Image: © Ralf/Stock.adobe.com
A legal quagmire around the transfer of EU data to US servers has prompted Meta to consider the future of Facebook and Instagram in Europe.
Meta has said that it may have to pull Facebook and Instagram from the EU market if regulation around data transfers between Europe and the US does not come to fruition soon.
In its annual report to the US Securities and Exchange Commission filed last week, Meta said that it would “likely be unable to offer” some of its major services if a framework is not drawn up to allow the transfer, storage and processing of data from its European users in US-based servers.
The statement comes amid a wider data protection and privacy debate about transatlantic data flows. The Schrems II case in 2020 struck down Privacy Shield, a data privacy tool that allowed for the transfer of European data to US companies, and said transfers of personal data from the EU could only take place if there is a sufficient level of protection.
Later that year, the European Commission and the US Government started negotiations on a successor arrangement to the Privacy Shield that would comply with the court’s ruling. But an agreement has yet to be finalised.
EU data protection law allows the free movement of personal data within the European Economic Area and between certain other countries that are deemed to offer adequate protection for personal data, such as Canada and Japan.
The EU does not consider US data protection to be adequate, and so data transfers can only take place through mechanisms such as the standard contractual clauses used by companies including Google and Facebook.
In August 2020, Ireland’s Data Protection Commission said Facebook’s use of standard contractual clauses in respect of European user data does not comply with GDPR, and proposed that the company may have to cease EU-US transfers. The Irish watchdog is expected to issue a final decision in the first half of 2022.
Meta’s response
Meta is worried that in the absence of a data protection arrangement such as Privacy Shield, or Safe Harbour before it, and if it is unable to rely on standard contractual clauses or alternative means of data transfer, there would be an impact on its data-reliant business.
Nick Clegg, vice-president of global affairs and communications at Meta, said in a statement received by CityAM that a lack of legal international data transfers would damage data-driven companies, both big and small, “just as we seek a recovery from Covid-19”.
“In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones,” he said.
In response to reports that Facebook and Instagram could be pulled in the EU, a Meta spokesperson has said that while the company has “absolutely no desire” to withdraw from Europe, “businesses need clear, global rules to protect transatlantic data flows over the long term”.
“Meta, and many other businesses, organisations and services, rely on data transfers between the EU and the US in order to operate global services,” the spokesperson added. “Like more than 70 other companies across a wide range of industries, we are closely monitoring the potential impact on our European operations as these developments progress.”
‘Theoretical risk’ not enough
Meta is not the only Big Tech company worried about the current lack of a data transfer deal between the EU and US. The Austrian data protection authority, DSB, recently found that the use of Google Analytics by an Austrian website did not comply with EU data protection law.
The DSB concluded that measures put in place to protect personal data transferred to the US via Google Analytics, such as encryption, were not sufficient to address that risk of privacy infringement by US intelligence agencies.
Kent Walker, president of global affairs at Google, expressed his concern in a blog post saying that in the 15 years Google Analytics has been around, the company “has never once received the type of demand [from US authorities] the [DSB] speculated about”.
“If a theoretical risk of data access were enough to block data flows, that would pose a risk for many publishers and small businesses who use the web and highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem,” he said.
While this does not mean Google Analytics will be shut down in the EU any time soon, the ruling could potentially be replicated in other EU member states and, in the absence of a solution to the data transfer deadlock, cause US businesses operating in Europe to take drastic steps.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
