Meta may be forced to suspend services in Europe due to data transfer issues – but this is only the first domino to fall
Although a new draft order from the Irish Data Protection Commission targets Meta’s cross-border data transfer practices, all companies with an international presence could face new pressures to reform.
Europe could see Facebook and Meta-owned Instagram deactivated before long due to a crackdown by Irish privacy regulators. A draft decision from the Irish Data Protection Commission (DPC) revealed yesterday that it seeks to prevent Meta from sending data about European users to the United States.
Organizations that rely on transatlantic data transfers could be in hot water
The draft order builds on a 2020 ruling by the European Court of Justice that ended a data-sharing agreement between the EU and the United States called Privacy Shield. Lawmakers were concerned about the lack of Privacy Shield protection for EU users regarding US surveillance practices; US intelligence and surveillance agencies have had access to large amounts of personal information about European users under the Privacy Shield.
This decision is the latest in a series of recent decisions in Europe aimed at cracking down on data transfer policies between the EU and the United States. If passed, the DPC order will deal “another blow to the surveillance data economy”, says Shiv Malik, chief executive of Pool Data, a web3 platform that aims to give data creators control of their information.
Meta said it may have to shut down Facebook and Instagram services in European markets if the order goes through because its business relies on transparent data transfers.
Although the DPC’s proposed decision specifically focuses on Meta’s business, other businesses could potentially be at risk. Transnational data transfers are essential to most companies with an international presence. Helen Dixon, head of the DPC, told Reuters earlier this year that there could be “hundreds of thousands of entities” that would be forced to review their data transfer practices.
Any company that routinely transfers user data from the EU to the US — including other tech titans like Google and Amazon — will likely feel the pressure right now and, according to Schroeder, “should consider…what technical and procedural measures it might take” if its ability to transfer data becomes more restricted.
The sentiment is shared by other experts. “This is…a much broader issue, as foreshadowed by, for example, the growing rulings by EU data protection authorities on Google Analytics,” says Arielle Garcia, chief privacy officer at advertising agency UM Worldwide, referring to regulators’ crackdown on Google Analytics’ privacy practices in a handful of recent cases. “Enforcement of the ruling could have a similar impact on every platform and company transferring data from the EU to the US.”
Beyond the commercial implications of the DPC’s decision, this decision signals a broader concern about the United States’ position on data protection and privacy. “[This move] can…be seen as a warning from Europe that the US has not taken EU laws and enforcement seriously enough,” Schroeder notes.
A possible solution? A new, stricter EU-US data transfer agreement. Regulators in both regions have already negotiated a framework to replace Privacy Shield, and Schroeder predicts it’s “highly likely” they’ll reach an agreement. The DPC’s new draft order is likely to increase pressure on regulators to finalize a deal.
But even if a deal is struck, international companies like Meta will likely continue to come under scrutiny for their extensive data handling practices. However, a fundamental challenge is at play: many criticisms leveled at existing data sharing and transfer policies challenge the reach of intelligence and surveillance agencies – an issue over which individual companies have little or no influence. As things stand, companies can adapt their data collection, sharing and selling practices to stay compliant with data regulations – but they can still be subject to undue criticism until surveillance legislation is updated.
To date, the DPC’s decision remains in draft form. It has been shared with other European data protection authorities, who have one month to respond with comments. UM Worldwide’s Garcia predicts that in light of past reactions to the DPC’s rulings, some data protection authorities will oppose the order. A new draft will likely incorporate input from these regulatory groups, after which a vote will take place and a final decision will be made.
“In the meantime,” says Garcia, “we can expect businesses and tech companies in particular to push emphatically for alignment [between the] EU and US governments on a replacement framework.”