If Meta is not given the option to transfer, store and process data from its European users on US-based servers, Facebook and Instagram may be shut down across Europe, the social media giants’ owner reportedly warned in its annual report.
The key issue for Meta is transatlantic data transfers, regulated via the so-called Privacy Shield and other model agreements that Meta uses or used to store data from European users on American servers. The agreements that enable these data transfers are currently under heavy scrutiny in the EU.
In its annual report to the U.S. Securities and Exchange Commission, Meta warns that if a new framework is not adopted and the company is no longer allowed to use the current model agreements “or alternatives,” the company will “probably” no longer be able to offer many of its “most significant products and services,” including Facebook and Instagram, in the EU, according to various media reports, including in iTWire, The Guardian newspaper and Side Line Magazine.
Sharing data between countries and regions is crucial for the provision of its services and targeted advertising, Meta stressed.
Therefore, it previously used the transatlantic data transfer framework called Privacy Shield as the legal basis to carry out those data transfers.
However, this treaty was annulled by the European Court of Justice in July 2020 because of data protection violations. Since then, the EU and the US have stressed that they are working on a new or updated version of the treaty.
In addition to the Privacy Shield, Meta also uses so-called model agreements, or Standard Contractual Clauses, as the primary legal basis for processing data from European users on American servers.
These model agreements are equally under scrutiny in Brussels and other parts of the EU.
When contacted by City A.M. today, John Nolan, Meta’s London-based tech media and advertising communications leader, did not deny or play down the reports.
Instead, he shared a statement from Nick Clegg, Meta’s VP of Global Affairs and Communications.
Clegg warned that “a lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19.”
“The impact would be felt by businesses large and small, across multiple sectors,” he continued.
“Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term,” said Nick Clegg, VP of Global Affairs and Communications.
“In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones.”
“A French retailer may find they can no longer maintain a call centre in Morocco,” Clegg stressed.
He added: “While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.”
Following Clegg’s statement, Facebook got in touch for a second time, as a spokesperson for Meta told City A.M.: “We have absolutely no desire and no plans to withdraw from Europe, but the simple reality is that Meta, and many other businesses, organisations and services, rely on data transfers between the EU and the US in order to operate global services.”
“Like other companies, we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to operate a global service.”
“Fundamentally, businesses need clear, global rules to protect transatlantic data flows over the long term, and like more than 70 other companies across a wide range of industries, we are closely monitoring the potential impact on our European operations as these developments progress.”
Alongside the developments in Europe, the Irish Data Protection Commission told Meta in August 2020 that it had provisionally concluded that the use of the model agreements was not in line with the GDPR.
Processing of European data on American servers therefore had to be suspended by the IDPC. However, this was merely a preliminary conclusion so, in effect, no change came about.
The company went to court to stop the injunction, but judges ruled that the IDPC’s investigation could continue.
The watchdog’s final verdict is expected to be published in the first half of this year. Should the IDPC indeed find that the model agreements are illegal, Meta may decide it is no longer feasible to offer some of its services across the EU.
Regarding the Irish case, Clegg said: “The Irish Data Protection Commission has commenced an inquiry into Facebook-controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers.”
“While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on,” he concluded.