Meta Platforms's stark warning of a retreat from Europe may just be the start, as one of the region's top privacy watchdogs prepares a decision that could paralyze transatlantic data flows and risk billions in revenue for tech giants.
The Irish data protection authority, which polices the Silicon Valley tech giants that have flocked to the nation, is soon to weigh in on the legality of so-called standard contractual clauses used by Meta, Alphabet's Google and others to legally transfer swathes of user data to the U.S. for processing.
Privacy experts say the imminent decision could eliminate one of the only remaining options for Meta and potentially thousands of other companies that rely on shipping vast amounts of commercial data across the Atlantic.
The Irish authority already cast doubt on the legality of the SCCs in an interim opinion, saying they failed a key test of protecting European citizens from the prying eyes of U.S. agencies.
Such is the tension around the ruling, that Meta warned in its latest annual report that it will "likely be unable" to offer services including Facebook and Instagram in the EU if it's unable to use SCCs.
Facebook produced $8.2 billion in revenue in Europe over the last quarter of 2021, about a quarter of global revenue. While the U.K. will count for a significant portion of that and will not be impacted by the ruling on SCCs, the region is a serious money maker for Meta, beaten only by its home market of the U.S. and Canada.
There is no easy work-around. Storing data in Europe may not be feasible for any service based on customer interactions across the world, from gaming to video streaming, because European data rules follow a person's information, no matter where it is.
Meta's business model, like that of Alphabet's Google, relies on collecting enough data to discern what users might be interested in or want to purchase, and to serve them relevant ads. The company is already hampered by Europe's privacy rules and a ban on SCCs would likely make its business model more expensive and less effective to run.
"What's at stake here are the entire data transfers to the U.S. and the services that depend on them," said Johannes Caspar, an academic who recently stepped down as one of Germany's top data protection regulators.
Despite its latest comments in its annual report that it would "likely be unable" to offer Facebook and Instagram in Europe if regulators ruled that SCCs were unfeasible, Meta has also stated -- most recently in a blog post that it's "absolutely not threatening to leave Europe," a plea that Nick Clegg, now Meta's leading policy executive, originally made in Sept. 2020.
"Ongoing uncertainty over data transfers is impacting a large number of businesses and organizations in Europe and in the U.S.," a Meta spokesperson said in an emailed comment.
"The simple reality is that we all rely on data transfers to operate global services. We need a long-term solution to EU-U.S. data transfers to keep people and economies connected and protect transatlantic trade," they said.
Google pointed to a January blog post by Kent Walker, its head of global affairs which called for a rapid end to the impasse over a replacement to a EU-U.S. privacy pact that was struck down by the EU's top court in 2020 over longstanding fears that citizens' data wasn't safe from American surveillance.
"The stakes are too high -- and international trade between Europe and the U.S. too important to the livelihoods of millions of people -- to fail at finding a prompt solution to this imminent problem," he said.
The controversy over data transfers stretches back to 2013, when Edward Snowden exposed the extent of spying by the U.S. National Security Agency.
A surprise 2020 ruling by the EU's highest court toppled the so-called Privacy Shield, a trans-Atlantic transfer pact, over longstanding fears that citizens' data wasn't safe from American surveillance.
But while the separate, contract-based system was upheld, the EU Court of Justice's doubts about American data protection already made this a shaky alternative too.
"For many companies it is virtually impossible to fully comply" with the 2020 EU court ruling, said Tom De Cordier, a technology and data protection lawyer at CMS DeBacker in Brussels. "So, often it is a matter of mitigating your data compliance risks rather than trying to be 100% compliant."
Should the Irish authority double down on its interim opinion over the contractual clauses, the doomsday scenario for Meta and its rivals of a tech blackout has started to emerge.
The Irish authority's decision "could now be a precedent which will cause the whole situation to slide," said Caspar. "It's up to politicians in the U.S. to avoid plunging their tech industry into chaos."
Bloomberg