A European Union privacy regulator has sent Facebook Inc. a preliminary order to suspend data transfers to the U.S. about its EU users, according to people familiar with the matter, an operational and legal challenge for the company that could set a precedent for other tech giants.
The preliminary order, the people said, was sent by Ireland’s Data Protection Commission to Facebook
late last month, asking for the company’s response. It’s the first significant step EU regulators have taken to enforce a July ruling about data transfers from the bloc’s top court. That ruling restricted how companies like Facebook can send personal information about Europeans to U.S. soil, because it found that Europeans have no effective way to challenge American government surveillance.
To comply with Ireland’s preliminary order, Facebook would likely have to re-engineer its service to silo off most data it collects from European users, or stop serving them entirely, at least temporarily. If it fails to comply with an order, Ireland’s data commission has the power to fine Facebook up to 4% of its annual revenue, or $2.8 billion.
Nick Clegg, Facebook’s top policy and communications executive, confirmed that Ireland’s privacy regulator has suggested, as part of an inquiry, that Facebook can no longer in practice conduct EU-U.S. data transfers using a widely used type of contract.
The preliminary order is a victory for European privacy activists, who have been arguing before regulators and in court for the better part of a decade that their data shouldn’t be sent to or kept in the U.S. because it could be turned over to the government under secret requests.
Also popular on WSJ.com: