Will gazillions of posts, photos, videos and messages on Facebook and Instagram hang forever, photons suspended in the lightbeam of some undersea fibre-optic cable, as transatlantic data transfers finally grind to a long-threatened halt?
That dramatic possibility caused some media hyperventilation weeks ago when the Irish Office of the Data Protection Commissioner (DPC) set an endgame in motion that could halt such data flows, a ubiquitous part of daily business operations for many companies.
In July, the DPC sent a draft decision to fellow European data-protection authorities (DPAs) indicating that Facebook parent company Meta’s transatlantic transfers were non-compliant with European Union data-protection laws and should be stopped.
That finding was the consequence of a Court of Justice of the European Union (CJEU) opinion issued two years ago (the Schrems II decision), that, wait for it, the methods used by Meta to transfer data between the EU and the United States were invalid under EU data-protection laws. Which followed a CJEU opinion seven years ago (the Schrems I decision) that, you guessed it, the methods used by Meta/Facebook to transfer data between the EU and US were invalid under EU data-protection laws.
The Schrems I decision also invalidated the flimsy US-EU Safe Harbour data transfer framework. This was replaced by the Privacy Shield agreement, invalidated by Schrems II (do keep up). Also invalidated was the magical thinking by many lobby groups and corporates — big tech multinationals in particular — that the EU would never really do something so preposterously inconvenient as to actually mean what it said in its data-protection laws. And worse: enforce them.
The Schrems decisions were end responses to different ways of asking the same question, in the hopes that the answer might be more satisfying to the Meta boardroom. Meta and other companies had hoped the General Data Protection Regulation was more like Privacy Shield: a bit of data-protection window dressing nobody had to take seriously. The good old days!
After Schrems I, Meta (and everyone else schlepping data across the Atlantic) gained seven more years in which to keep on transferring information, namely by lawyering up and whipping out the challenge that ended in the Schrems II decision. This proved once again that if you have deep corporate pockets, brandishing the company legal team can profitably elongate the period before anyone has to do anything meaningful after a court decision. The goal has been to kick the can down the road, praying that the EU and US would ultimately, if belatedly, ride to the rescue with (at last) a sound data-transfer agreement.
That was unlikely, to say the least, during the Trump years — yet another of those anomalies where the person elected with, supposedly, a strong business agenda actually ignored a critical issue with large business implications. But then came a new administration. In March, the US and EU made a sudden announcement that suggested (to the gullible) that a new, compliant agreement was near completion.
“The United States and the European Commission have committed to a new Trans-Atlantic Data Privacy Framework, which will foster transatlantic data flows and address the concerns raised by the Court of Justice of the European Union...” the statement began. It then itemised and implied solutions to many big problematic points, mainly around the extraordinarily difficult issue that US surveillance agencies and infrastructure impede the ability to give EU-level data protections to EU citizens’ data.
Meanwhile, time has flown and the DPC has indicated with its July draft decision that the end of the road is near. Data transfers will have to stop. Meta has threatened that it would, possibly, have to stop offering services in Europe. This is so unlikely as to be laughable. The European cash cow generated €29 billion in revenue for Meta last year, second only to the US and Canada. Revenue per EU user increased by 35 per cent.
Oddly, other EU and US companies have watched this unfold as if the problem is only Meta’s. But, if Meta, with all its financial and legal resources, hasn’t yet found a compliant way to transfer data, the same problem exists for everyone else.
A little reprieve arose in August, when the DPC said “a small number” of EU DPAs had objected to its decision. Norway, for one, indicated that it wants a fine as well as a halt to data flows. Going on past form, none is likely to press for a more lenient decision from Ireland. While the DPAs hammer out details, a few more weeks of business as usual have been gained by Meta (and other companies).
However, you can be sure that Meta already has its plan B in place, and withdrawal from the EU is not it. Some legerdemain with EU-based data centres will be at its heart. What other companies plan to do, especially smaller firms, is a mystery. Meanwhile, boardroom thoughts and prayers — not just at Meta, but everywhere — will be with that EU and US negotiating teams, whose efforts to produce a legally viable data-transfer agreement drag on.