Big Tech expresses business-viability concerns in Europe over transatlantic data transfer deadlock
In its 2021 annual report to the U.S Security and Exchange Commission, released earlier this February, Meta noted that the present lack of a framework regulating transatlantic data transfer between the EU and the United States may leave the organization with no choice but to retract its online services, like Facebook and Instagram, from the region. Google also expressed similar concerns in January 2022, highlighting the “lack of legal stability for international data flows” facing the American and European business ecosystem. These concerns from Meta and Google come on the heels of multiple European Court of Human Rights and Data Protection Commissions rulings in European countries that have, in essence, held all current and existing frameworks for data transfer from Europe to the USA to be in breach of the EU’s General Data Protection Regulation (GDPR).
A few landmark events stand out on the timeline leading to the current deadlock. From July 2000 until 2015, the framework regulating data transfers from the EU to the USA was the Safe Harbor Framework. In October 2015, the European Court of Human Rights (ECtHR), in the ‘Schrems I’ ruling, stated that this framework was insufficient in securing EU citizen’s right to privacy since it enabled interference and scrutiny of EU citizens’ data by US public authorities without any grievance redressal mechanisms in place. Resultantly, the Safe Harbor Framework was made defunct, and in 2016, was subsequently replaced by the EU-US privacy shield, which offered additional oversight mechanisms and limitations on data use, among other things. Next, as a result of the heightened protections offered to EU citizens by the 2018 GDPR, which was presented as an international standard for data protection regulations, the privacy shield was also legally challenged, this time in Schrems II. In this case, the ECtHR held that the EU-US privacy shield, like its predecessor, was not in compliance with the level of data protection offered, this time under the GDPR. In addition, it held that any other Standard Contractual Clauses (SCCs) between EU and non-EU countries must afford a level of data protection equivalent to the protection extended under the GDPR. Finally, in the last year, at least three EU Data Protection Authorities have ruled, albeit preliminarily, that Facebook and Google Analytics standard contractual clauses for data sharing are inadequate and not in equivalence to the GDPR protections.
In August 2020, the Irish Data Protection Commission made a preliminary finding that Facebook’s SCC for data transfer from Europe to the USA does not comply with the GDPR. In effect, the commission required Facebook to suspend processing of any European Data on American servers. However, this has not happened yet because it is a preliminary ruling that will be followed by a final ruling in the next few months.
In December 2021, the Austrian Data Protection Authority made similar findings about a local medical news company’s use of Google Analytics, which was found to be in non-compliance with the GDPR since the use of Google Analytics required data transfer to the USA. The French Data Protection Authority followed suit, by making a similar finding about the use of Google Analytics in February 2022.
Considering the growing difficulty global OSPs face carrying out business in European jurisdictions because of the GDPR’s strict data protection mandates, representatives of Facebook, (now Meta) have made statements emphasizing the need for a set of principles that successfully accommodate international data transfers, and highlighting that the “inadequacies in the current framework would result in small European tech-startups not being able to use US-based cloud services” or organizations not being able to set up call centers in a different country. They have noted that despite Meta’s unwillingness to withdraw certain services from Europe, it would be difficult to sustain their business model in Europe without a clear framework for transatlantic data transfers. Google has also emphasized the need for a durable framework in a recent blog post.
Negotiations already underway between European Commission and U.S officials to create a new framework for transatlantic data transfers have recently intensified, even though the Commission states, “they will take time, given the complexities of the issues discussed”. While organizations whose business model relies on transatlantic data transfers wait for the new framework, it remains to be seen whether it, like its predecessors, will have a short life span, in part due to the US’s expansive government surveillance practices, among other reasons, or whether it will stand the test of ‘essential equivalence’, laid out by the ECtHR in its Schrems II decision.
Author: Shreya Tewari, Research Fellow at the Lumen Project