Europe Ordered Facebook to Stop Sending User Data to the United States

Facebook is facing the prospect of having to shut down its European operation after a regulator in Ireland ordered it to stop sending user data across the Atlantic.

The Irish Data Protection Commission, which is the regulator that oversees Facebook’s actions in Europe, sent the social media giant a preliminary order late last month to stop sending user data to the U.S., according to a Wall Street Journal report Wednesday

In order to comply with the order, Facebook would have to either reengineer its entire operation to keep European user data entirely separate from data collected elsewhere in the world, or it may have to shut down European service entirely — at least temporarily.

If Facebook fails to comply with the preliminary order, the Irish DPC has the power to fine the company up to 4% of global revenue, or almost $3 billion. 

Facebook transfers data from its European users to its U.S.-based servers in order to serve those users more targeted ads. Disrupting this process would make it more difficult for Facebook to make as much money as it does from each user.  

Facebook made an average of $13.21 from each European user in 2019. While this is a fraction of the money it makes from North American users ($41.41) it’s significantly more than it makes from users elsewhere in the world. 

The DPC’s action is the first major step taken by a European regulator since a landmark court ruling in July that struck down Privacy Shield, a legal mechanism for transferring data from the EU to the U.S. The court said the mechanism was invalid as European users had no legal recourse to challenge U.S. government surveillance.

At the time Facebook said the ruling wouldn’t impact its operations as it relied on a different tool — known as Standard Contractual Clauses (SCCs) — to send data collected on users in Europe back to servers based in the U.S.  The Court of Justice of the European Union at the time said SCCs were valid.

But now it appears that the Irish regulator has another view. 

The Irish DPC told VICE News it was not commenting on the report.

However, Facebook’s VP of Global Affairs and Communications Nick Clegg confirmed that the Irish regulator had been in touch as part of an on-going inquiry it was conducting into Facebook’s data transfer policies.   

“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-U.S. data transfers and has suggested that SCCs cannot in practice be used for EU-U.S. data transfers,” Clegg said in a blog post published Wednesday evening. “While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”

For now, Facebook says it is going to continue to use SCCs meaning that initially at least, nothing will change for users in Europe. However, if the Irish regulator does enforce the order, it could mean that European Facebook users wouldn’t be able to access Facebook’s services until the company reconfigured its setup to stop sending data across the Atlantic.

While the Irish regulator has only issued an order to Facebook at the moment, the decision could have a much wider impact on companies on both sides of the Atlantic, and Clegg sought to use those concerns to make this case about more than just Facebook.

“The impact would be felt by businesses large and small, across multiple sectors,” Clegg said. “In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call center in Morocco.”

Clegg also pointed out that Ireland’s own COVID-19 tracking app relies on SCCs to transfer data to the U.S. for processing.

As well as having a huge impact on Facebook’s ability to sell ads to its users in Europe, the decision could also have a positive impact on privacy in the U.S. according to one expert. 

“If the Irish DPC follows through on the notice, I believe you’ll see US lawmakers scramble to reinstate better adequacy between U.S. and EU data protections — although in this case “scramble” could still be a timeframe of a few years,” Cillian Kieran, a privacy compliance expert and CEO of privacy startup Ethyca, told VICE News. “In the end, a move like this could absolutely speed up progress on a U.S. federal privacy law as major platforms will be brought to their knees if trans-Atlantic data transfers are shut down.”

Cover: In this photo illustration a Facebook logo seen displayed on a smartphone with a street in the background. (Omar Marques / SOPA Images/Sipa USA)(Sipa via AP Images)