Reports of a potential shutdown of Meta services Facebook and Instagram in the European Union that could take place as soon as this summer underscore what’s at stake as the region works with the United States to finalize a new agreement on how to handle transatlantic data flows.
The Irish Data Protection Commission (DPC) on Thursday informed its data protection authority (DPA) counterparts of a draft decision it has made regarding the legality of Meta’s transfers of EU data to the United States. The DPAs have one month to review the decision, which Politico reports would block Meta’s EU-U.S. data exports.
The Irish DPC confirmed sending the draft decision but did not provide its details.
As Meta has previously disclosed, such a decision would likely result in the company pulling Facebook and Instagram in the European Union, “which would materially and adversely affect our business, financial condition, and results of operations.”
The threat of such an outcome has been present since 2020, when the EU’s top court ruled U.S. law does not provide a similar level of data protection as the European Union under the latter’s General Data Protection Regulation (GDPR). Since then, businesses like Meta have leaned heavier on standard contractual clauses (SCCs) and other mechanisms for ensuring compliant data transfers. But those SCCs are not strong enough to shield some companies from potential legal liability.
The United States and European Union reached a tentative agreement in March on a new process for compliant transatlantic data flows, but neither side has provided many updates since then. Reports, including Politico, indicate the talks have stalled and a final deal is unlikely before the end of the year, leaving the Irish DPC’s Meta decision as a case worth watching for all companies relying on SCCs should it move forward quickly.
Some, including privacy campaigner Max Schrems, do not expect this to be the case. Schrems, whose legal challenges have resulted in the end of previous EU-U.S. data transfer frameworks Privacy Shield and Safe Harbor, wrote in a news release for his data rights group NOYB he expects DPAs to disagree with some elements of the Irish DPC’s decision and that Ireland will drag its feet to address the objections.
Further, “Facebook will use the Irish legal system to delay any actual ban of data transfers,” Schrems wrote. “Ireland will have to send the police to physically cut the cords before these transfers actually stop.”
The key principles of the data transfer framework tentatively agreed to between the European Union and United Stated include “binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security” and “a new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. Intelligence authorities, which includes a Data Protection Review Court,” the European Commission explained in a one-page document in March. Legal experts anticipate the new framework could face a similar fate as the Privacy Shield and Safe Harbor before it if it does not thoroughly address concerns regarding U.S. surveillance.
In response to its situation following the Irish DPC’s latest action, a Meta spokesperson stated, “This draft decision, which is subject to review by European data protection authorities, relates to a conflict of EU and U.S. law which is in the process of being resolved. We welcome the EU-U.S. agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities, and economies connected.”