Facebook states in its SEC filing, "if a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on Standard Contractual Clauses [now also subject to new judicial scrutiny] or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations."
The filing continues to say such legislation "may also result in limitations on our advertising services"
The comments are in relation to the Schrems II decision, which is a key ruling by the Court of Justice of the European Union which, in July 2020, declared the Privacy Shield, the EU/S personal data transfer mechanism was no longer lawful. The Privacy Shield is US law that provided US authorities with the right to collect personal data about EU data subjects without, the Court says, adequate safeguards. Further, the judgement states EU data subjects lacked effective means to seek redress against the US Government.
This action itself harks back to 2011 when Austrian lawyer, activist, and author Maximillian Schrems pored through 1,222 pages of information Facebook held about him. He discovered details he believed he had deleted, and others he had not consented to be shared and lodged a complaint with the Irish data protection commissioner (as Facebook falls under Irish Jurisdiction, where it settled for tax reasons).
Fast forward today and with the European General Data Protection Regulation (GDPR) well in force, the US Privacy Shield principles were found non-compliant and consequently invalid.
The Schrems II ruling affects every American company, and not solely Facebook. It includes Google, Microsoft, and Amazon whose cloud services form the backbone of most of the Western World’s Internet. As such, the road to Schrems II will be a long and slow one as courts and industry navigate their way through the ramifications of the judgement.
|
|
Previously, Google Analytics and Google Fonts have been before the court where it was asserted that Google Fonts was sending personal data such as IP address to another service without permission, and without a clear and valid reason to do this.
While some fear Europe will alienate itself from the major cloud providers, and the Google Fonts ruling sets a precedent in cases where content is served from a content distribution network or CDN, there are other legal regimes in place that are approved to send EU data to the US. While Schrems II invalidates Privacy Shield, the legal protections afforded to Standard Contractual Clauses and Binding Corporate Rules continue to be in effect.
Nevertheless, Facebook is threatening it will simply pull out of Europe altogether if it is no longer able to share data about European users with its US operations, applications, and data centres. While the European Court of Justice states personal data is less well-protected in the US than in Europe, Facebook says (via side-line.com) stopping transatlantic data transfers will have a devastating impact on the company, which relies on the processing of user data to power its targeted online advertisements capabilities.
Meta's response
A Meta spokesperson advised iTWire, "We have absolutely no desire and no plans to withdraw from Europe, but the simple reality is that Meta, and many other businesses, organisations and services, rely on data transfers between the EU and the US in order to operate global services. Like other companies,we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to operate a global service. Fundamentally, businesses need clear, global rules to protect transatlantic data flows over the long term, and like more than 70 other companies across a wide range of industries, we are closely monitoring the potential impact on our European operations as these developments progress.”
Meta highlights the relevant excerpt from its SEC filing says, "We are also subject to evolving laws and regulations that dictate whether, how, and under what circumstances we can transfer, process and/or receive certain data that is critical to our operations, including data shared between countries or regions in which we operate and data shared among our products and services. For example, in 2016, the European Union and United States agreed to a transfer framework for data transferred from the European Union to the United States, called the Privacy Shield, but the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union (CJEU). In addition, the other bases upon which Meta relies to transfer such data, such as Standard Contractual Clauses (SCCs), have been subjected to regulatory and judicial scrutiny."
"For example, the CJEU considered the validity of SCCs as a basis to transfer user data from the European Union to the United States following a challenge brought by the Irish Data Protection Commission (IDPC). Although the CJEU upheld the validity of SCCs in July 2020, our continued reliance on SCCs will be the subject of future regulatory consideration. In particular, in August 2020, we received a preliminary draft decision from the IDPC that preliminarily concluded that Meta Platforms Ireland's reliance on SCCs in respect of European user data does not achieve compliance with the GDPR and preliminarily proposed that such transfers of user data from the European Union to the United States should therefore be suspended. Meta Platforms Ireland challenged procedural aspects of this IDPC inquiry in a judicial review commenced in the Irish High Court in September 2020. In May 2021, the court rejected Meta Platforms Ireland's procedural challenges and the inquiry subsequently recommenced."
"We believe a final decision in this inquiry may issue as early as the first half of 2022. If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations."
To be clear, Meta states to iTWire its concern over Schrems II is not targeted ads but is about the company's ability to transfer data securely and safely between the US and EU.
iTWire has asked further clarifying questions and will update this story when able.
