It’s 2022, and with a new year comes new opportunities to look at the world through a data protection lens. To kick things off, News has broken Facebook’s parent company Meta is threatening to cut off its main consumer services like Facebook and Instagram from customers in the EU.
Unlike last year’s piece-meal banning of news content in Australia, this would be a cataclysmic withdrawal of the services entirely. Is this realistic? Could it really happen? Are there any wider implications? These are some of the questions on our minds.
It’s not the first time that media giants have made threats, but Meta stands to lose billions of dollars of advertising revenue if it did so. Underneath all this bluster is a real risk to the company, as well as many other companies looking to process personal data in the United States.
EU-US Data Sharing: A History
The history of data sharing with the US is complicated and has seen several upheavals.
There was once a protocol called ‘Safe Harbour’ a set of principles that governed the exchange of data between the United States of America and the European Union, but the European Court threw it out in 2015, as it didn’t offer the level of protection that the Data Protection Directive (the forerunner of GDPR) demanded.
This caused a multitude of difficulties. So in 2016, the EU-US Privacy Shield was rather hastily erected to replace Safe Harbour. However, this European Courts struck this down in 2020, thanks to campaigning from Austrian activist Max Schrems.
With Safe Harbour gone, and the Privacy Shield destroyed, those of us wanting to transfer data to the US were left with the use of Standard Contractual Clauses (SCCs) to govern data flow. These clauses must be put in place by every company, take more negotiation and must be written into a legal agreement.
What’s Next for EU-US Transfers?
Moving on from Schrems’s success, there is now action brewing to invalidate SCCs. The Irish data protection regulator has already ruled that they fail to protect against snooping from US Intelligence Agencies.
Without them, it will become incredibly difficult to transfer data to the US without breaking Data Protection Regulations. Companies would need to provide specific contracts, where they can show safeguards against intelligence monitoring. Given the wide scope of homeland security based legislation in the US, this would be near impossible.
Let’s say the courts strike down SCCs. Firms transferring data to the US will fail to abide by the rules and could face huge fines. In the case of Meta this could be nearly $3 billion.
What About the UK?
Facebook and Instagram users in the UK can relax a little, as any new EU ruling would not automatically affect us. In fact, the UK Government have made strong noises about loosening information transfer regulation rather than tightening it.
However, if you use applications based in Europe that move data to the US (such as for support services or data backup) you may see disruption.
The level of outcry should these platforms go dark means Meta will probably work something out. Indeed, facebook have since released a statement that they are not “threatening” to do anything. However, this topic does demonstrate that data protection legislation has an array of real-world implications. Real-world implications we can’t just ignore.