Citing sources familiar with the matter, The Wall Street Journal reported Wednesday that Ireland’s Data Protection Commission sent the preliminary order to Facebook late last month, asking for the company’s response.
The move marks the first significant step EU regulators have taken to carry out a July ruling about data transfers. The decision limited how technology companies such as Facebook can send personal information to American soil after determining Europeans lack an effective way to challenge U.S. government surveillance, the Journal said.
To comply, Facebook would likely be required to re-engineer its service and compartmentalize most of the data it collects from European users.
In a blog post published Wednesday, Facebook's head of Global Affairs, Nick Clegg -- a one-time member of the British parliament-- wrote that the data commission had begun an inquiry into Facebook’s data transfers.
The Irish panel's order isn't yet final, Clegg noted, but "could have a far-reaching effect on businesses that rely on standard contractual clauses and on the online services many people and businesses rely on."
If the social media giant fails to comply, Ireland’s Data Protection Commission has the authority to fine Facebook up to $2.8 billion, or 4% of its annual revenue, the Journal noted.
The action is a victory for European privacy activists, who have haggled in court for almost a decade about storing European data in the U.S.
The order also serves as a warning for other large U.S. companies that operate in Europe. The Journal's source said such firms may be faced with similar orders in the near future, raising questions about whether American surveillance laws would be put on the chopping block.
Blocking data transfers from Europe to the U.S. could upend billions of dollars of trade, the newspaper reported.
The data commission told Facebook it plans to send a new draft of the order to the 26 privacy regulators in other EU countries for joint approval. Ireland's commission leads EU privacy enforcement for Facebook because it has its regional headquarters in the country, the Journal said.
While Facebook could potentially challenge the order in court, the European Commission and U.S. officials have started negotiations to establish a new system for companies to send data on Europeans to the U.S.
That said, the U.S. has asserted that its surveillance practices are proportionate, the Journal said.
This isn't the first time trans-Atlantic data flows have come under scrutiny. In 2015, the bloc's top court invalidated a major legal mechanism for transferring data, though no company faced a specific order.
It is illegal for a company to send personal information about EU residents to another part of the world that doesn't have comparable privacy protections. The U.S. has sector-specific regulations, but no national data-privacy law.