Meta warned this was coming, and now it’s almost here.
Following a lengthy investigation, Ireland’s privacy regulator wants to block Facebook and Instagram from transferring any European personal data to the United States. The groundbreaking move would effectively end Europeans’ ability to use the services.
And it’s not just the American social media giant that needs to worry: The Irish Data Protection Commission (DPC) is also moving closer to a draft decision that may result in China’s TikTok finding its own European data flows being cut off.
The big problems for Meta—and indeed other American multinationals, which should be deeply concerned about what’s unfolding here—are the power of U.S. intelligence agencies to collect and access the personal data of foreigners that is held on U.S. servers, and the powerlessness of Europeans to stop them.
These are the same issues that two years ago sunk the “Privacy Shield” agreement between the U.S. and the EU.
That deal allowed American companies to import Europeans’ personal data, even though the U.S. doesn’t have privacy laws that are anywhere close to being as strong as the EU’s—a precondition for any country getting a so-called “adequacy decision” from the European Commission.
Under Privacy Shield (and a preceding program called Safe Harbor, which was similarly struck down by the Court of Justice of the EU in 2015), companies could self-certify that they have EU-grade privacy protections in place. It was a relatively simple way for companies to maintain their transatlantic data flows—however, it did nothing to rein in the powers of U.S. intelligence.
What’s more, there was (and is) no one in the U.S. with independence and power that Europeans can complain to, if they think their European privacy rights are being abused by U.S. agencies. That’s why the court struck down Privacy Shield in 2020.
The court did not cancel the ability of companies to use an alternative legal mechanism, called standard contractual clauses (SCCs)—which is what Facebook and Instagram have been relying on for years, to underpin their Europe-to-U.S. data transfers. However, it made it very clear that if SCCs fall foul of the same issues, they’re not worth the paper they’re written on.
That’s pretty much what the Irish DPC has just decided in Meta’s case. It has submitted a draft decision to its counterparts across the EU—who collectively operate under the umbrella of the European Data Protection Board (EDPB)—and those other regulators now have a month to lodge any objections. After that window, the Irish DPC may have to modify its draft decision, and any differences of opinion will ultimately be settled in an EDPB vote.
Depending on how long this all takes, Europe could be cut off from Facebook and Instagram in late September, or the process could roll into next year.
Based on the fact that privacy regulators in the rest of Europe have if anything been critical of the Irish DPC for not hitting Big Tech hard enough—the companies tend to set up their European operations in Ireland, giving the Irish DPC jurisdiction—it seems unlikely that they will try to push back against the idea of halting Facebook and Instagram’s data flows.
On the other hand, that development could have serious negative effects on European businesses that rely on the services, which could be something that some EDPB members take into account.
Max Schrems, the Austrian lawyer whose complaints against Facebook triggered the downfalls of Safe Harbor, Privacy Shield, and now potentially Facebook’s SCCs, said Thursday that he was skeptical about enforcement.
“Facebook will use the Irish legal system to delay any actual ban of data transfers. Ireland will have to send the police to physically cut the cords before these transfers actually stop,” he said in a statement that criticized the Irish DPC for apparently not fining Facebook for past illegal transfers.
Meanwhile, the EU and U.S. still want to replace Privacy Shield with something new, that won’t end up being struck down by the Court of Justice.
They said in March that they had reached an agreement in principle, but although the U.S. has promised to provide more intelligence oversight and finally give Europeans a real redress mechanism, there’s little in the way of detail yet, and it is certainly not yet clear whether a final agreement would satisfy the European courts. Fortune understands the agreement will come at the end of this year at the earliest, and possibly later.
If the U.S. really does rein in its intelligence agencies and give Europeans a useful point of contact for complaints, that could rescue Facebook and Instagram’s SCCs, too. For now, that’s a big if—but Meta is counting on it.
“This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and U.S. law which is in the process of being resolved,” the company said in a statement. “We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”
A spokesperson for the Irish DPC confirmed to Fortune on Thursday that it has submitted the draft decision to the EDPB—news that was first reported by Politico—but would not discuss its contents.
However, the DPC’s spokesperson did reveal a major advance in the regulator’s investigation of TikTok, the ByteDance-owned video-sharing app that has recently become a major threat to its U.S. social-media rivals.
Last year, the DPC opened two probes into TikTok. One regards the way TikTok processes children’s data—TechCrunch reported a couple of weeks ago that a draft decision on this case could come toward the end of August. The second probe is about TikTok’s transfers of personal data to China, and that’s what is moving forward now.
Essentially, the Irish watchdog has identified issues that need addressing, and on Thursday it formally notified TikTok of its concerns, so the company can respond.
“In relation to our inquiry that’s currently open into TikTok’s transfers to China, we have today issued a statement of issues to TikTok, and we await their submissions,” the Irish DPC’s spokesperson told Fortune. “Once those submissions have been received, we will progress to drafting a preliminary draft decision.”
A TikTok spokesperson said the firm could not comment on an ongoing investigation and was “continuing to fully cooperate with the DPC.”
The EU isn’t the only territory that’s concerned about what happens to the personal data TikTok takes from its users.
With no small amount of irony, given the power of the U.S.’s own intelligence agencies, American senators and regulators have recently stepped up their warnings that the data could be vulnerable to Chinese intelligence agencies. One FCC commissioner has even urged Apple and Google to pull TikTok from their iPhone and Android app stores.
TikTok vigorously denies sharing U.S. data with the Chinese government and says it would never do so. However, Chinese intelligence laws would make it difficult for TikTok to turn down such a demand—and as far as the Europeans are concerned, that could essentially leave TikTok in the same boat as its rivals, Facebook and Instagram.