Already facing multiple serious challenges, Facebook’s problems may soon be growing as the Irish Data Protection Commission (DPC) is about to issue a draft decision that will determine the fate of its EU-US data transfers.
The issue has been up in the air for some time, but Facebook has just received a draft decision from the Irish DPC and has four weeks to file comments on it before it is sent on to Europe’s other data protection authorities (DPAs) in April for a final decision. The draft decision is confidential at present, but public statements on the matter by Meta indicate that the DPC has decided to suspend Facebook’s EU-US data transfers.
Meta indicates loss of EU-US data transfers could end its presence in Europe
The whole issue traces back to the Schrems II decision of two years ago, in which the EU’s highest court determined that the US was an “inadequate” data transfer partner in the view of General Data Protection Regulation (GDPR) rules.
The issue extends beyond just Facebook; whatever the Irish DPC has decided could have ramifications for all EU-US data transfers, but a special focus has been put on Facebook by Max Schrems and his privacy group noyb. Noyb’s complaints in the wake of the 2020 high court decision led to an initial provisional order to Facebook to stop EU-US data transfers, but that was frozen by Facebook upon appeal before being upheld in a decision in May of last year.
Meta is also particularly vulnerable given that it relies almost entirely on revenue from targeted advertising. It has already taken substantial losses due to Apple’s privacy changes, which have put the majority of that market beyond its reach for ad tracking purposes.
All of this has led Meta to issue statements indicating that a stoppage of EU-US data transfers would be “devastating” to its business and could cause it to pull services from the region, even specifically naming Facebook and Instagram as products that could become inaccessible to residents of the EU.
Facebook received the notice of the draft decision on February 22 and has 28 days to respond with comments, at which time the Irish DPC will take the issue to other EU data protection authorities to review. This process is expected to begin in April, and a final decision could come as soon as May.
Meta’s prospects in Europe if EU-US data transfers are suspended
Several pieces of indirect evidence indicate that Meta is bracing for its EU-US data transfers to be banned when the review process comes to an end. Calls with investors since the beginning of the month have made a point to highlight the impact of regulation on expected future growth. There have also been statements to the media, in which Facebook representatives have stressed the damage expected if EU-US data transfers become impossible for the company.
There are also recent decisions against other ad tech companies in the business of harvesting vast quantities of personal information, most notably the judgment by France’s CNIL against Google Analytics earlier in February. If Ireland comes down on the side of banning Meta’s EU-US data transfers, there is a general expectation that there will be no major dissent from the EU’s other DPAs based on their general patterns of decisions.
Companies engaging in EU-US data transfers have continued to do business either via stronger standard contractual clauses (SCCs), beefed up to require additional security such as encryption, or by relocating data processing inside the EU. Facebook is in a tougher position than most in terms of pivoting in this way. One of the key problems for Facebook is that even beefed-up SCCs are not adequate due to laws on the books in the US guaranteeing government access to the information it collects, something that can really only be solved by new federal-level laws. Several attempts at getting a GDPR-equivalent privacy law in place in the US have been floated in recent years, but some sort of major distraction always seems to come along: first Covid-19, then a highly contentious 2020 election, then the massive infrastructure bill, and most recently war in Ukraine.
There has been some regulation of this nature in the US at the state level, most notably the California Consumer Privacy Act (which Silicon Valley-headquartered Facebook is subject to). But a GDPR-equivalent regulation would need to emerge at the federal level, and would need to at minimum forbid US intelligence agencies from gathering up the data of Europeans outside of the context of legally allowed criminal investigations (and provide them with some form of redress should their personal data be misused).
Mandar Shinde, privacy attorney and COO of Blotout, expects a period of growth in US state-level regulations before a federal effort emerges: “In this case (Facebook was) harvesting facial recognition patterns without permission, but we’ve seen a number of these cases for things like sending text messages without consent (e.g., class actions against cannabis companies in Florida), etc. We’ll expect these to proliferate as laws get stronger, get enforced, and the scope of potentially problematic activities increases … The European context is much more explicit because there are clear privacy laws; so a lot of the headlines are about cases that clarify their interpretation. In the U.S., you have a hodgepodge of legislation (state, federal; differing purposes/origins), so the laws that trigger these actions will be much more varied.”