Meta and the rest of the U.S. tech scene are in a real bind when it comes to Europe. Thanks to a series of legal rulings and regulatory decisions in recent years, Meta lacks any legal basis for exporting Europeans’ personal data to the U.S.—and although these cases have revolved around the Facebook parent, the same applies to other American companies, particularly in the consumer internet business.
Their only hope is that the European Commission—the EU’s executive body—quickly comes up with a new, long-lasting transatlantic data-sharing agreement to replace the two that have already been struck down by the bloc’s top court. Being a political animal, the commission is trying its best to make this happen. But as of this week, it’s increasingly looking like those efforts will be doomed.
If that does turn out to be the case, Meta will almost certainly have to withdraw Facebook and Instagram from the European market, which accounted for 22% of the company’s revenue last quarter, and its U.S. peers could quickly find themselves in the same boat.
This is a long-running saga. If you’d like to catch up, here are our pieces on when the first such agreement (Safe Harbor) got killed in 2015, when its successor (Privacy Shield) was similarly struck down in 2020, and when Ireland’s privacy regulator decided last year that Facebook and Instagram also couldn’t use a backup legal mechanism to export personal data to the U.S.
However, the key point is quite simple: U.S. intelligence agencies have broad discretion to poke around Europeans’ personal data when it lands in U.S. data centers, and Europeans have no way to stop this from happening. That violates their data-protection rights under European law—hence the imminent threat of those data transfers being blocked.
The commission proposed a fresh data-sharing pact in December, a couple months after President Biden signed an executive order adding some safeguards to U.S. intelligence practices. Before it can cement the agreement, the commission has to first run it through the European Parliament and the European Data Protection Board, which is the umbrella body for the EU’s privacy regulators. Neither has the power to nix the deal, but their disapproval would nonetheless make it hard for the commission to formalize the agreement while retaining credibility.
The European Parliament’s civil liberties committee delivered its draft opinion a couple days ago, and it’s a big fat “no.” (The final opinion should be out next month, with a full parliament vote following in April.)
In its draft verdict, the committee said Biden’s executive order was unclear and imprecise, and failed to stop U.S. intelligence from collecting Europeans’ data in bulk—EU law requires targeted surveillance. It also criticized the “Data Protection Review Court” that the order would set up for Europeans who want to stop U.S. spies hoovering up their communications, saying it would operate in secrecy and lack independence from the White House.
“The EU-U.S. Data Privacy Framework fails to create actual equivalence [to EU law] in the level of protection,” the committee wrote, urging the commission not to follow through with the deal. We can expect the European Data Protection Board to release its own opinion in a few weeks, and I would be extremely surprised if its verdict wasn’t roughly the same.
Again, these opinions are not binding, and the commission could press ahead with the agreement nonetheless. But if that’s how it plays out, the commission would be roundly attacked in Europe for ignoring citizens’ fundamental rights in the name of political expediency—and the EU’s top court would probably strike the deal down in a couple years anyway. If the aim is to give U.S. tech firms certainty that they can keep operating legally in Europe, that’s not going to happen anytime soon.
David Meyer
Data Sheet’s daily news section was written and curated by Andrea Guzman.