Meta Platforms Inc.’s stern warning of a pullout from Europe may just be the start, as one of the region’s leading privacy watchdogs prepares a move that could cripple transatlantic data flows and risk billions in revenue for tech giants.
Ireland’s Data Protection Authority, which oversees the Silicon Valley tech giants that have flocked to the country, will soon rule on the legality of so-called standard contractual clauses used by Meta, Alphabet Inc. Google and others to lawfully transfer large chunks of user data to the United States for processing.
Privacy experts say the impending decision could eliminate one of the only remaining options for Meta and potentially thousands of other businesses that rely on shipping large amounts of business data across the Atlantic.
The Irish authority has already questioned the legality of the SCCs in an interim opinion, saying they have failed a key test of protecting European citizens from the prying eyes of US agencies.
Such is the tension around the decision, which Meta warned in its latest annual report that it will be “probably unable” to offer services including Facebook and Instagram in the EU if it is unable to. to use CCS.
Facebook generated $8.2 billion in revenue in Europe in the last quarter of 2021, about a quarter of global revenue. While the UK will account for a significant portion of this and will not be impacted by the SCC decision, the region is a serious source of revenue for Meta, beaten only by its home market of the US and Canada.
There is no easy workaround. Storing data in Europe may not be possible for any service based on customer interactions across the world, from gaming to video streaming, as European data rules track a person’s information wherever it is. are found.
Meta’s business model, like Alphabet’s Google, relies on collecting enough data to discern what users might be interested in or want to buy, and to serve them relevant advertising. The company is already hobbled by European privacy rules and a ban on SCCs would likely make its business model more expensive and less efficient to run.
“What’s at stake here are all data transfers to the United States and the services that depend on it,” said Johannes Caspar, an academic who recently resigned from his post as one of Germany’s top regulators. of data protection.
Despite its latest comments in its annual report that it would be “probably unable” to offer Facebook and Instagram in Europe if regulators decided SCCs weren’t feasible, Meta also said – most recently in a blog post that he was “not threatening to leave at all”. Europe,” a plea that Nick Clegg, now Meta’s chief policy officer, originally made in September 2020.
“The continued uncertainty over data transfers is impacting a large number of businesses and organizations in Europe and the United States,” a spokesperson for Meta said in an emailed comment.
“The simple reality is that we all rely on data transfers to operate global services. We need a long-term solution to EU-US data transfers to keep people and economies connected and to protect transatlantic trade,” they said.
Google pointed to a January blog post from Kent Walker, its head of global affairs, which called for a speedy end to the impasse over replacing an EU-US privacy pact that was overturned by the most EU’s top court in 2020 due to long-standing fears that citizens’ data was not immune from US surveillance.
“The stakes are too high – and international trade between Europe and the United States too important to the livelihoods of millions of people – not to find a quick solution to this looming problem,” he said. declared.
The data transfer controversy dates back to 2013, when Edward Snowden exposed the extent of espionage by the US National Security Agency.
A surprise ruling in 2020 by the EU’s highest court overturned the so-called Privacy Shield, a transatlantic transfer pact, following long-standing fears that citizens’ data may not be safe from American surveillance.
But while the separate, contract-based system has been maintained, doubts from the EU Court of Justice over US data protection have already made it a shaky alternative.
“For many companies, it is next to impossible to fully comply” with the 2020 EU court ruling, said Tom De Cordier, technology and data protection lawyer at CMS DeBacker in Brussels. “So it’s often a case of mitigating the compliance risks of your data rather than trying to be 100% compliant.”
If the Irish authority doubles down on its provisional opinion on contract terms, the doomsday scenario for Meta and its rivals of a technology blackout has begun to emerge.
The Irish authorities’ decision “could now be a precedent that would turn the whole situation upside down,” Caspar said. “It’s up to American politicians to avoid throwing their tech industry into chaos.”