Published by The Lawfare Institute
On May 22, 2023, the Irish Data Protection Commissioner (DPC) ordered Meta to stop transferring EU personal data to the United States. Such transfers underpin Meta’s EU business, which makes up approximately 10 percent of its global revenue. To boot, the DPC imposed a fine of 1.2 billion euros (about $1.3 billion) against Meta’s Irish subsidiary responsible for the transfer of EU data and ordered Meta to remedy the fact that EU personal data was already in the U.S. by bringing that data “into compliance” with the EU General Data Protection Regulation (GDPR).
A billion-dollar-plus fine—a sum greater than the Irish defense budget and the EU’s largest ever for a privacy violation—alongside an order to stop practices that have become so commonplace, if not essential, to the internet’s promise of easy global communications is a wake-up call. It is a wake-up call not just for the internet but also for national surveillance, which faces the challenge of increasing distrust among nations, including among traditional allies.
As historic and consequential as this enforcement against one company is, it is important to understand what this record fine does not represent. This is not a fine for over-collection of data by a company often criticized for its ubiquitous data gathering, or for that company’s business model of offering free services at the price of advertising targeted based on personal data, or for misusing data in unexpected or harmful ways. On the whole, the enforcement stems not from what Meta did—other than engage in a practice of transferring personal data to a country, which thousands of other companies engage in—but from what U.S. surveillance authorities could do with that data and the rights and recourse that exist for non-U.S. persons when their data is used by U.S. surveillance authorities.
The decision has enormous implications, not just for Meta or other companies based in the United States but also for companies around the world that seek to provide services to the European market. The reality is that countless companies (and even nonprofit organizations), both American and European, likely commit the same data protection violation for which Meta faces a $1.3 billion penalty: After all, they also transfer data to the United States, using “electronic communications services” that are subject to U.S. government directives issued under the Foreign Intelligence Surveillance Act’s Section 702. Of course, most of these organizations would not face fines nearly as severe because they are unlikely to transfer the volume of data or earn the revenue that Meta does. But the penalty would be painful nonetheless, and the prospect of having to stop data flows to the United States to avoid further pains would be devastating to many companies.
Many observers have worried that the World Wide Web could be carved up into national or regional zones. The historic fine issued by the Irish data protection authority against Meta in May suggests that such concerns have reached a crisis level, imperiling data transfers from the EU to the U.S., at least until stronger controls over U.S. surveillance law are in place and recognized as adequate by the EU.
Snowden and Schrems
Meta’s travails began 10 years ago this month with Edward Snowden’s revelations of widespread electronic signals gathering by the U.S. National Security Agency. Disclosures related to hitherto unknown U.S. surveillance practices and programs, such as PRISM, and how they extended to data on non-U.S. persons, catalyzed action and activism in Europe.
Those revelations drove the Court of Justice of the European Union (CJEU) in 2015 to invalidate the EU-U.S. Safe Harbor—an agreement that facilitated data transfers from the EU to certified U.S. companies—on account of the lack of “essential equivalence” between U.S. and EU privacy protections. That case was the result of a complaint brought by the Austrian Max Schrems, who was then a law student. After the EU approved a new mechanism for data transfer to the United States, Schrems would challenge the lawfulness of using other GDPR-sanctioned mechanisms to transfer data to the United States and, in doing so, brought about the demise of the successor to the Safe Harbor—the EU-U.S. Privacy Shield—in July 2020. The CJEU in Schrems II found U.S. surveillance practices to lack some of the hallmarks of EU privacy protections: “necessary and proportionate” limits on the collection of personal data by U.S. surveillance authorities and the existence of effective redress functions for individuals.
Having eliminated two EU-U.S. adequacy agreements, Schrems turned his focus on Meta—one company amid the thousands that had relied on the “adequate” transatlantic pipeline. In the absence of an EU-sanctioned “adequate” U.S. framework for transfers, companies like Meta resorted to reliance on alternative organization-level mechanisms to legally effect such transfers. By far the most prevalent is use of standard contractual clauses that bind non-EU data importers to the privacy standards that bind EU data exporters. One study found that 94 percent of organizations turned to these standard contractual clauses to legally effect transfers of data from the EU to the U.S. following Schrems II. Mindful of the risk that those contractual commitments may not count for much if abrogated by overriding laws and practices in the country of the data importer, the European Data Protection Board—comprising each of the EU member state data privacy supervisory authorities—released guidance as to when EU data can be transferred internationally, under what conditions, and what “supplementary measures” could be utilized to legally effect the transfer.
Notwithstanding seemingly favorable commentary by the Irish DPC about Meta’s diligence around its privacy safeguards, no measures implemented by a private organization—not even those with the resources of Meta—could fill the purported gaps that exist in U.S. surveillance law and practice.
Such an order raises two prospects of operational consequence for Meta. The first is the option to cease transfers of EU data to the United States. The second is to somehow shield EU data in the U.S. from U.S. surveillance authorities. Neither is likely to be practical or desirable.
Meta’s Solution 1: Just Stop Transferring Data
Meta has suggested that it needs to transfer personal data to the U.S. in order to offer services in the EU. In its 2021 Annual Report, Meta warned that it might be unable to operate its main services, including Facebook and Instagram, if it were unable to transfer data from Europe across the Atlantic: “If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.” Similar warnings were sounded in subsequent investor disclosures and, incidentally, by dozens of other companies.
Some companies have gone the way of localizing data in-territory as a way of mitigating or altogether avoiding the risk and concerns of conflicts of law. Microsoft has its appropriately named EU Data Boundary available for some of its enterprise data. TikTok has its U.S.-based Project Texas, which is serving as inspiration for its move toward a European version titled Project Clover. The hope for localized data processing as a means of engendering regulatory certainty and customer trust is often premised on theories akin to the merits of stashing cash under the mattress. Localizing practices can introduce new or heightened security vulnerabilities, threaten to fragment the functioning of the internet, and undermine the efficacy of law enforcement and national security practices, especially those with a cross-border component.
It appears unlikely that, despite its continued investment in EU data centers, Meta will want or be able to provide its EU services without some means of routing EU data to its headquarters in the U.S.
Meta’s Solution 2: End-to-End Encryption
Assuming Meta proceeds with transferring EU data to the U.S., a nearly decisive way to avoid U.S. surveillance laws is to make that data nearly impossible to read, so that turning it over essentially reveals nothing. Encryption is a neat solution in theory. In practice, this would require end-to-end encryption at all parts of the data processing life cycle in order to be confident that surveillance authorities cannot obtain access to personal data. It would effectively require Meta itself to never be able to read the data. After all, if Meta holds the encryption key, the National Security Agency could possibly order it to turn over that data in an unencrypted form or to hand over the key. Such end-to-end encryption would undermine Meta’s business model, which, as we’ve said, relies on advertising that is targeted based on users’ personal information. It would also make it difficult for Meta to engage in routine content moderation and fraud detection, including the detection of what Meta calls “coordinated inauthentic behavior.” Finally, law enforcement agencies on both sides of the Atlantic would be displeased with having less access to information.
The root causes of the enforcement directed at Meta—European perceptions of U.S. surveillance overreach—are not matters that Meta can address. Lancing the boil is a measure that only governments with competence for law enforcement and national security matters can perform.
Next Steps for Policymakers
Many eyes and clocks are fixed on the ongoing transatlantic work to finalize a third data adequacy framework. In the eleventh hour, there is work on both sides of the pond. Significant reforms to U.S. laws and practices, ushered in by Executive Order 14086 and accompanying Attorney General regulations, are undeniable improvements to the privacy safeguards that were assessed by the CJEU as wanting in Schrems I and II. Those enhancements are limited so as to be applicable only to the citizens of “qualifying states” that offer comparably reciprocal rights to U.S. persons when U.S. data is in that state. The U.S. is yet to designate the EU as a qualifying state, with such designation necessarily needing to account for important differences between the EU member states, each of which is competent for its own national security laws and practices. Across the pond, the European Commission has concluded preliminarily that the reformed U.S. rules and practices are “adequate” to protect European personal data. That assessment, which is snaking its way through the EU’s internal process for adoption, depends on the U.S. designating the EU a “qualifying state.” The prevailing expectation, supported by statements from high-level representatives on both sides, is that the new adequate EU-U.S. agreement—the Data Privacy Framework—will be online this summer.
Such an arrangement, anticipated in short order, will put in place a data transfer framework that many have been calling for since the demise of the Privacy Shield. It would also relieve Meta from having to turn off the taps for its transatlantic transfers, something it would otherwise be required to do by October this year.
The long-awaited and forthcoming transatlantic triumph is only one piece, albeit an important piece, in an increasingly fragmented and unstable global puzzle for international data transfers. Indeed, that puzzle contains many puzzles within puzzles. For all their ease from the perspective of the organizations relying on them as a legal mechanism for transfer, adequacy decisions have proved cumbersome to scale up. The EU-U.S. Data Privacy Framework would bring the EU’s list of “adequate” destinations to 15. That’s after over 25 years of reviewing countries to see if they have adequate protections. Even the UK, which left the EU in part to be more fleet of regulatory foot, has found the task of assessing countries to be labor intensive and has increasingly spread its bets across different initiatives.
Now extrapolate those challenges further afield. The proliferation of GDPR-type laws around the world has resulted in over 70 countries with similar but independent powers to assess the “adequacy” of other countries’ law. The numbers are similar for countries covered by different versions of standard contractual clauses. Then there are those countries with even more restrictive gateways to lawfully transfer data and countries that require the local storage of data as a condition of doing business in-territory. Mapping an organization’s data transfers is one challenge. Navigating the complex web of unilateral and bilateral mechanisms is of a different, more challenging order. That’s before the near impossible task of finding (if they exist) and assessing (if they’re accessible) the extent to which laws and practices pertaining to national security and law enforcement undercut privacy protections. Past and current criticisms laid at the door of the U.S. are not unique to the U.S. Indeed, many of the countries found adequate by the EU before the Schrems jurisprudence have their own vulnerabilities to legal challenge, to say nothing of the laws and practices that exist among EU member states.
Also, keep in mind that any hard-fought determination of adequacy would still leave out most of the world as inadequate to receive personal data from the European Union without elaborate and expensive safeguards.
It is against that backdrop that many rightly laud multilateral initiatives taking on both the complex web of different transfer mechanisms and the lack of trust and standardization when it comes to surveillance. On the former, initiatives such as the Global Cross-Border Privacy Rules Forum stand out and appear to be gathering momentum with the commitments being made by some of the fastest growing and most established digital economies to the design of a more scalable multilateral data transfers certification mechanism. There is also momentum, albeit more limited than the Global CBPRs, behind the modernized Convention 108—a legally binding instrument of the Council of Europe—which creates a data flows bloc for all signatories apart from EU member states.
On surveillance, there is no greater accelerant toward establishing and promoting trust than the “landmark” OECD (Organization for Economic Cooperation and Development) agreement on the principles for government access to data for the purposes of national security and law enforcement. That all OECD members could, on matters of profound sensitivity and national specificity, articulate principles that they agree are good and commonly held is no small feat. That those same countries were of one voice in how they “reject any approach … that, regardless of the context, is inconsistent with democratic values and the rule of law, and is unconstrained, unreasonable, arbitrary or disproportionate” suggests there might just be a paradigm shift in perspective to focus on bad actors.
The concatenation of circumstances that followed the Snowden revelations, spearheaded in large part by Max Schrems and now his organization None of Your Business, has undoubtedly prompted sharper scrutiny of and reforms to surveillance laws. The economics of modern digital trade have fused with national security equities, and the importance of trust has prevailed as both a journey and a destination to securing both. The importance of trust in data transfers, what that trust can enable, what its absence curtails, and the strategic dividends associated with coalescing around shared principles has risen to the top of the geopolitical in-box for presidents and prime ministers. Hopefully they can come together and avoid the sort of total breakdown that would further fragment the internet.