Meta may be forced to suspend services in Europe over data transfer concerns

The draft order builds on a 2020 decision by the European Court of Justice that put an end to an EU-US data-sharing agreement called Privacy Shield. Lawmakers were concerned about Privacy Shield’s lack of protections for EU users as they relate to US surveillance practices; American intelligence and surveillance agencies had access to significant amounts of personal information about European users under Privacy Shield.

The move is the latest in a smattering of recent decisions in Europe that aim to crack down on EU-US data transfer policies. If passed, the DPC’s order will serve “another huge blow to the surveillance data economy,“ says Shiv Malik, chief executive at Pool Data, a web3 platform that aims to put data creators in control of their information.

Meta has said that it may have to shutter Facebook and Instagram services in European markets if the order is passed since its business relies on seamless data transfers.

“Meta is one of the largest data processing companies in the world – it has global reach and the volume and scope of personal data that it collects and transfers is truly enormous,” says Calli Schroeder, global privacy counsel at Electronic Privacy Information Center, a Washington, DC-based not-for-profit organization dedicated to raising awareness about privacy-related issues. “If the draft decision bars it from transferring EU data, my guess is that it will have to set up internal controls to immediately geo-silo Europe to ensure it no longer collects or transfers data from Europe ... if it is unable to ensure that no EU data is transferred to the US, Meta would have to stop doing business in the EU until this is resolved.”

Though the DPC’s draft decision is specifically focused on Meta business, other companies could potentially be at risk. Cross-national data transfers are a critical part of most businesses with an international presence. Helen Dixon, head of the DPC, told Reuters earlier this year that there could be “hundreds of thousands of entities” that would be forced to revisit their data transfer practices.

Any company that regularly transfers data on EU users to the US – including other tech titans such as Google and Amazon – will likely be feeling the pressure right now and, per Schroeder, “should consider ... what technical and procedural measures they could take” if their ability to transfer data becomes more restricted.

The sentiment is echoed by other experts. “This is ... a much broader issue, as foreshadowed, for example, by the growing EU data protection authorities’ rulings on Google Analytics,” says Arielle Garcia, chief privacy officer at ad agency UM Worldwide, referring to regulators’ crackdown on Google Analytics’ privacy practices in a handful of recent cases. “Enforcement of the decision could similarly impact every platform and company moving EU data to the US.”

Beyond the business implications of the DPC’s decision, the move signals a broader concern about the US’ stance on data protection and privacy. “[This move] can ... be viewed as a warning from Europe that the US has not taken EU laws and enforcement seriously enough,” Schroeder notes.

A possible solution? A new, more stringent EU-US data transfer agreement. Regulators in both regions have already been negotiating a framework to replace Privacy Shield, and Schroeder predicts that it’s “very likely” they’ll reach a deal. The DPC’s new draft order is likely to increase pressure on regulators to finalize a deal.

But even if an agreement is reached, international businesses such as Meta are likely to continue to be scrutinized over their many data handling practices. There’s a fundamental challenge at play, though: many of the criticisms levied at existing data sharing and transferring policies take issue with the reach of intelligence and surveillance agencies – a matter that individual businesses have little to no ability to influence. As it stands, companies can adapt their data collecting, sharing and sales practices in order to remain in compliance with data regulations – but they may still be the subject of undue criticism until surveillance legislation is updated.

As of today, the DPC’s decision remains a draft. It has been shared with other European data protection authorities, which have one month to respond with comments. UM Worldwide’s Garcia predicts that, in light of past reactions to DPC decisions, some data protection authorities will object to the order. A new draft will likely incorporate feedback from these regulatory groups, after which a vote will be held and a final decision made.

“In the interim,” Garcia says, “we can expect businesses and tech companies in particular to adamantly push for alignment [between the] EU and US government on a replacement framework.”

For more, sign up for The Drum’s daily US newsletter here.