Meta Platforms Inc.’s stark warning of a retreat from Europe may just be the start, as one of the region’s top privacy watchdogs prepares a decision that could paralyse transatlantic data flows and risk billions in revenue for tech giants.
The Irish data protection authority, which polices the Silicon Valley tech giants that have flocked to the nation, is soon to weigh in on the legality of so-called standard contractual clauses used by Meta, Alphabet Inc.’s Google and others to legally transfer swathes of user data to the US for processing.
Privacy experts say the imminent decision could eliminate one of the only remaining options for Meta and potentially thousands of other companies that rely on shipping vast amounts of commercial data across the Atlantic.
The Irish authority already cast doubt on the legality of the SCCs in an interim opinion, saying they failed a key test of protecting European citizens from the prying eyes of US agencies.
Such is the tension around the ruling that Meta warned in its latest annual report that it will “likely be unable” to offer services including Facebook and Instagram in the EU if it’s unable to use SCCs.
Facebook produced US$8,2 billion in revenue in Europe over the last quarter of 2021, about a quarter of global revenue.
While the UK will account for a significant portion of that and will not be impacted by the ruling on SCCs, the region is a serious money maker for Meta, beaten only by its home market of the US and Canada.
There is no easy work-around. Storing data in Europe may not be feasible for any service based on customer interactions across the world, from gaming to video streaming, because European data rules follow a person’s information, no matter where it is.
Meta’s business model, like that of Alphabet’s Google, relies on collecting enough data to discern what users might be interested in or want to purchase, and to serve them relevant ads.
The company is already hampered by Europe’s privacy rules and a ban on SCCs would likely make its business model more expensive and less effective to run.
“What’s at stake here are the entire data transfers to the US and the services that depend on them,” said Johannes Caspar, an academic who recently stepped down as one of Germany’s top data protection regulators.