Already shaken, Meta’s fate in Europe could be decided by a draft decision on EU-US data transfers scheduled for the end of March

Already facing multiple serious challenges, Facebook’s problems could soon escalate as the Irish Data Protection Commission (DPC) is set to release a draft decision that will determine the fate of its data transfers between the EU and USA.

The question has been in the air for some time, but Facebook has just received a draft decision from the Irish DPC and has four weeks to file comments on it before it is forwarded to the other European data protection authorities (DPAs) in April for a final decision. The draft decision is currently confidential, but Meta’s public statements on it indicate that the DPC has decided to suspend Facebook’s EU-US data transfers.

Meta says loss of EU-US data transfers could end its presence in Europe

The whole issue goes back to the Schrems II ruling two years ago, in which the EU’s highest court determined that the US was an “inadequate” data transfer partner under the rules of the General Data Protection Regulation (GDPR).

The problem goes beyond Facebook; whatever the Irish DPC has decided could have ramifications for all EU-US data transfers, but particular attention has been given to Facebook by Max Schrems and his privacy group noyb. Noyb’s complaints following the 2020 High Court ruling led to an initial interim order to Facebook to stop EU-US data transfers, but this was frozen by Facebook on appeal before being confirmed in a decision in May last year.

Meta is also particularly vulnerable given that it relies almost entirely on targeted advertising revenue. It has already suffered substantial losses due to Apple’s privacy changes, which put the majority of this market out of its reach for ad tracking purposes.

All of this has led Meta to issue statements indicating that a halt to EU-US data transfers would be “devastating” to its business and could cause it to pull services from the region, even specifically naming Facebook and Instagram as products that could become inaccessible to EU residents.

Facebook received notification of the draft decision on February 22 and has 28 days to respond with comments, at which time the Irish DPC will refer the matter to other EU data protection authorities for review. This process should begin in April and a final decision could be made as early as May.

The outlook for Meta in Europe if EU-US data transfers are suspended

Several pieces of circumstantial evidence indicate that Meta is preparing for a ban on its EU-US data transfers at the end of the review process. Investor calls since the beginning of the month have emphasized the impact of regulation on expected future growth. There have also been statements to the media, in which Facebook representatives have highlighted the expected damages if data transfers between the EU and the US become impossible for the company.

There are also recent rulings against other ad tech companies in the area of collecting large amounts of personal information, including France’s CNIL ruling against Google Analytics earlier in February. If Ireland takes the side of banning EU-US data transfers from Meta, it is generally expected that there will be no major dissent from other EU DPAs based on their general decision patterns.

Companies that transfer data between the EU and the US have continued to do business either through stricter Standard Contractual Clauses (SCCs), strengthened to require additional security such as encryption, or by transferring the data processing inside the EU. Facebook is in a tougher position than most in terms of pivoting in this way. One of Facebook’s biggest problems is that even the hardened SCCs aren’t adequate due to laws in the United States guaranteeing government access to the information it collects, which really can only be solved by new laws at the federal level. There have been several attempts to implement a GDPR-equivalent privacy law in the US in recent years, but some kind of major distraction always seems to occur; first Covid-19, then a very contentious election in 2020, then the huge infrastructure bill and, most recently, the war in Ukraine.

There has been some such regulation in the US at the state level, including the California Consumer Privacy Act (to which Facebook, headquartered in Silicon Valley, is subject). But regulation equivalent to the GDPR should emerge at the federal level and should at a minimum prohibit US intelligence agencies from collecting Europeans’ data outside the context of legally authorized criminal investigations (and provide them with some form of redress in case of misuse of their personal data).

Mandar Shinde, Privacy Lawyer and Chief Operating Officer of will erase, sees that there was a period of growing regulations at the US state level before a federal effort emerged: “In this case (Facebook was) harvesting facial recognition patterns without permission, but we’ve seen a number of these cases for things like texting without consent (e.g. class action lawsuits against cannabis companies in Florida), etc. are clear privacy laws; so a lot of the headlines are about cases that clarify their interpretation. In the US you have a hodgepodge of legislation (state, federal; different purposes/origins) so the laws that trigger these actions will be much more varied.”

About Roberto Frank
