Friday, March 24

Meta threatens to withdraw Facebook and Instagram from the EU if the data transfer with the United States is not facilitated

Ordago of Meta. in a document presented before the Securities and Exchange Commission (SEC), from the USA, Mark Zuckerberg’s company warns of the implications that the so-called Schrems II decision could have, a ruling issued in 2020 by the Court of Justice of the European Union (CJEU) that establishes that the mechanism for transferring personal data between the EU and the US is not valid, and warns: if a mechanism for sharing information is not achieved, the future of Facebook and Instagram in Europe could be compromised.

The company’s warning to the SEC is clear. In his letter he underlines the importance of the Privacy Shield, the framework on which it is based for data transferred from the EU to the United States and recalls that was invalidated in July 2020 by the CJEU.

The key, data transfer

The multinational also recalls that “the other bases” used by Meta to “transfer said data, such as the Standard Contractual Clauses (CEE), have been subjected to regulatory and judicial scrutiny” and that it has received a notice from the authorities Irish precisely on that transfer. With this clear background, Zuckerberg’s company warns:

“If a new transatlantic data transfer framework is not adopted and we are unable to continue to use PPAs or other alternative means of transferring data from Europe to the United States, we may not be able to offer a number of our most important products and services, such as Facebook and Instagram, in Europe, which would adversely affect our business, financial condition and results of operations.”

The writing comes at a key moment. As the multinational itself recalls, shortly after the CJEU ruling —in August 2020—, the Irish Data Protection Commission (IDPC) sent you a notice warning that Meta Platforms Ireland’s reliance on standard contractual clauses relating to European user data does not comply with the General Data Protection Regulation (GDPR), for which he proposed that the transfer of information from the EU to the US be suspended. That was a preliminary decision. The company believes that the definitive one will arrive in not much, during the first half of 2022.

His position is explained, to a large extent, by the fundamental role that these operations have in Meta’s operation and business model. More specifically, in advertising. In fact, the company makes it clear in the text which has been submitted to the US SEC:

“If we are unable to transfer data between the countries and regions in which we operate or if we are restricted from sharing data between our products and services, this could affect our ability to deliver our services, the way we deliver them or our ability to target ads, which could adversely affect our financial results.”

In July 2020, the CJEU based its decision on the fact that the US does not provide sufficient guarantees to protect data privacy, which led it to declare the 2016 Privacy Shield agreement between Europe and the United States invalid, the same by which companies like Apple or Google could take data from European users to the other side of the Atlantic.

The statement came after a claim from a Facebook user, Maximilian Schrems, who requested that his personal data not be transferred from Facebook Ireland to the servers of Facebook Inc, considering that sufficient guarantees were not offered in the US.

In its ruling, the Court concludes that the country receiving the data must offer a “level of protection substantially equivalent to that guaranteed within the Union” and that its regulations not strict enough to adjust to the level required by the General Data Protection Regulation (RGPD). Years ago, in 2015, the Court had already knocked down the previous framework that protected the transfer of information, known as the Safe Harbor protocol.

European justice annuls the 'Privacy Shield': European personal data can no longer be transferred to US servers

Meta is not, in any case, the only US technology multinational that has been affected by changes in the EU regulatory framework. Recently, for example, the Austrian data protection authority concluded that Google Analytics is illegal precisely because it violates the GDPR. His decision is based on the 2020 resolution of the CJEU and, in addition to the ban, could also lead to a large fine of up to 20 million euros.

When the Austrian pronouncement became known, Schrems showed his confidence in which they happen “similar decisions in all Member States”. The Google Analytics ban is not firm yet anyway and the tool will still work. From Google they detailed in fact a couple of weeks ago that “the case only affects one publisher in particular.”

Pending what the rest of the courts decide and the pronouncement of the European Data Protection Supervisor, there would be different solutions on the table in the medium or long term, such as that US companies must review the use of data of its European users or achieve a new treaty between Europe and the United States for the transfer of information.

Cover Image | Stock Catalog (Flickr)