Ireland and the Internet: Against the flow of data to the USA

First, the headline with which the always well-informed portal Politico recently startled Internet users: “Europe is threatened with a Facebook blackout”. Admittedly, the line “How little regard large Internet platform operators have for the General Data Protection Regulation (GDPR)” would not have been quite as catchy. But that is exactly what this is about, and it is worth taking a closer look at the topic, because there is another dispute behind it: Is the data of European users safe with US companies? The dispute being fought over this could actually result in Facebook and Instagram going offline in Europe.

This is related to the plans of the Irish Data Protection Commission (DPC). Ireland plays an important role in the EU because tech companies like Facebook and Instagram parent Meta have their European branches there (evil tongues say: for tax reasons). The Irish now want to ban Meta from sending user data from Europe to the United States.

The DPC sent its draft decision to the other European data protection authorities at the beginning of the month. They only have until the end of July to comment on it. Meta, in turn, has already threatened, in the event of a final decision against it, to shut down its very popular Instagram and Facebook services in Europe.

So far, Ireland has done little to regulate tech companies

The basic problem: The conditions and protection standards under which user data can be sent from the EU to the USA have been the subject of a great deal of back-and-forth for years. In 2015, the Austrian data protection activist Max Schrems successfully sued against the so-called Safe Harbor Agreement, which had previously regulated data traffic (or, from his point of view: not really regulated).

The EU reached a new agreement with the USA, but the European Court of Justice (ECJ) also overturned this “Privacy Shield” in 2020 after Schrems filed another lawsuit, partly because EU citizens were far less able to sue for their rights in the USA than US citizens.

Since this “Schrems II judgment”, the question of data transfer has been open again. For the transition, platforms like Facebook can get by by having their European users agree to so-called Standard Contractual Clauses, with which each individual allows the transfer of their data. The Irish data protection authority now wants to decree that Facebook can no longer use these clauses either – because, as mentioned, the level of data protection in the USA is insufficient.

The fact that the Irish, of all people, are now leading the way may come as a surprise to some. So far, the authority there was not exactly known for being particularly bold in regulating tech companies. The Federal Data Protection Commissioner Ulrich Kelber even accused his Irish colleagues last year of delaying important proceedings. Max Schrems, in turn, told Netzpolitik.org: “We assume that there is also some show involved.” And that it will drag on. Because the other data protection authorities in the EU can submit requests for changes to the draft from Ireland or object to it entirely.

Experience shows that it can take the Irish DPC months to incorporate the comments of others into their papers. And even if a decision is finally made, Meta can still sue in Ireland, which would delay a final decision on the fate of Instagram and Facebook in Europe by another few months.

Schrems also assumes this. “The simplest thing would be for the DPC to impose a fine. The ECJ ruled that the data transfers of the past few years were illegal,” he is quoted as saying by the NGO None Of Your Business (Noyb), of which he is honorary chairman.

Now even the EU Commission is getting into trouble itself when it comes to data protection

Authorities in other countries are more uncompromising: the data protection authorities in France, Italy and Austria recently banned the Google service Analytics. This allows website operators to create profiles of their users and use them for advertising purposes – this data has also ended up in the USA, which the three authorities found illegal.

And the Danish Data Protection Authority found last week that it “does not meet the requirements” of the General Data Protection Regulation for schools to use Google services such as Gmail or Docs and Google laptops, because the data flows to the USA.

Curiously, even the EU Commission itself is now getting into trouble when it comes to data protection: The NGO European Society for Data Protection announced on Tuesday that it supports the lawsuit of a user from Germany. According to the lawsuit, the Commission uses the US service Amazon Web Services for the website of a “Conference on the Future of Europe” – which apparently sends user data from the EU to an “unsafe third country”.

It could take a while before there is a fundamental regulation between the EU and the USA again. In the spring, EU Commission chief Ursula von der Leyen and US President Joe Biden announced that they had agreed to present a new agreement soon. According to information from Politico, the US government wants a corresponding decree worked out in the next few weeks.

However, once the decree is in place, the EU Commission will probably need another six months to clarify whether all of this really conforms to European data protection rules. So nothing will come of it before 2023. And Max Schrems has already announced: If the next agreement turns out to be as inadequate as the two previous ones, he will complain again.
