What is at stake as the region works with the United States to finalize a new agreement on how to handle transatlantic data flows is highlighted by reports of a potential shutdown of Meta services Facebook and Instagram in the European Union that could take place as soon as this summer.
The Irish Data Protection Commission (DPC) informed the other data protection authorities (DPA) of its draft decision on the legality of Meta's transfers of EU data to the US on Thursday. The DPAs have one month to review the decision, which according to Politico would stop Meta from exporting data between the EU and the US.
Although the Irish DPC acknowledged sending the draft decision, it withheld its specifics.
The company would probably pull Facebook and Instagram from the European Union, as Meta has previously stated, "which would materially and adversely affect our business, financial condition, and results of operations."
Since the EU's top court ruled in 2020 that U.S. law does not offer the same level of data protection as the European Union under the latter's General Data Protection Regulation, the possibility of such a result has existed (GDPR). Since that time, companies like Meta have relied more heavily on standard contractual clauses (SCCs) and other safeguards to make sure that data transfers are compliant. However, those SCCs are insufficient to protect some businesses from potential legal liability.
On a new procedure for compliant transatlantic data flows, the United States and the European Union tentatively agreed in March. However, neither side has provided many updates since then. According to reports, including Politico, the negotiations have stalled and a final agreement is unlikely to be reached before the end of the year. If this is the case, the Irish DPC's Meta decision will be an important one for all businesses that rely on SCCs.
Some people do not anticipate this to be the case, among them privacy advocate Max Schrems. In a news release for his data rights organization NOYB, Schrems, whose legal challenges led to the demise of the previous EU-U.S. data transfer frameworks Privacy Shield and Safe Harbor, stated that he anticipates DPAs to disagree with some aspects of the Irish DPC's decision and that Ireland will take its time to address the objections.
Additionally, according to Schrems, "Facebook will use the Irish legal system to delay any actual ban of data transfers. Ireland will have to send the police to physically cut the cords before these transfers actually stop. "
The European Commission lists the following as the fundamental tenets of the data transfer framework that the European Union and the United States have tentatively agreed upon: "binding safeguards to limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security" and "a new two-tier redress system to investigate and resolve complaints of Europeans on access of data by U.S. Intelligence authorities, which includes a Data Protection Review Court." Legal experts predict that if the new framework does not adequately address concerns about U.S. surveillance, it may suffer the same fate as the Privacy Shield and Safe Harbor that came before it.
A Meta spokesperson responded to the situation in light of the most recent action by the Irish DPC by saying that, "this draft decision, which is subject to review by European data protection authorities, relates to a conflict of EU and U.S. law which is in the process of being resolved. We welcome the EU-U.S. agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities, and economies connected."
By fLEXI tEAM