Facebook recently hit the headlines when it told a court in Ireland that it might have to stop offering its services in Europe.
The context of this statement was a decision of the Court of Justice of the European Union, earlier this summer, which cast doubt on the ability for organisations in Europe to continue sending personal data to the US. Facebook argues that it relies on data transfers between the EU and the US to operate its services. So, should we be getting ready for a future without Facebook or Instagram? And what might this row tell us about the future of international data transfers?
I wrote about the Schrems II case and its possible implications for international transfers back in July. The case involved the transfer of personal data from Facebook’s European HQ in Ireland to Facebook in the US. After the European court’s judgment, the proceedings moved back to Ireland, where Ireland’s Data Protection Commissioner is tasked with enforcing the rules.
The Commissioner has now issued a preliminary notice requiring Facebook to stop data transfers to the US, which is being challenged by Facebook. The reason for Facebook’s continued legal action, despite repeated defeats, is obvious – international data transfers are a crucial part of its business model.
“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19 … Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term … The EU has led the way in establishing a framework for data protection that protects and empowers users. Privacy rules will continue to evolve, and global rules can ensure the consistent treatment of data wherever it is stored.”
In the age of Brexit and increasing protectionism, this plea for global rules may seem far-fetched, even naive. However, there is a clear trend internationally towards standardised data protection rules. In 2019 the European Commission granted an adequacy decision to Japan, which allows data to flow freely between the EU and Japan. The decision followed Japan’s implementation of new data protection rules. And only last month, Brazil adopted its new data protection law. Even the US, which has traditionally not had comparable privacy laws, has seen a move towards increased regulation. The California Consumer Privacy Act, which shares some common features with the European GDPR, came into force in January this year. There are also moves in Congress to enact a federal law, the so-called SAFE DATA Act (Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act). However, it may be some time before anything resembling a comprehensive US data protection law is passed.
The irony for Facebook is that it is precisely the strong rules set by the EU, which Facebook is continuing to challenge through the courts, that are driving this global trend towards ever closer standards of data protection. Many of the new laws we have seen around the world are very closely influenced by EU data protection law. The GDPR is seen as very much the gold standard for protecting individual rights and ensuring accountability for how personal data is used. So Nick Clegg may get his wish for a standard set of global rules thanks in no small part to Facebook’s courtroom defeats.
While standards are converging elsewhere, the UK appears to be going in the opposite direction. Brexit will, of course, allow the UK to change data protection rules away from European (and increasingly global) standards.
Here, the UK government is sending out some very mixed messages. In its recently launched National Data Strategy, the government states that “… we know that regulatory certainty and high data protection standards allow businesses and consumers to thrive. We will seek EU’ data adequacy’ to maintain the free flow of personal data from the EEA, and we will pursue UK’ data adequacy’ with global partners to promote the free flow of data to and from the UK and ensure that it will be properly protected.” Elsewhere, however, the Strategy talks about ‘lifting the compliance burden’ of data protection rules, which certainly hints at relaxation of the rules.
Ultimately, the future of Facebook and Instagram in Europe is likely to depend on profitability rather than data protection rules. Despite the posturing and some apocalyptic predictions, international data transfers are too valuable to businesses for them to stop suddenly.
The EU’s continued insistence on high data protection standards may be causing difficulties today for global companies such as Facebook. Still, it is leading us slowly towards common international standards for tomorrow. And ultimately that will be good news for all businesses- even Facebook.