“The rug.” That’s how privacy activist Max Schrems began a tweet reacting to yesterday’s news that the Irish Data Protection Commission will act to stop Facebook from sending European citizens’ data overseas to the United States.
Schrems, the individual most responsible for this development, was accurate to characterize this as a rug being pulled out from under the feet of the world’s biggest social network. But in truth, this is the opening gambit of a new data privacy chapter that could take years to unfold.
Why Are EU Regulators Acting Now?
Some background context: EU citizens’ data is protected by the provisions of the General Data Protection Regulation (GDPR). It’s a law that affords far greater privacy protections to European data “subjects” than any federal law in the United States (some laws, like California’s CCPA, approach GDPR in their level of data privacy protection, but they remain state-level.) Importantly, the provisions of GDPR apply to EU citizen data no matter where it resides in the world.
This is the root of the issue at hand. In the middle of July, the Court of Justice of the European Union, ruling on a case brought by Schrems, struck down an adequacy agreement called Privacy Shield. This was a diplomatic solution to lubricate the trans-Atlantic data pipeline in the absence of GDPR-type protection for European data that crossed the ocean.
While there are still some legal avenues for EU-US data flows, invalidating the Privacy Shield sent a message that the EU was willing to flex geopolitical muscle to guarantee data privacy protection for its citizens.
Clamping Down On Data Flows
Now, the rug. Facebook’s European headquarters are in Ireland, and so its data practices are subject to the authority of the Irish Data Protection Commission. The order to cease transmitting data overseas to the US – if enforced – would have massive impacts on everything from employee payroll to advertising, ie, Facebook’s core business.
It’s a big “if”. There will be legal challenges that could take years to unwind. What’s more, the broad implications of staunching data flows are so serious that stakeholders will work mightily to prevent a shutdown. Facebook is already on the offensive to highlight this. In a press release, it cited the precedent the enforcement of this order could create:
A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU… In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. In truth, this is hardly scaremongering from Facebook.
So, How Does This Play Out?
Though Facebook’s pronouncement seems dire, it’s a fairly accurate assessment of what would happen if user data could no longer flow out of the European market to other regions. In my opinion, that simply won’t be allowed to happen. There are three scenarios, as I see it, for how this story might unfold…
Scenario One: A Return To “Adequacy”
The EU and US regroup to fashion another adequacy agreement to paper over regulatory imbalances that persist between regions. In a Brookings institute virtual panel the morning after the story broke, EU Commissioner Didier Reynders hinted at a willingness to revisit and strengthen the Standard Contractual Clauses that persist as an option for data transfer out of the EU. This may be the most straightforward option. However, so long as privacy evangelists like Schrems operate, any adequacy agreement that doesn’t protect EU data overseas is likely to be challenged and, as we saw in July, invalidated.
Scenario Two: Death By A Thousand Legal Cuts
The Irish DPC’s order is diluted by a thousand legal cuts over the next few years of legal wrangling. This doesn’t resolve the larger issue in a definitive way, but it may allow the EU to send a symbolic message without meaningfully affecting the way large companies do business. I don’t think this is what will happen because the prolonged uncertainty of this scenario will be intolerable to key actors.
Scenario Three: Fast-tracked Federal US Privacy Law
The big one. A federal US privacy law that grants sufficient protection for genuine adequacy between the EU and the United States. There are so many factors that go into passage of such a consequential piece of legislation, but the scenario of a trans-Atlantic data pipeline shutdown adds real urgency to the need for a viable long-term solution. Many of the US’s biggest companies are already lobbying for a federal privacy law. If the Irish DPC moves to enforce its order to Facebook, those calls will grow much louder, much quicker.
As mentioned at the outset, either of these three scenarios would unfold over the course of years, not months. So it’s too soon for the “average” data-driven multinational to hit any panic button. Nevertheless, we are out of the “calm before the storm” phase of the CJEU’s Schrems II ruling. Yesterday we felt the first clap of thunder.