<https://www.wired.com/story/facebook-eu-us-data-transfers/>
Facebook faces trouble in Europe—and Meta wants you to know about it.
Every three months since June 2018, the company has used its financial
results to warn that it could be forced to stop running Facebook and
Instagram across the continent—potentially pulling its apps from
millions of people and thousands of businesses—if it can’t send data
between the EU and the US.
Whether Meta’s bluffing will become clear soon enough.
Data regulators are on the verge of making a historic ruling in a
years-long case, and they are expected to say Facebook’s data transfers
across the Atlantic should be blocked. For years, Meta has fought
against European privacy activists over how data is sent to the US, with
courts ruling multiple times that European data isn’t properly protected
and can potentially be snooped on by the NSA and other US intelligence
agencies.
While the case focuses on Meta, it has widespread ramifications,
potentially impacting thousands of businesses across Europe that rely
upon the services of Google, Amazon, Microsoft, and more. At the same
time, US and European negotiators are scrambling to finalize a
long-awaited new data-sharing deal that will limit what information US
intelligence agencies can get their hands on. If negotiators can’t get
it right, people’s privacy will remain at risk and billions of dollars
of trade will be put in jeopardy.
At the start of July, the Irish Data Protection Commission, Facebook’s
main data regulator in Europe, issued a draft decision that would block
Meta from sending data across the Atlantic. While the specifics of that
draft decision aren’t known, if it is enacted, it could create a
Facebook blackout across Europe.
Under the GDPR, Europe’s data law, countries across the continent get 30
days to scrutinize Ireland’s Meta decision and respond with any
potential changes or complaints. That time is now up. A spokesperson for
the Irish regulator says “some” objections have been received from a
“small” number of other countries and it is working to address these.
Experts say these are likely to be minor points of law, rather than
overturning the entire decision.
So, how likely is it that Meta will actually pull its services from
Europe? In reality, the chances are probably pretty slim. Meta has said
it has “no desire” to leave the continent, going as far as publishing a
blog post titled “Meta Is Absolutely Not Threatening to Leave Europe.”
Europe’s 30-plus countries are a large market for Meta, and stopping
services, even temporarily, could be costly. (A close comparison is when
the company briefly banned news posts in Australia in early 2021,
following a row with publishers.) While Meta may not leave Europe, it
may have to make changes to how it stores and transfers data once the
final decision from the Irish regulator is published, although there is
no set timeline. It may also face a fine.
“My guess is that Meta is going to have to look at some form of
geo-siloing if they want to continue to operate in the EU,” says Calli
Schroeder, global privacy counsel at the Electronic Privacy Information
Center, a nonprofit digital rights research organization. Schroeder, who
previously worked with companies on international data transfers, says
this approach could mean Meta would have to create its own servers and
data centers in the EU that aren’t connected to its broader databases.
Advertisement
Harshvardhan Pandit, a computer science research fellow at Trinity
College Dublin who is researching the GDPR, says that as data
authorities are still considering Meta’s case and a final decision
hasn’t been published yet, they could include several caveats or steps
that Meta should take to fall in line. For instance, one recent data
protection decision in Europe gave a six-month period for a company to
make changes to its business.
“I think the most pragmatic solution would be for them to create the
European infrastructure, like Google or Amazon, which have quite a few
data centers here,” Pandit says, adding that Meta could also introduce
more encryption to how it stores data and maximize how much it keeps in
the EU. All these measures would be costly, though. Jack Gilbert,
director and associate general counsel at Meta, says that the issue “is
in the process of being resolved.” Facebook did not respond specifically
to questions about its plan to respond to the Irish decision.
European officials have twice ruled that systems put in place to share
data between the EU and US don’t properly protect people’s data—the
complaints have been ongoing since the early 2010s. European courts
ruled that international data-sharing agreements weren’t up to scratch
first in 2015 and then again in July 2020, when the Privacy Shield
agreement was ruled illegal.
See What’s Next in Tech With the Fast Forward Newsletter
From artificial intelligence and self-driving cars to transformed
cities and new startups, sign up for the latest news.
Your email
By signing up you agree to our User Agreement (including the class
action waiver and arbitration provisions), our Privacy Policy & Cookie
Statement and to receive marketing and account-related emails from
WIRED. You can unsubscribe at any time.
“All that the EU is asking for when organizations transfer data to other
countries is to protect that data in line with the GDPR,” says Nader
Henein, a research vice president specializing in privacy and data
protection at Gartner. “The issue is that laws in the US that protect
the data of ‘nonresident aliens’ are woefully insufficient and make it
very difficult for organizations like Facebook to comply with local law
and the GDPR.”
While Meta is the focus of the most high-profile complaint, it isn’t the
only company impacted by a lack of clarity on how companies in Europe
can send data to the US. “The data transfer issue is not Meta-specific,”
David Wehner, Meta’s chief strategy officer, said in a July earnings
call. “It relates to how in general data is transferred for all US and
EU companies back and forth to the US.”
The impacts of the July 2020 decision to get rid of Privacy Shield are
now being felt. Since January of this year, multiple European data
regulators have ruled that using Google Analytics, the company’s
traffic-monitoring service for websites, falls foul of the GDPR. Danish
authorities went even further: Schools can’t use Chromebooks without
restrictions being put in place. “There is a ton of legal uncertainty,
and there is a significant compliance risk,” says Gabriela
Zanfir-Fortuna, vice president of global privacy at Future of Privacy
Forum, a nonprofit think tank.
Most Popular
Politicians are well aware of the problems. In March, US president Joe
Biden and European Commission president Ursula von der Leyen announced a
new Trans-Atlantic Data Privacy Framework, which will change the way
data is sent between the EU and US. The deal, which will be introduced
by executive order, will limit what data US intelligence agencies can
access and will create a new system where Europeans can complain if they
think they’ve been illegally spied upon by US agencies.
However, since the deal was announced, no specifics—including any legal
texts—have been published. In June, officials said the deal could be
published in the coming weeks, but so far, there has been little public
progress. The US Department of Commerce says discussions are still
taking place, including a meeting between both sides last week. (A
European Commission spokesperson says work on the new agreement is
ongoing, but they do not have a timeline that can be shared.) The longer
the negotiations take, the more blocking orders will drop. “Obviously,
if that framework is not complete, we would be in jeopardy of being able
to transfer data,” Facebook’s Wehner said earlier this year.
The deal is likely to take a while yet. “Realistically, at this point,
we're looking at a potential adequacy decision for this Trans-Atlantic
data transfers framework sometime next year—maybe the first quarter of
next year,” Zanfir-Fortuna says. Once the details have been published,
EU officials will spend months scrutinizing the specifics to see if they
fall in line with court orders.
And they won’t be the only ones pouring over it. Privacy activists and
lawyers will also be looking at the agreement and could launch further
legal challenges if they find that data moving from Europe to the US
still isn’t protected strongly enough. “The continued challenges are not
unwarranted, particularly considering the Snowden revelations and the
prevalence of Big Tech firms coming out of the US,” Schroeder says. “As
a whole, America really needs to make sure we rise to the challenge of
showing that we can be good stewards of the industry that we're trying
to be leaders in.”
_______________________________________________
nexa mailing list
[email protected]
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
