The Schrems II ruling that invalidated the US-EU “Privacy Shield” data transfer agreement has caused chaos at American companies as they scramble to find ways to legally continue processing the personal data of EU residents. It appears that for some, including the biggest names in tech, the possibility of pulling out of Europe entirely is not off the table.
This possibility was raised due to a mid-September Facebook court filing in Dublin, in which the company’s associate general counsel indicated that it may not be able to continue to operate in the region in the event of a complete data transfer suspension. Facebook was quick to do damage control, issuing a statement that it was “not threatening to withdraw from Europe” over the issue. That statement does not absolutely preclude the possibility, however, and it leaves one to wonder how many companies (of all sizes) might consider doing the same.
Could data transfer terms cut Europe off?
The statement from the Facebook associate general counsel appeared to make the EU pullout contingent on the Irish Data Protection Commission (DPC)’s enforcement decisions. Facebook appeared to be stating that if a full data transfer ban is enforced by the DPC, the company would have to seriously consider pulling up its stakes in Europe.
Facebook’s later statement characterized this position as a “simple reality.” The company stated that an inability to perform “safe, secure and legal international data transfers” could leave it in an untenable position that it would have no better option but to retreat from.
Should Facebook opt to pull both its core services and Instagram from the EU over the data transfer flap, it would be abandoning a market of about 410 million users. Thus far the enforcement action is limited to a preliminary order issued in early September, which Facebook is challenging in the Irish court. Facebook is alleging unfair terms (such as an inadequate amount of time to respond to the decision) and bias in singling out the social media giant. A judge recently issued a stay on the data transfer ban as Facebook’s legal challenge proceeds.
It seems highly unlikely that Facebook would simply abandon a market of this size; while it would certainly be a significant added expense, the option of shifting EU resident data processing to exclusively EU facilities still exists (and is something that the company can readily afford with $70.7 billion in annual revenue). Facebook VP Nick Clegg appeared to acknowledge that in a recent policy debate, stating that the company was not actively seeking to end its services in the EU and that it was committed to its “customers and small and medium sized businesses in Europe.” But while Facebook and similar tech giants have the means to reorganize in this way, smaller companies that rely heavily on personal data transfers may reach the conclusion that the only viable option is to leave.
Data transfer solutions being considered
Clegg also alluded to the fact that, given the pending complete invalidation of standard contractual clauses (SCCs) as a valid legal framework, the only political answer to the Schrems situation would be for the US government to pass a federal data privacy law. Any such new law would need to address the EU concerns about US intelligence tapping into data transfers and would need to achieve parity with the standards of the General Data Protection Regulation (GDPR). As Clegg pointed out, this issue has been taken up by Congress and has significant bipartisan support but stalled out earlier this year due to a combination of the Covid-19 crisis and the pending election. Any such law is not expected to be seriously addressed until the next presidential administration is determined, leaving a period of at least some months before this rescue scenario could potentially play out.
In the interim, the European Commission is considering new data transfer solutions that could be immediately implemented. A leading early candidate is the “model clause,” which is a method already in use for data partners in non-trusted countries outside of the EU. This proposed solution could end up being contentious and confusing, however, as it would be up to each of the EU’s 27 data protection authorities to determine for themselves if model clauses can be used in their jurisdictions.
Some observers have speculated that the fallout from the landmark ruling will put pressure on governments around the world to fast-track new privacy regulations that meet the GDPR standards, ensuring that they have “trusted partner” status. It remains to be seen if this hypothesis will be proven correct, but quick moves in this direction by the US in 2021 would certainly lend a great deal of credence to the theory. In the meantime, the primary focus appears to be on delaying tactics in the EU courts and the possibility of the European Commission coming up with something that is at least a temporary stopgap measure.