There were a flurry of articles this week falsely alleging that Meta is “threatening” to shut down Facebook and Instagram in Europe. In response, European leaders indignantly responded “good riddance,” arguing that they would be just fine without the social network. Perhaps these leaders simply did not read beyond the headlines, but if they had, they would have quickly realized that Meta’s disclosure was not meant as a slight against Europe or an indication of an unwillingness to abide by its rules, but rather a warning sign that if policymakers do not resolve the issue of transatlantic data flows satisfactorily, many businesses will face an existential crisis in Europe.
The news about Meta’s future in Europe stems from misreporting over a statement in an annual report the company filed with the U.S. Securities and Exchange Commission. As required by law, Meta disclosed to investors risks and uncertainties that could impact its bottom line. As part of this filing, Meta noted that if it does not have a lawful means to transfer data between Europe and the United States, it may not be able to offer its services in the region. Many companies previously relied on the EU-U.S. Privacy Shield, an agreement crafted between the EU and the United States, to remain in compliance with the General Data Protection Regulation (GDPR), which imposes restrictions on foreign data transfers. However, the European Court of Justice invalidated that agreement, forcing companies to retreat to a “Plan B”—a legal mechanism known as Standard Contractual Clauses (SCCs). But with SCCs also facing new scrutiny and at risk of similarly being deemed unacceptable by regulators, many companies may be left with no remaining viable options.
Facebook explains the problem quite clearly in its filing (emphasis added):
If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results. For example, the Privacy Shield, a transfer framework we relied upon for data transferred from the European Union to the United States, was invalidated in July 2020 by the Court of Justice of the European Union (CJEU). In addition, the other bases upon which Meta relies to transfer such data, such as Standard Contractual Clauses (SCCs), have been subjected to regulatory and judicial scrutiny. In August 2020, we received a preliminary draft decision from the Irish Data Protection Commission (IDPC) that preliminarily concluded that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with the General Data Protection Regulation (GDPR) and preliminarily proposed that such transfers of user data from the European Union to the United States should therefore be suspended. We believe a final decision in this inquiry may issue as early as the first half of 2022. If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.
Again, Meta was not threatening to leave Europe, it was disclosing to investors the risk that the lack of a legally valid data transfer mechanism would have on its business. But rather than heed this warning, many EU policymakers have responded with outrage at Meta. MEP Axel Voss argued “Meta cannot just blackmail the EU into giving up its data protection standards.” Robert Habeck, the German Economy Minister, noted, “I’ve lived without Facebook for four years and life has been fantastic. The European Union is such a big internal market with so much economic power that if we act in unity we won’t be intimidated by something like this.” Similarly, Bruno Le Maire, the French Finance Minister, stated, “I can confirm that life is very good without Facebook and that we would live very well without Facebook. Digital giants must understand that the European continent will resist and affirm its sovereignty.”
Unfortunately, these comments show how poorly many policymakers understand the problem. After all, if policymakers do not create a successor to the EU-U.S. Privacy Shield and maintain the validity of SCCs, the biggest impact will not be that Facebook and Instagram cannot operate their services in Europe, it will be that thousands of businesses in virtually every major industry will face similar legal challenges, seriously harming transatlantic digital trade. The problem is not unique to Meta and attempts to treat it as such only harm efforts to find a resolution.
To move forward, EU policymakers should expedite their efforts to craft a successor to the EU-U.S. Privacy Shield and updated SCCs that will withstand future court challenges. They will of course need to work with their U.S. counterparts, but since the problem largely stems from the GDPR’s inflexibility when it comes to transferring data abroad, ultimately the EU will need to be the one chiefly responsible for a solution, unless it plans to turn its back not just on Meta but the entire transatlantic data economy.