling

Meta Platforms faces a regulatory push to have to delete data that it has transferred from the EU to the US since the watershed "Schrems II" ruling in July 2020, MLex has learned.

At least two European data protection authorities are seeking to get the deletion order — which would apply from July 2020 up to the date the new EU-US Data Privacy Framework enters force — added to major EU enforcement against Meta over its data transfers to the US, MLex understands.

They are pushing for the order via the General Data Protection Regulation’s “dispute resolution mechanism,” which is used when the bloc's privacy watchdogs can’t agree on the final outcome of a cross-border case.

The Irish Data Protection Commission's enforcement against Meta, in relation to its transfers of data from the EU to the US, is currently going through that process. The case, which deals with the transfer of user data by Meta's Facebook social-media platform, is due to be formally completed by mid-May.

In dispute resolution cases, the final decision is made by the European Data Protection Board, the umbrella group for national data regulators.

The EDPB has heard objections and suggestions from data protection authorities on the Irish regulator’s original decision, and is now in the process of making its ruling. At least two authorities have separately urged it to add deleting data to its final order, MLex understands.

What the board will conclude isn't clear, but the Irish regulator’s previous stance indicates it believes Meta cannot legally transfer EU data to the US using standard contractual clauses, or SCCs.

The EU Court of Justice struck down the EU-US Privacy Shield data transfer deal in a ruling in July 2020 that backed Austrian privacy activist Max Schrems, and the following month the Irish DPC said in a preliminary decision that Facebook couldn't use SCCs to underpin transfers. The company later failed in a court challenge of that decision.

The EDPB isn't obliged to follow the suggestions of other regulators, such as the request that Meta be ordered to delete data. But it has recently made several decisions in Irish enforcement cases against Meta that were much tougher than the Irish regulator originally proposed.

An order to delete data would likely involve significant logistical and practical difficulties for Meta, and would add a particularly onerous element to enforcement that Meta has already said could lead it to shut down some of its EU operations — although it has recently tempered that position due to the proposed new EU-US data-flows pact.

For example, it’s not clear how Meta would decide which data would be deleted. The company has data centers in Europe, and personal data on Facebook is constantly being accessed and exchanged between the EU and US, so untangling what would be covered by a deletion order would be very complicated.

A Meta spokesperson said: “This case relates to a historic conflict of EU and US law, which is in the process of being resolved via the new EU-US Data Privacy Framework. We welcome the progress that policymakers have made toward ensuring the continued transfer of data across borders, and await the regulator’s final decision on this matter.”