Meta says it may have to abandon the European Union.
The note was buried in the company’s annual filing with the Securities and Exchange Commission. Meta said that if officials on both sides of the Atlantic can’t reach an agreement on data transfers and warehousing, the company may have to pull its Facebook and Instagram platforms from Europe.
“If a new transatlantic data transfer framework is not adopted… we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe,” Meta said in its 10-K filing.
At this point, the statement is probably less of a threat and more an acknowledgment of the regulatory headwinds that the American company faces in the European Union. The SEC requires publicly traded companies to disclose issues that may affect profits and losses, and few things are more profitable for Facebook than user data.
“We have absolutely no desire and no plans to withdraw from Europe, but the simple reality is that Meta, and many other businesses, organizations, and services, rely on data transfers between the EU and the US in order to operate global services,” a Meta spokesperson told Ars. “We are closely monitoring the potential impact on our European operations as these developments progress.”
Initially, Meta, then known as Facebook, relied on the EU-US Privacy Shield, a framework that regulated data transfer across the Atlantic. The Court of Justice of the European Union ruled in July 2020 that the agreement was invalid but let companies use Standard Contractual Clauses, which are essentially boilerplate that the European Commission had “pre-approved.” The clauses allowed data to be transferred from the EU to another country and still be compliant with the General Data Protection Regulation, or GDPR.
The use of those clauses, though, was challenged by Max Schrems, an Austrian privacy activist who has challenged several EU privacy laws and decisions. In response, the Court of Justice of the European Union ruled that US law did not ensure an “adequate level of protection,” particularly from mass surveillance by the US government. For the data transfers to be valid, US law would have to be “essentially equivalent to those required under EU law”—a high hurdle to clear. In September 2020, Meta/Facebook was granted a temporary freeze on the order, which allowed it to continue data transfers under the Standard Contractual Clauses for the time being.
The case had come up through the Irish court system, and it forced that country’s Data Protection Commission to review Meta/Facebook’s use of Standard Contractual Clauses to see if it could clear the hurdle. In a preliminary decision, the Irish regulator said it did not.
In the 10-K filing, Meta said that a final decision from the Irish regulator could arrive in the next few months. If the regulator decides that Meta’s data privacy safeguards aren’t up to par, it could end data transfers outside the EU.
In earlier court filings, Meta/Facebook warned that it might have to pull out of Europe if officials and courts can’t agree on data transfer regulations, though Meta VP of Global Affairs and Communications Nick Clegg has previously denied that would happen, saying that such a move would imperil Europe’s small and medium-sized businesses because of their reliance on targeted ads.
But the new filing suggests that Meta’s business may be in peril if European law forces the company to halt data transfers to the US. If the company were to pull Facebook and Instagram from the market, it would “materially and adversely affect our business, financial condition, and results of operations,” Meta said in the SEC filing.