Meta threatens to pull Facebook, Instagram in Europe over GDPR data transfer dispute

The dispute centers around the failure by regulators in the European Union and United States to agree on methods American companies can use to safely transfer data on EU customers across the Atlantic, without that data being available for surveillance by U.S. government agencies.

Until July 2020, Meta and other American tech companies relied on the EU-U.S. Privacy Shield, an agreement between the regions that provided legal protections on data sharing for thousands of American companies. The Privacy Shield effectively blocked potential legal reprisals under EU privacy law, but after Europe’s top court ruled it unlawful, nothing similar has been drafted to replace it.

Since the court decision, Meta and other companies have increased use of standard contractual clauses (SCCs) as an alternative for ensuring compliant data transfers. But those SCCs are not strong enough to shield Meta from potential legal liability, the company said.

In a 10-K disclosure filed with the Securities and Exchange Commission on Feb. 3, Meta said a preliminary decision by the Irish Data Protection Commission (DPC) from August 2020 “concluded that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with the [GDPR] and preliminarily proposed that such transfers of user data from the European Union to the United States should therefore be suspended.” Meta said a final decision from the Irish DPC is expected as early as the first half of 2022.

As a result, Meta warned investors: “If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.”

I have always called for an alternative to the EU US #privacyshield to find a balanced agreement on data exchange + always called for #GDPR flexibility. However, #META cannot just blackmail the EU into giving up its data protection standards, leaving the EU would be their loss.

— Axel Voss MdEP (@AxelVossMdEP) February 7, 2022

Later in the disclosure, Meta said data privacy regulations in effect or coming into effect in other countries—including the United Kingdom, Brazil, and the United States—could result in limitations to its advertising services and adversely affect its business.

Meta’s stock dropped more than 25 percent in value, or more than $200 billion, on the same day as the disclosure, which included figures that its total number of daily active users had declined for the first time.

The Irish DPC in September announced a 225 million euro (then-U.S. $267 million) fine against Meta subsidiary WhatsApp for violations of the GDPR. The regulator has proposed a separate fine between €28 million and €36 million (U.S. $32 million and $41 million) against Facebook under the law, though the draft decision must be approved by other EU data protection authorities before it can be formally announced.

Axel Voss, a German member of European Parliament who was involved in drafting the GDPR, said Monday in a Twitter post he favors finding an alternative to the EU-U.S. Privacy Shield and GDPR “flexibility.” But he added, “Meta cannot just blackmail the EU into giving up its data protection standards. Leaving the EU would be their loss.”

Privacy campaigner Max Schrems, a driving force behind the end of the EU-U.S. Privacy Shield, commented in a Twitter post Sunday about Meta’s threat to pull out of the European Union, saying it is “amazing how they don’t seem to work on durable solutions.”