Last Thursday, Meta revealed the possibility of withdrawing products from Europe, in its annual report to the US Security and Exchange Commission, which requires public companies to disclose potential threats to their business. According to the report, if a new transatlantic agreement over data transfer is not established, Meta will “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”
Meta’s concerns follow two important developments in 2020, a ruling from the European Court of Justice (ECJ,) which invalidated the use of the “Privacy Shield,” and a preliminary decision from the Irish Data Protection Commission (IDPC,) which suggested that Facebook may have to stop sharing European data across the Atlantic.
The EU-US Privacy Shield system was an agreement that allowed companies to share user data between the EU and the US, despite the stricter standards of data regulation in the EU. There were strong concerns however, over the way EU users were exposed to the rampant mass surveillance that has long been associated with the US, following former National Security Agency (NSA) employee Edward Snowden’s decision in 2013 to expose the agency’s invasive and shocking data farming and monitoring practices.
The Court made clear however that transfer of EU user data to other countries was not banned, just that it had to be subject to “standard contractual clauses,” or SCCs, described by the BBC as “non-negotiable legal contracts drawn up by Europe.” Facebook subsequently joined Microsoft’s reliance on SCCs.
This was challenged months later, however, when the Irish Data Protection Commission (IDPC) suggested that even when transferred according to SCCs, EU data was exposed to significant risk on US servers. This followed a complaint from Max Shrems, founder of noyb, the “professional privacy enforcement NGO.”
In #Facebook (@Meta) $FB's Annual Report they openly admit that their whole business in Europe may have to shut down over #GDPR / #SchremsII and US Surveillance — amazing how they don't seem to work on durable solutions.. 😐😐https://t.co/Tmwsvjgemo pic.twitter.com/VEDdIMe3oR
— Max Schrems 🇪🇺 (@maxschrems) February 6, 2022
Schrems was also the person who initiated legal proceedings against the usage of Privacy Shield, and in 2015, the person who initiated the court proceedings that invalidated an earlier controversial data EU-US transfer agreement, the Safe Harbour Act.
The DPC has acted as the EU’s primary data regulation watchdog, responsible for protecting EU civilians from big tech companies misusing their data. Facebook, in their report, says they expect that a final decision, either confirming or knocking down the DPC’s primary decision that Facebook’s transfer of EU data to the US should stop, to be issued in early 2022.
The report draws attention to the crackdowns on the way user data is used, stored and transferred, in the wake of the General Data Protection Regulation (GDPR) regulations introduced in 2016
The GDPR was considered a landmark piece of legislation, aiming, amongst other things, to regulate the unchecked data mining and storage of internet users.
For many, GDPR is synonymous with the website cookie banners that have now become ubiquitous across websites since the passing of the ruling. However, these pop ups have been heavily criticized as being manipulative, and many, according to a ruling from the Belgian Data Protection Authority last Wednesday, have been declared non-compliant with GDPR.
This recent ruling is an example of the way in which legal efforts to restrain the egregious data usage of ad-tech companies, and ad-facilitators, do not always have the immediate and lasting effect that many may hope. Legal ruling like GDPR continues to be interpreted by courts seeking to meet new challenges posed by Meta, Google and others, whose use of analytics and targeted advertising continue to worry users.
Related articles: January 6 Insurrection Investigation: Major Tech Companies Subpoenaed | EU Makes Progress on Digital Regulations, Challenging Big Tech | Democrats Propose Bill Banning Targeted Advertising
In other words, there is still uncertainty around the ways EU data regulation laws will be able to reign in tech, and whether or not the current mechanisms are enough to hold big tech accountable. There is also uncertainty about whether or not big tech will meet these new interpretations of EU data regulation law, or whether they will deem them too onerous, and withdraw services entirely.
The level of uncertainty is seen both as an obstacle to the progress of big tech in the EU, and also a sign that there is room for debate
Companies like Meta need to be able to rely on certain data agreements in order to confidently continue operations in Europe. However, they have also demonstrated their willingness to lobby aggressively when their interests are challenged, and uncertainty with regards to data laws may only encourage attempts to circumvent them.
Meta, in its report to the US Security and Exchange Committee, pointed out this “uncertainty,” noting that “The GDPR is still a relatively new law, its interpretation is still evolving, and draft decisions in investigations by the IDPC are subject to review by other European privacy regulators as part of the GDPR’s consistency mechanism, which may lead to significant changes in the final outcome of such investigations.”
I have always called for an alternative to the EU US #privacyshield to find a balanced agreement on data exchange + always called for #GDPR flexibility. However, #META cannot just blackmail the EU into giving up its data protection standards, leaving the EU would be their loss.
— Axel Voss MdEP (@AxelVossMdEP) February 7, 2022
Meta’s assessment of the situation in the report may in itself be an attempt to exploit the legislative uncertainty, and court support in its favour. In fact, many have taken Meta’s suggestion of a possible removal as a threat. It was certainly received as such by Member of the European Parliament (MEP) Alex Voss, who in a tweet said that Meta cannot “blackmail the EU into giving up its data protection standards, leaving the EU would be their loss.”
French finance minister Bruno Lemaire suggested that the EU’s “sovereignty” would not be troubled by the threat of facebook’s withdrawal, and that the EU “is such a big internal market with so much economic power that if we act in unity we won’t be intimidated by something like this.”
Facebook did however release a blog post, suggesting that “Meta Is Absolutely Not Threatening to Leave Europe.” They also sent emails to a number of media outlets that they claimed falsely presented their assessment as a threat. According to Meta’s blog post, they were simply “identifying a business risk resulting from uncertainty around international data transfers.”
Given Meta, and other Big Tech companies’ involvement in extensive and sophisticated lobbying strategies in the EU, which involves controversial astroturfing techniques, it is no surprise that there is scepticism around Meta’s motives. As discussed in a previous impakter article, tech companies have representatives throughout EU institutions, and fund companies that parrot talking points favorable to them, whilst presenting themselves as advocating for small businesses.
An important dimension to any data regulation story, is also the discrepancy between US and EU law
Tech companies often have to change their behavior internationally, in order to keep in line with the requirements of a major region in which they operate.
This is partly because of the impracticality of having different standards of practice in different regions. Since the EU, and the UK to some extent, has typically had stronger regulations than the US, European law has often dictated how tech companies act in the US, even affecting the US legislature to some extent.
However, controversy over EU-US data transfer demonstrates the limitation of this principle. Instead of relying on companies to standardize their practices, the establishment of safe data passage agreements may require countries themselves to harmonize their laws.
As Max Schems suggested after the landmark decision against the Privacy Shield agreement, “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market.”
At the end of the day, despite what the EU ministers expressing indifference, and even jubilance to the threat of Facebook’s disappearance from Europe say, Meta’s projected withdrawal is unlikely. As a European Commision spokesman told Bloomberg, negotiations with the US have increased in intensity, in an attempt to save the many small, medium and giant businesses reliant on transatlantic data transfer.
Alex Voss for example, in his tweet condemning Meta’s alleged blackmail, said he has always been in favour of GDPR flexibility, and suggested that a workable alternative to the Privacy Shield should be agreed upon.
The bigger takeaway is perhaps the increased pressure on the US to confront the lacklustre protection it affords its citizens from data exploitation, and the distrust its reputation for surveillance has garnered internationally. Developments like the ban on targeted advertising proposed by some American legislators, which is not expected to make much progress, is perhaps at least indicative that the US may be about to embark on the long-awaited establishment of adequate legal privacy protection for American citizens.
Editor’s Note: The opinions expressed here by Impakter.com columnists are their own, not those of Impakter.com. — Featured Photo: Facebook and Instagram and WhatsApp, all owned by Meta, who has been accused of putting EU user data at risk in the US Photo Credit: Jeremy Bezanger.
