Though a new draft order from the Irish Data Protection Commission takes aim at Meta’s cross-national data transfer practices, all businesses with an international presence could face new pressure to reform.
Europe could see Meta-owned Facebook and Instagram disabled in short order due to a crackdown by Ireland’s privacy regulators. A draft decision by Ireland’s Data Protection Commission (DPC) yesterday revealed that it aims to block Meta from sending data about European users to the US.
Organizations that rely on cross-Atlantic data transfers could be in hot water
The draft order builds on a 2020 decision by the European Court of Justice that put an end to an EU-US data-sharing agreement called Privacy Shield. Lawmakers were concerned about Privacy Shield’s lack of protections for EU users as they relate to US surveillance practices; American intelligence and surveillance agencies had access to significant amounts of personal information about European users under Privacy Shield.
The move is the latest in a smattering of recent decisions in Europe that aim to crack down on EU-US data transfer policies. If passed, the DPC’s order will serve “another huge blow to the surveillance data economy,” says Shiv Malik, chief executive at Pool Data, a Web3 platform that aims to put data creators in control of their information.
The latest marketing news and insights straight to your inbox.
Get the best of The Drum by choosing from a series of great email briefings, whether that’s daily news, weekly recaps or deep dives into media or creativity.
Meta has said that it may have to shutter Facebook and Instagram services in European markets if the order is passed, since its business relies on seamless data transfers.
“Meta is one of the largest data processing companies in the world — they have global reach and the volume and scope of personal data that they collect and transfer is truly enormous,” says Calli Schroeder, global privacy counsel at Electronic Privacy Information Center, a Washington, DC-based nonprofit organization dedicated to raising awareness about privacy-related issues. “If the draft decision bars them from transferring EU data, my guess is that they will have to set up internal controls to immediately geo-silo Europe to ensure they no longer collect or transfer data from Europe … if they are unable to ensure that no EU data is transferred to the US, Meta would have to stop doing business in the EU until this is resolved.”
Though the DPC’s draft decision is specifically focused on Meta business, other companies could potentially be at risk. Cross-national data transfers are a critical part of most businesses with an international presence. Helen Dixon, head of the DPC, told Reuters earlier this year that there could be “hundreds of thousands of entities” that would be forced to revisit their data transfer practices.
Any company that regularly transfers data on EU users to the US — including other tech titans like Google and Amazon — will likely be feeling the pressure right now, and, per Schroeder, “should consider … what technical and procedural measures they could take” if their ability to transfer data becomes more restricted.
The sentiment is echoed by other experts. “This is … a much broader issue, as foreshadowed, for example, by the growing EU data protection authorities’ rulings on Google Analytics,” says Arielle Garcia, chief privacy officer at ad agency UM Worldwide, referring to regulators’ crackdown on Google Analytics’ privacy practices in a handful of recent cases. “Enforcement of the decision could similarly impact every platform and company moving EU data to the US.”
Beyond the business implications of the DPC’s decision, the move signals a broader concern about the US’ stance on data protection and privacy. “[This move] can … be viewed as a warning from Europe that the US has not taken EU laws and enforcement seriously enough,” Schroeder notes.
A possible solution? A new, more stringent EU-US data transfer agreement. Regulators in both regions have already been negotiating a framework to replace Privacy Shield, and Schroeder predicts that it’s “very likely” they’ll reach a deal. The DPC’s new draft order is likely to increase pressure on regulators to finalize a deal.
But even if an agreement is reached, international businesses like Meta are likely to continue to be scrutinized over their many data handling practices. There’s a fundamental challenge at play, though: many of the criticisms levied at existing data sharing and transferring policies take issue with the reach of intelligence and surveillance agencies — a matter which individual businesses have little to no ability to influence. As it stands, companies can adapt their data collecting, sharing and sales practices in order to remain in compliance with data regulations — but they may still be the subject of undue criticism until surveillance legislation is updated.
As of today, the DPC’s decision remains a draft. It has been shared with other European data protection authorities, which have one month to respond with comments. UM Worldwide’s Garcia predicts that, in light of past reactions to DPC decisions, some data protection authorities will object to the order. A new draft will likely incorporate feedback from these regulatory groups, after which a vote will be held, and a final decision made.
“In the interim,” Garcia says, “we can expect businesses and tech companies in particular to adamantly push for alignment [between the] EU and US government on a replacement framework.”