By Robert Bateman
Facebook has said it is “not clear” how it will continue to provide Facebook and Instagram in the European Union if it is forced to comply with a recent legal ruling.
The company’s associate general counsel made the comments in a Sept. 10 filing with the Irish High Court. Facebook, based in Menlo Park, Calif., has been ordered to suspend data transfers from the E.U. to the U.S., following a landmark legal case known as “Schrems II.”
But some legal experts told Digital Privacy News that Facebook was quite capable of complying with the E.U.’s rules, while others considered the comments to be a “bluff.”
“It is perfectly doable and low-cost — especially for such an incredibly wealthy company,” said Stefano Rossetti, data-protection lawyer at the Austrian legal organization behind the Schrems II case, NOYB, the European Center for Digital Rights.
“We don’t think that shutting down Facebook services in Europe — a market of 520 million people — would make much sense.”
But a Facebook spokesperson countered to Digital Privacy News: “Facebook is not threatening to withdraw from Europe.
“Legal documents filed with the Irish High Court set out the simple reality that Facebook and many other businesses, organizations and services rely on data transfers between the E.U. and the U.S. in order to operate their services.
“A lack of safe, secure and legal international data-transfers would damage the economy and hamper the growth of data-driven businesses in the E.U., just as we seek recovery from COVID-19,” the spokesperson said.
Before the July 16 Schrems II decision, U.S. companies could rely on two main legal mechanisms to facilitate data-transfers from the E.U.
These were compliance with the Privacy Shield framework and use of the standard contractual clauses provided by the European Commission.
The Court of Justice of the European Union (CJEU) ruled that the Privacy Shield framework did not provide E.U. users’ data with sufficient protection from U.S. government surveillance.
The court also ruled that organizations using standard contractual clauses should include additional privacy safeguards.
No ‘Disruption’ to Facebook
Rossetti told Digital Privacy News, however, that the decision did not prevent Facebook from operating in Europe.
“The CJEU’s ruling does not disrupt Facebook’s business model,” he said. “Rather, it only calls for adjustments.”
He argued that Facebook had several options.
“Facebook could finally localize its servers in Europe and implement other technical measures to block, or at least hinder, U.S. surveillance,” Rossetti said.
Rights vs. Dollars
Alexander Hanff, a data-privacy expert and CEO of the Swedish consultancy Think Privacy, told Digital Privacy News that it was “highly unlikely” that Facebook would follow through on its threat, which he argued was “a bluff.”
“It is long overdue that the E.U. starts to enforce the law in favor of our fundamental rights — rather than dollars,” Hanff said.
“Facebook extracts very significant revenues from its E.U. operations,” he explained. “That data is also used by many of their global customers, so the impact would not be restricted to E.U. businesses.”
Hanff added that, if it pulled out of the E.U., Facebook could be breaching its legal obligation to act in the best interests of its shareholders, which could lead to “class-action litigation.”
Asked whether he thought Facebook’s business model was compatible with E.U. law, Hanff said: “The answer to that is very obvious: an absolute and explicit ‘no.’”
But the situation is not new, he noted.
“This has always been the case and is not some new revelation due to the Schrems II,” Hanff said. “The court merely verified that their activities were illegal based on existing law, which has not changed, in this respect, for 25 years — long before Facebook existed.”
Hanff said that the E.U. should address these issues through “data-sovereignty measures, such as developing E.U. infrastructure, to make us less reliant on technologies from regions and organizations which do not respect E.U. law.”
Others, however, argue that Facebook’s comments have been misinterpreted.
“Those comments hold as true for Facebook as for any other company moving data between the U.S. and the E.U.,” Heather Burns, a tech-policy specialist in Glasgow, told Digital Privacy News.
“There needs to be a political and legal process, in the wake of the Schrems II ruling, to create the mechanism to allow that data to continue to flow,” she said.
According to Burns, Schrems II highlighted a “lack of data-protection equivalence” between the U.S. and the E.U. The Privacy Shield’s data-transfer mechanism attempted to “patch over” this problem.
Following the invalidation of Privacy Shield, a new data-transfer structure is required. Burns said existing infrastructure could be used to resolve this.
But a much harder problem arising from Schrems II, Burns posed, is how to resolve “the lack of a right of individual redress for E.U. citizens whose data is swept up into U.S. surveillance mechanisms.”
She argued that no clear solutions for businesses like Facebook might exist.
“The individual redress issues will require a wholly internal review of U.S. surveillance laws, systems and safeguards — including the creation of oversight mechanisms that do not currently exist,” Burns said.
“It remains to be seen how committed the United States will be — in the middle of a pandemic, climate emergencies, racist homicides, a mass-collective delusion and a contested presidential election — to taking that work forward.”
Robert Bateman is a writer in Brighton, UK.