In the wake of the Irish Data Protection Commission’s decision, there have been reports in the press that Meta could leave Europe because of the uncertainty over EU-US data transfers. The company has repeatedly denied this but does not refute that if there is no alternative to the old system, they will not be able to operate unhindered in Europe. Analysis.
Back in the six months between 7 June 2018 and 4 December 2018, the Irish Data Protection Commission launched an investigation into twelve data breaches. As a result, Meta was fined €17 million in administrative fines for GDPR violations in March. This was followed by a DPC order on 7 July threatening to block the transfer of data of EU Facebook and Instagram users to the US. The regulation stems from a court ruling declaring that the data of European users of Facebook and Instagram cannot be transferred to the US because the services are subject to US laws that give supervisory bodies access to certain data of international users.
But the reality is that Meta relies on data transfers between the EU and the US to run its global services. And they are not alone. At least 70 other companies from a wide range of industries, including ten European businesses, have raised the risks associated with data transfers in their revenue reports. DPC chief executive Helen Dixon told Reuters in February that a shutdown of Meta’s data traffic would not immediately affect other big tech companies, but potentially “hundreds of thousands of organizations” would need to be investigated.
Meta has been at the center of the controversy because it was the subject of a lawsuit that led to a 2020 ruling by the European Union’s top court, the European Court of Justice, which invalidated a key data-sharing agreement between the European Union and the United States. The court said the agreement, known as Privacy Shield, was illegal because it did not protect privacy from US spying. In its ruling, it also made it difficult to use another legal instrument, the Standard Contractual Clauses (SCC) used by Meta and several other US companies to transfer personal data to the US. The decision means that Facebook will also be forced to stop using SCCs.
“Unless a new transatlantic data transfer framework is adopted and we can continue to rely on SCCs or other alternative means of transferring data from Europe to the US, we will likely not be able to offer many of our most important products and services, including Facebook and Instagram, in Europe,” Meta said in a statement filed with the US Securities and Exchange Commission in March this year.
Ireland is responsible for regulating Meta’s data practices in Europe, as the company’s EU headquarters are based in Dublin. Data protection regulators in other EU countries have one month to object to Ireland’s regulation. Meta can also appeal the ruling in court. The draft regulation, submitted on Thursday, applies only to Facebook and Instagram, not to other Meta services such as WhatsApp, which has a different data controller within the group.
A DPC spokesperson said in an interview that they would extend stricter regulations not only to US-based Meta, but also to the Chinese platform TikTok by ByteDance, because their investigations found that it also fails to properly handle the personal data of minors, and processes and transfers it to China in the same way as it does with data from adult users, TechCrunch reports.
Looks like they’re not leaving the EU
There have been reports in the press that Meta is threatening to leave Europe due to uncertainty over EU-US data transfer mechanisms. According to the tech giant in question, this is not true. Like all listed companies, they have a legal obligation to disclose key risks to their investors. International data transfer is the bedrock of the global economy and supports many of the services that underpin our daily lives. In addition, of course, Meta wants the internet to continue to work as they believe it was intended, not constrained by national borders.
t is unlikely that Meta will let go of the European market, which provides a significant proportion of its revenues and users. European revenues were around $29 billion in 2021. Of course, the US is still the most important market for Facebook, with almost twice the revenue, but around 25 percent of total sales come from Europe. Add to this the fact that in 2021, around 307 million people in Europe used Facebook, and 338 million used Instagram. These are not the small numbers that a tech giant could let go of so easily.
The EU won’t leave Big Tech companies alone
This legal dispute is not the only one affecting Meta’s services in the EU. We’ve previously written more about the Digital Services Act, which will come into force in early 2023. The new rules will set out obligations, duties, and prohibitions for big tech companies that the EU says restrict competition and that they will have to comply with in their day-to-day operations.
The Digital Marketplaces Act aims to tackle unfair practices by large gatekeepers with significant economic power that provide essential platform services and to address the lack of competition in the digital sector while leaving gatekeepers with every opportunity to innovate.
However, if a gatekeeper fails to comply in the future, the Commission can impose fines of up to 10% of the total worldwide turnover of their previous financial year, and 20% for repeated infringements. In the case of repeated infringements, the Commission can ban them from acquiring other companies for a period of time. Facebook is already used to these fines, but they will make Facebook less and less motivated to maintain or even improve its services on the continent.
Could it come into force as early as the end of the summer?
If no objections to the DPC’s draft decision are received by the relevant EU data protection authorities within four weeks, i.e. by early August, the decision will become binding. This case is still at the cooperation level and the European Data Protection Board (EDPB) is not involved at this stage. The EDPB can only be involved after the cross-border case has been raised to the Board level, following the dispute resolution procedure. Unless the situation is further complicated, draft decisions are generally not discussed at the level of the EDPB, nor are decisions adopted.