It has finally happened: Meta has less than five months to stop sending Europeans’ personal data to the U.S., under a decision by the Irish privacy watchdog that also imposed a record $1.3 billion fine on the company for its past illegal data transfers. That means Facebook and Instagram may soon no longer be available in Europe.
You can read all about the bombshell decision and the history behind it here (and I recommend doing so), but the tl;dr is that, since Meta is not able to prevent American intelligence agencies from collecting and accessing European users’ personal data in the U.S., the company illegally fails to guarantee Europeans’ privacy rights when it transfers data to the U.S.
Now, let’s discuss what happens next. There are essentially just four possible ways this could play out:
Option 1 — New deal: The European Commission adopts a new data-sharing pact with the U.S., giving Meta a legal basis for its transatlantic data transfers before the clock runs out in mid-October.
Option 2 — Adapt: Meta finds a way to stop sending EU personal data to the U.S., without messing up the functionality of Facebook and Insta.
Option 3 — Fight: Meta successfully appeals the decision and this all goes away.
Option 4 — Exit: None of the above happens, and Meta pulls Facebook and Insta from the EU (Mexit?), as it has previously warned it will.
The first option is probably the most likely outcome—and certainly the most attractive for other U.S. corporations that are just as vulnerable as Meta. However, the new agreement would be the third of its kind, with the previous two having been struck down by the EU’s highest court because they didn’t rein in U.S. mass surveillance. And it’s far from clear that the new deal (known as the Data Privacy Framework or DPF) would achieve that aim.
The European Parliament and the EU’s data protection authorities have already said they think the U.S.’s promised surveillance safeguards are too vague and potentially ineffective. The Commission could ignore their warnings and seal the deal—if the EU’s member states agree—but if those deficiencies go unresolved, there’s a very high chance the Court of Justice of the EU will kill this agreement as it did its predecessors.
Max Schrems—the Austrian lawyer whose 2013 complaints to the Irish regulator set everything here in motion—believes the problems can be fixed if the U.S. puts real limits on how its agencies surveil people from allied countries.
“Basically my personal ideal outcome is a ‘no spy’ agreement giving people of democratic countries baseline guarantees, no matter if their data stays local or not,” Schrems told me this morning. And his second-favorite potential outcome? “The ‘federalized’ social network with an EU and U.S. branch, where only the necessary data is sent to the U.S. anymore (e.g. a message to a U.S. friend).”
This approach to data management may be a legally viable option for Meta—it could then claim necessity as the legal basis (under the EU’s General Data Protection Regulation or GDPR) for those limited transfers—but the company really doesn’t want to go down that route.
“In our opinion, localisation is not the answer,” said a Meta spokesperson. “Global services need global connections, and the internet is based on an open global model. Meta cannot simply wall off EU user data from non-EU user data. People don’t use our services to have this type of experience, which is inconsistent with the very nature of how global services like ours are designed to operate.”
As Schrems points out, Meta’s chances of a successful appeal are low, because the EU’s highest court has more than once confirmed how U.S. surveillance practices make transatlantic data transfers illegal. So the activist lawyer reckons Meta will cave in at the last minute and move to a federated model for its social networks. He characterizes the company’s warning of a withdrawal from Europe—from which it derived 22% of its Q1 revenue this year—as “laughable.”
Two final thoughts from my side. Firstly, this whole affair has shredded the reputation of the Irish Data Protection Commission (DPC), which didn’t want to levy any fine against Meta but was then brutally slapped down by its peers on the European continent. The Irish DPC is the most important of the EU privacy watchdogs because so many multinationals are headquartered on its turf, but it has long been seen as ineffective because of its glacially slow pace of enforcement. It always claimed underfunding was to blame; now it looks like reluctance is the problem.
Secondly, the EU’s watchdogs also collectively ensured that the Irish decision forces Meta to delete the European personal data it has already funneled into its U.S. systems over recent years. As civil liberties activists have pointed out, unsealed documents from a U.S. case suggest Meta does not have a good grasp on where data goes in its systems—so getting it out within the next six months, as it is now supposed to do, will be very difficult indeed.
David Meyer
Data Sheet’s daily news section was written and curated by Andrea Guzman.