.svg)
Europeans could be cut off from Facebook and Instagram as enforcement of data privacy rights heat up in Europe and the regulatory framework guiding transatlantic data flow is still in the making.
In its 2021 annual report, Meta said the company “will likely be unable to offer” a number of its most significant products in Europe, including Facebook and Instagram, if regulators do not resolve regulatory issues around data sharing between the European Union and the United States.
The invalidation of the EU-US Privacy Shield, which enabled the transfer of data between the two sides of the Atlantic, has created an environment of uncertainty that has been going on for more than a year and a half.
The transfer, processing and sharing of certain data is critical to the operations of many transatlantic businesses, including payment service providers (PSPs) that send EU customer data to the US.
Prior to the Court of Justice of the European Union (CJEU) judgment, also known as Schrems II, there were more than 5,400 companies relying on the Privacy Shield, more than two-thirds of which are small and medium-sized enterprises (SMEs), which now need to revise their contracts to make sure those include sufficient safeguards and protections for European data subjects.
But many of these companies do not have the resources to switch to more expensive mechanisms.
Although EU and US regulators are in talks to set up a new version of the Privacy Shield, one that addresses the issues brought forward in the judgment, talks seem to have stalled since the last announcement was made on progress almost a year ago.
Another solution to the problem could come from the US in the form of a federal privacy law that would place the country’s privacy protections on par with the EU’s General Data Protection Regulation (GDPR).
Although there is a widespread demand coming from the public to enact a US privacy act, there has been little to no movement in Congress in the past year to push forward their GDPR equivalent.
Nonetheless, the CJEU judgment did leave a door open for companies to be able to share data across the Atlantic via the use of standard contractual clauses (SCCs). Updated last June, the SCCs are model contract clauses pre-approved by the European Commission to ensure there are sufficient data protection safeguards in data transfers to third countries.
Although there is still no overarching guiding framework for transatlantic data transfer, data protection regulators have increasingly stepped up their enforcement efforts in the past couple of years, showing a distinct shift from previous guidance.
The enhanced enforcement means both an increasing focus on Schrems II compliance and the fact that payments firms are coming into scope.
At the start of the year, the European Data Protection Supervisor (EDPS) sanctioned the European Parliament for transferring data through Google Analytics and Stripe cookies to the US in non-compliance with Schrems II.
A few days later, the Austrian data protection authority (DPA) ruled against the use of Google Analytics by an Austrian website provider, while the Dutch DPA is investigating two complaints about the use of Google Analytics in the Netherlands.
These “groundbreaking enforcement decisions against the sharing of personal data across the Atlantic signal the beginning of a domino effect where the move against Google Analytics seems to be only the beginning”, Petruta Pirvan, senior privacy principal consultant at Wrangu B.V., said.
Meta is currently subject to an investigation by the Irish Data Protection Commission (IDPC), which preliminarily concluded in August 2020 that Meta's reliance on the SCCs is not enough to comply with the GDPR.
The technology giant expects the IDPC to hand down a final decision in the first half of this year, which could effectively suspend the bigtech’s transfers of user data from the EU to the US.
“If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results,” Meta said in the filing.
A Meta spokesperson has since confirmed to the media that it is not planning to withdraw from Europe. Nevertheless, the case for resolving EU-US data flow is arguably becoming more pressing a year and half after the CJEU initially shook up the data transfer rules.
