Skip to content

We speak to Ciara Fitzgerald, Legal Counsel at Ward Solutions, to learn how the Irish Data Protection Commissioner’s (DPC) data transfer ruling against Meta/ Facebook could impact companies across Europe. 

What’s happened?

The DPC has issued a preliminary decision to Facebook’s parent company, Meta, that could stop the company from transferring data from Ireland to the US, as reported by the Irish Times last week.

This could have a knock-on effect for all companies since web services created by US companies, or that are hosted in the US, are so common. “The DPC hasn’t published details of the decision. It is with Meta for a response first and then the decision goes to the other supervisory authorities in the EU. Once the decision has been published, we’ll know to what extent this will impact the wider business community but it is a significant step to take,” explains Ciara.

What does this mean for companies transferring data to the US?

We don’t know yet. It depends on the response of the other Data Protection Authorities and why the DPC has decided Facebook can’t transfer data. If it comes to light that the DPC is stopping Meta from transferring data because of security concerns, for example, it will impact us all, Ciara adds: “The US government has broad powers to request access to data. If Meta can’t put the safeguards in place to keep the DPC and other regulators happy, then what chance does a small business have?”

On the flip side, the DPC’s role in this is to protect personal data, as Hylton Stewart, Information Security Manager at Ekco, explains, “The GDPR has always been out protecting personal data and raising the bar for data protection in general. Since the US regulations are far behind the GDPR, it seems the regulators feel that they have no choice but to be more restrictive to force a change in the policy of foreign regulation.”

Adding to this, Ciara says that a blanket ban would be damaging for all businesses: “We need a nuanced approach that recognises that some data is very important, very sensitive and needs to be encrypted and so on. But then there’s other data, you know, that the US Government simply won’t care about and isn’t hugely sensitive. All of that needs to be considered.”

What should IT teams do at this stage?

For now, we wait and see. “Even once we have more information,” Ciara says, “it’s not going to be possible for every individual company to fix this themselves. We’re all in the same boat. We need a broader solution between the EU and US so that business isn’t disrupted.”

With 101 Google Analytics cases in review across Europe right now, there will be lots more decisions across the EEA over the next year that will impact the outcome. “Every couple of months,” adds Ciara, “there’s a change in the law. So it’s very hard for businesses to know what to do at the moment!”

“This is a solution that needs to be created at government level but, realistically, if the DPC progress this, they’ll have to move things forward pretty quickly.”

At Ekco, our managed backup and security solutions ensure the security and integrity of your business’s most valuable asset – data. Contact us today to speak with a local specialist. We’re always happy to help.

Our specialists have the answer