Meta will be unable to offer Facebook and Instagram in Europe if regulators there determine that the current legal basis used by the company for cross-border data transfers is invalid, the company said in a filing with the US Securities and Exchange Commission.
The European Union’s General Data Protection Regulation (GDPR) prescribes the grounds under which data can be transferred from the EU to a third country, and the Irish Data Protection Commission (IDPC) issued a preliminary draft decision in August 2020 stating that Facebook is not in compliance with the regulation. A final decision in this inquiry is expected in the first half of 2022, the company said.
“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.” – Meta
The outcome of this issue has notable implications for India because the Data Protection Bill, 2021, which was tabled in the parliament last December, has equally stringent restrictions, if not more, on cross-border data transfers as the GDPR.
How can companies transfer data from the EU to a third country and why is Facebook having trouble?
According to the GDPR, data transfers from the EU to a third country are allowed under the following grounds:
- Adequacy: If the European Commission has declared that a third country offers an adequate level of protection, then data can be sent to entities in the country without any further safeguards or being subject to additional conditions.
- Appropriate safeguards such as SCCs: In the absence of an Adequacy Decision, data transfers can take place if there are appropriate safeguards that provide users enforceable rights and effective legal remedies. Such safeguards include binding corporate rules between companies, contractual arrangements such as the standard contractual clauses (SCCs) approved by the European Commission, or adherence to a code of conduct or certification mechanism.
- Other specific situations: In the absence of the above two, transfers can be made “based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.”
Why is Meta having compliance issues with GDPR?
- Invalidation of EU-US Privacy Shield: Facebook initially relied on the EU-US Privacy Shield framework, which was declared as adequate by the European Commission, for transfers between the EU to the US. But this framework was invalidated in July 2020 by the Court of Justice of the European Union (CJEU).
- Reliance on SCCs does not achieve compliance: Following the invalidation of Privacy Shield, Facebook has been relying on Standard Contractual Clauses (SCCs), but these are currently under regulatory and judicial scrutiny. The Irish Data Protection Commission (IDPC) preliminarily concluded in August 2020 that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with GDPR and proposed that such transfers of user data from the EU to the US should be suspended. Facebook challenged procedural aspects of this IDPC enquiry in September 2020, but in May 2021, the court rejected Meta’s procedural challenges and now a final decision in this enquiry is expected in the first half of 2022, Meta said in its filing.
“If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results.” – Meta
Implications for India
India’s Data Protection Bill stipulates that all sensitive and critical personal data must be stored in India and can only be transferred outside India under certain conditions:
- Adequacy: Sensitive personal data can be transferred outside India based on countries meeting adequacy requirements, which will be determined by the government along with the Data Protection Authority.
- Contract or intra-group scheme: Sensitive personal data can be transferred outside India based on a contract or intra-group scheme approved by the Data Protection Authority in consultation with the government. This is similar to SCCs of GDPR, but India’s version is more cumbersome and onerous because there is no standard template provided and the central government needs to approve the contract.
In its SEC filing, Meta notes the problems this Bill can pose:
“Some countries, such as India, are considering or have passed legislation implementing data protection requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our services. New legislation or regulatory decisions that restrict our ability to collect and use information about minors may also result in limitations on our advertising services or our ability to offer products and services to minors in certain jurisdictions.”
Facebook says it does not want to leave Europe
In response to numerous reports suggesting that Facebook is “threatening” to leave Europe, the company on February 8 published a blog post denying any such reports. The company said:
“There has been reporting in the press that we are “threatening” to leave Europe because of the uncertainty over EU-US data transfers mechanisms. This is not true. Like all publicly-traded companies, we are legally required to disclose material risks to our investors. Last week, as we have done in our previous four financial quarters, we disclosed that continuing uncertainty over EU-US data transfers mechanisms poses a threat to our ability to serve European consumers and operate our business in Europe.”
Facebook added that “international data transfers underpin the global economy and support many of the services that are fundamental to our daily lives” and that “businesses need clear, global rules to protect transatlantic data flows over the long term.”
Update (February 9, 9:23 am): Added comments from Facebook’s blog post
Get our white paper on the Data Protection Bill 2021 in your inboxWe may also reach out occasionally with our coverage of the Data Protection Bill and more.
- Data Protection Bill 2021: Summary Of Data Localisation Norms And Restrictions On Cross Border Data Transfers
- Data Protection Bill: Issues Around Cross-Border Transfer Approval, Data Localisation, Adequacy, And Exemptions To Foreign Data #NAMA
- Europe’s Top Court Strikes Down EU-US Privacy Shield
Have something to add? Post your comment and gift someone a MediaNama subscription.