Meta may be forced to leave Europe; here's why

Just like most USA-headquartered companies doing business in the EU, Meta also relies on transatlantic data transfers for its operations. The data helps them rope in advertisers and develop business models specific to the region. If the data transfer pact ceases to exist, it can have major implications on the company’s profitability.

So far, Meta has relied on the Privacy Shield protocol for its cross-country data transfers. The process was compliant with the Standard Contractual Clause (SCC) and was believed to be in agreement with the General Data Protection Regulation (GDPR) laid down by the European Commission (EC). However, the Privacy Shield was doubled down upon by the CJEU in 2020.

A month after the CJEU’s verdict, the Irish Data Protection Commission (IDPC) followed suit and deemed Meta’s reliance on the SCC to be in violation of the GDPR. It demanded that Meta’s operations in the region be suspended. The hearing on this matter is expected to reach a verdict in the first half of 2022.

In May 2021, soon after these developments, Meta categorically stated the steps it had been taking to ensure that data transfers were indeed secure. In June 2021, it published another report explaining the significance of transatlantic data transfers. “According to this study, changes to (the) free flow of data could cause significant harm to telecommunications, digital payments, global services outsourcing and pharmaceutical R&D industries,” the report reads. “Based on the estimates of the Analysis Group economists, European businesses and consumers in each of these industries may incur several billion dollars of additional annual costs,” it adds.

If the ruling does not go in Meta’s favour, it will have no framework to continue within which data transfers will be possible. “We are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations,” the annual report mentioned.

Their verdict invalidated the EU-US Privacy Shield Framework. They highlighted that the GDPR guidelines require the country receiving the data to offer the same level of protection to the country from which the data is borrowed. In terms of standards, data protection has to match with that offered in the European Economic Area (EEA).

Consultancy firm Ernst & Young told Capital.com that the CJEU gave two reasons for their judgement:

By US law, citizens of the USA are allowed to collect data on citizens of the EU without providing them with adequate security.

Should there be a misdemeanour, EU citizens have no way to seek justice against US-based businesses.

Companies are now being compelled to deploy adequate safeguards to ensure SCC-level security. They must also explain case-by-case how the data is being protected post-transfer in the destination country.

In January 2022, Kent Walker, President – Global Affairs & Chief Legal Officer at Google and Alphabet, expressed his concerns about the lack of a framework to replace the Privacy Shield. “If a theoretical risk of data access were enough to block data flow, that would pose a risk for many publishers and small businesses who use the web and highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem,” he wrote. He added, “The stakes are too high – and international trade between Europe and the US too important to the livelihoods of millions of people – to fail at finding a prompt solution to this imminent problem.”

Meta is hoping for the negotiations with the EU to continue such that an alternate solution may be arrived at. The company has explicitly clarified its position stating, “We have absolutely no desire to withdraw from Europe; of course, we don’t. But the simple reality is that Meta, like many other businesses, organisations and services, relies on data transfers between the EU and the US in order to operate our global services. We’re not alone. At least 70 other companies across a wide range of industries, including 10 European businesses, have also raised the risks around data transfers in their earnings filings.”