In July 2020, the Schrems II decision issued and the European Commission’s adequacy decision for the EU-US Privacy Shield Framework was invalidated. Further, and broader than the invalidation of Privacy Shield adequacy decision, the Schrems II judgement found that US surveillance measures interfered with what are considered “fundamental rights” under EU law, i.e., the rights to respect for private and family life, including communications, and the protection of personal data.
Following Schrems II, companies reevaluated their policies and practices surrounding the transfer of personal information out of the EU, and the safeguards (under the GDPR) that they rely on for those cross-border data transfers. While there has been some guidance, there has been no replacement for the EU-US Privacy Shield, and US surveillance practices remain a problem under the GDPR. Since then, more decisions have issued, making it even harder for companies that thought they had a solution. For example, we reported a few weeks ago that while Google was transferring Google Analytics data to US servers for processing – purportedly under the belief that the data was not personal information, and thus did not fall under the GDPR – an Austrian data regulator recently found Google’s practice to violate the GDPR. According to the Austrian data regulator, because Google uses IP addresses and cookie data identifiers to track information about web site visitors, that data is personal information.
This put a lot of the big US tech companies in a tough situation. While some thought a solution to this was to move processing of personal information about European subjects to the EU, Meta has recently taken a different stance—stating in its annual report last Thursday, February 3, that it is considering shutting down Facebook and Instagam in Europe if it can’t keep transferring data back to the U.S. The annual report states, on page 9:
In August 2020, we received a preliminary draft decision from the Irish Data Protection Commission (IDPC) that preliminarily concluded that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with the General Data Protection Regulation (GDPR) and preliminarily proposed that such transfers of user data from the European Union to the United States should therefore be suspended. We believe a final decision in this inquiry may issue as early as the first half of 2022. If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCC’s or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.
Some news outlets have reported this as a “threat.” In fact, a European lawmaker, Axel Voss, went so far as to call it “blackmail”: “#META cannot just blackmail the EU into giving up its data protection standards, leaving the EU would be their loss.” That said, the statement does not read like a threat in the annual report. It comes across as a matter-of-fact statement, i.e., if Meta cannot figure out any way to comply with the GDPR, it is going to have to stop transferring the restricted data from Europe to the United States. It would seem that a lot of US companies would have similar statements in their annual reports – which is, we may have to stop transferring personal information from the EU to the US and there are only two ways to do this: (1) keep processing the data, but process it outside the US (in the EU, or a country without data surveillance issues like in the US), or (2) stop processing the data/serving the EU market. Obviously the former takes a lot more time, effort, money and planning, even if it is a long-term solution for some entities. It will be interesting to see how this plays out.