First the headline with which the always well-informed portal Politico recently startled Internet users: “Europe is threatened with a Facebook blackout”. Admittedly, the line “How little regard large Internet platform operators take for the General Data Protection Regulation (GDPR)” would not have been quite as catchy. But that’s exactly what it’s all about, and it’s worth taking a closer look at the topic, because there’s a dispute again: Is the data of European users safe with US companies? The conflict over this issue could actually lead to Facebook and Instagram going offline in Europe.
This is related to the plans of the Irish data protection authority Data Protection Commission (DPC). Ireland plays an important role in the EU because corporations like Meta, the parent company of Facebook and Instagram, have their European branches located there, angry tongues say: for tax reasons. The Irish now want to ban Meta from sending user data from Europe to the United States.
The DPC sent its draft decision to the other European data protection authorities at the beginning of July. They only have until the end of the month to comment. Meta, in turn, has already threatenedin the event of a final decision against him, to shut down his very popular Instagram and Facebook services in Europe.
The basic problem: Under which conditions and protection standards user data can be sent from the EU to the USA has been the subject of a great deal of back and forth for years. In 2015, the Austrian lawyer and data protection activist Max Schrems successfully sued against the Safe Harbor Agreement, which restricts data traffic previously regulated or, from Schrem’s point of view, not regulated.
It is difficult for EU citizens to sue for data protection violations in the USA
The EU agreed a new agreement with the US: the Privacy Shield. However, the European Court of Justice (ECJ) overturned this in 2020 and Schrems filed another lawsuit, partly because EU citizens are far less able to sue for their rights in the USA than US citizens.
Since this “Schrems II judgment” the data transfer question has been open again. For a transitional period, platforms like Facebook are allowed to make do with their European Users agree to the transfer of their data via standard contractual clauses allow. The Irish data protection authority now wants to close this back door and Facebook should no longer be allowed to use the clauses. Because, as I said, the level of data protection in the USA is insufficient.
It may come as a surprise that Ireland of all places is leading the way. So far, the Irish DPC has not been known for wanting to regulate tech companies particularly briskly. Of the Federal Data Protection Commissioner Ulrich Kelber accused his Irish colleagues last year even delaying important proceedings. Max Schrems in turn now said Netzpolitik.org: “We assume that there is also some show involved.” And that it will take time, because the other data protection authorities in the EU can submit requests for changes to the Irish draft or object to them entirely. Experience shows that it can take months for the DPC to incorporate the comments of the European partners into its papers. And even if the regulation is in place, Meta can still sue against it. That would delay a final decision on the fate of Instagram and Facebook in Europe by more months.
Schrems also assumes this. “The simplest thing would be if the DPC would impose a fine. The ECJ has ruled that the data transfers of the past few years were illegal,” he is quoted as saying NGO None Of Your Business (Noyb), whose CEO is Schrems.
Denmark wants to ban Google from schools
Data protection authorities in other countries take more uncompromising action against the violations. For example, Austria, France and Italy banned the Google service Analytics. This allows website operators to create profiles of their users and use them for advertising purposes – this data also ends up in the USA, which the three authorities have found illegal. In Denmark, too, people take a close look. In the past week, the competent authority complained that it met the requirements contradicts the General Data Protection Regulation when schools use Google services such as Gmail or Docs and Google laptopsbecause the data flows to the USA.
The EU Commission itself is now responsible for a curiosity in the matter: On Tuesday announced the NGO European Society for Data Protectionthat she supports a plaintiff from Germany. Accordingly, the Commission uses for their Website for a “Conference on the Future of Europe” the US service Amazon Web Services – which apparently sends user data from the EU to an “unsafe third country”.
It could be some time before the European Union and the USA agree on a new basic regulation. EU Commission chief Ursula von der Leyen and US President Joe Biden announced in the spring that they had agreed to present a new agreement soon. And according to information from Politico, the US government wants to have a corresponding decree drawn up in the next few weeks. But it’s not done with that.
Once the decree is in place, the EU Commission should need a good six months to clarify whether it really conforms to European data protection rules. So before 2023 it will be nothing. and Max Schrems has already announced: If the next agreement is as inadequate as the previous ones, he will sue again.