On Thursday, the Irish data protection authority (DPC) announced that they might stop data transfers between Meta Platforms Ireland and its US parent company, effectively shutting down Facebook in Europe.
Read the full statement here by Politico.eu who were the first to report
At July 7, 2022 12:37 PM CET by Vincent Manancourt.
Europeans risk seeing social media services Facebook and Instagram shut down this summer, as Ireland's privacy regulator doubled down on its order to stop the firm's data flows to the United States.
The Irish Data Protection Commission on Thursday informed its counterparts in Europe that it will block Facebook-owner Meta from sending user data from Europe to the U.S. The Irish regulator's draft decision cracks down on Meta's last legal resort to transfer large chunks of data to the U.S., after years of fierce court battles between the U.S. tech giant and European privacy activists.
The European Court of Justice in 2020 annulled an EU-U.S. data flows pact called Privacy Shield because of fears over U.S. surveillance practices. In its ruling, it also made it harder to use another legal tool that Meta and many other U.S. firms use to transfer personal data to the U.S., called standard contractual clauses (SCCs). This week's decision out of Ireland means Facebook is forced to stop relying on SCCs too.
Meta has repeatedly warned that such a decision would shutter many of its services in Europe, including Facebook and Instagram.
"If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe," Meta said in a filing to the U.S. Securities and Exchange Commission in March this year.
The Irish blocking order, if confirmed by the group of European national data protection regulators, is likely to send a chill through the wider business community too, which has been scratching its head about how to continue sending data from Europe to the U.S. following the EU's top court ruling in 2020.
The EU and U.S. are in the midst of negotiating a new data-transfer text that would allow companies like Meta to continue to ship data across the Atlantic irrespective of the Irish order. Brussels and Washington in March agreed to a preliminary deal at the political level, but negotiations on the legal fine print have stalled and a final deal is unlikely to be reached before the end of the year.
A spokesperson for the Irish DPC confirmed that the draft decision had been sent to other European privacy regulators, who now have a month to give their input, but wouldn't discuss details of the decision.
"This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and U.S. law which is in the process of being resolved," a Meta spokesperson said. "We welcome the EU-U.S. agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected."
View source at politico.eu.
The DPC drafted a decision to shut down Meta's data transfers for Facebook and submitted it to the European Data Protection Board Data protection agencies from other EU Member States have a month to add their views and objections before it moves forward, but the process will likely take longer. The move could mean the biggest disruption of the social media giant in its history. The DPC did not disclose the contents of the draft.
Earlier this year, Facebook stated that if it's unable to transfer data overseas, it could affect the availability of its products. This scenario now seems close to becoming a reality now.
(Update: the EDPB got directly involved in the case. In the end, Meta was fined for a record €1.2 billion and ordered to suspend US data transfers for Facebook. The terms for the suspension order is pending and the risk of a Facebook blackout is more real than ever. We wrote about this decision in depth)
- Facebook and Schrems. A long Story
- Crackdown on Google Analytics
- Privacy Shield 2.0
- Implications of Facebook ban
- Final thoughts
Facebook and Schrems. A long Story
The draft decision is the result of a long and complex legal battle between Max Schrems and Facebook. Nine years ago, privacy activist Max Schrems filed a complaint about Facebook’s data transfers before the DPC, citing privacy concerns in the wake of the Snowden revelations. The case ended up in the EU Court of Justice twice, and the Court invalidated two EU-US data transfers frameworks in the landmark Schrems I and II cases.
Schrems II made US data transfers tricky, as the Court highlighted the need to implement effective safeguards against US surveillance- which is hard and often impossible for European companies.
Under US surveillance law, Facebook qualifies as an “Electronic communication service provider” and is therefore obliged to share data with the US intelligence service if requested. This means that US agencies can access the personal data of EU citizens.
The mandate of the GDPR is simple: protecting the privacy of European data. This cannot be guaranteed when personal data is sent from the EU to Facebook servers in the US.
Crackdown on Google Analytics
The Schrems II ruling did not lead to a response from data protection authorities until the beginning of this year, when the DSB (Austria) responded by banning the use of Google Analytics. CNIL (France) was quick to follow, and Garante (Italy) banned Google Analytics last week as well. More EU member states are likely to follow suit in the coming months.
(Update: Finland and Norway ruled against Google Analytics- although the Norwegian authority's findings are yet preliminary. Additionally, Denmark essentially embraced the same stance in a press release.
Privacy Shield 2.0
A Facebook spokesperson noted that the issue is in the process of being resolved, referring to a new agreement between the U.S and the EU that will allow the continued transfer of data. The so-called Privacy Shield 2.0. However, the deal is far from finalized. Both the EU (here) and the US (here) announced a new agreement on a new framework for transatlantic data transfer, but no legal document has been provided.
Max Schrems (yup, the one from the rulings) noted:
“The final text will need more time; once this arrives, we will analyze it in-depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
Update: the new framework for EU-US data transfers is on the way. US President Joe Biden signed an executive order in October 2022 and the European Commission published a [draft adequacy decision] for the US two months later. Together, these two acts are meant to be the foundation for the Trans Atlantic Data Privacy Framework.
The new framework is still problematic in some respects and will surely face challenges in Court. It was also met with opposition from the EU Parliament. We are looking at yet another Schrems ruling and it’s hard to say how it will play out.
Implications of Facebook ban
An unresolved conflict about transatlantic data transfer could have a significant impact on (almost) all Europeans. It sounds unrealistic that Facebook would not be available for EU citizens, but this might very well become a reality.
In February, DPC head Helen Dixon told Reuters that a decision would not immediately affect WhatsApp as it has a different data controller.
It sounds harsh, but finally, the GDPR is showing its teeth. Privacy is a human right and should be treated as such. Google and Facebook have become the biggest monopolies companies in the world by monetizing our data. This model is showing cracks as more and more consumers are demanding privacy.
We started Simple Analytics because we care about privacy. Our "fight" is mainly with Google as Simple Analytics is a privacy-first Google Analytics alternative, but it goes further than that. We believe in an independent web that is friendly to website visitors.
To create a more open web, we need to adopt a different mindset. We must find ways to stop relying on the biggest advertising companies in the world. We really need to figure out how to become independent from those data-devouring beasts.
To change this, we need alternatives that allow us to do so. And yes, we are biased because we built a privacy-first Google Analytics alternative. But if this message resonates with you, you should check out all these EU-based alternatives for digital products and see for yourself.