LONDON — Facebook faces a potential ban on the transfer of Europeans’ data to the United States. That would be a “massive blow” to the social networking giant, according to experts, and has serious implications for other large American tech firms.
Last week, Ireland’s High Court dismissed a challenge from Facebook over a regulatory inquiry that could lead to a ban on the flow of its user information from the European Union to the U.S.
It comes after a landmark ruling from the EU’s top court invalidated the use of Privacy Shield, a framework for the transatlantic sharing of data.
The decision was a victory for Max Schrems, an Austrian privacy activist who has taken Facebook to task over how it handles data on European citizens. Schrems argued that, in light of revelations from American whistleblower Edward Snowden, U.S. law did not offer sufficient protection against surveillance by public authorities.
In September, Ireland’s Data Protection Commission sent Facebook a preliminary order to stop using an alternative tool, known as standard contractual clauses, to send user information from the EU to the U.S.
Facebook said this measure would threaten its European operations and secured a temporary freeze on the order.
Now, the way Facebook transfers data from the EU to America is once again under threat. On Thursday, the Irish High Court will hold a short hearing where it is expected to lift a stay on the DPC’s order and its inquiry into Facebook’s EU-U.S. data flows.
“Like other companies, we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to provide a global service and connect people, businesses and charities,” a Facebook spokesperson told CNBC.
“We look forward to defending our compliance to the DPC, as their preliminary decision could be damaging not only to Facebook, but also to users and other businesses.”
‘Massive blow’
In the event that Facebook is forced to stop transferring Europeans’ information to the U.S., experts believe the company will likely be required to process EU data within the bloc. And the fallout from the European Court of Justice’s original ruling could affect many more U.S. tech firms.
“In reality Facebook would have to ‘split’ its service into a European and a U.S. service,” Schrems told CNBC by email.
“The absolutely ‘necessary’ transfers (e.g. when a U.S. user is sending a message to an EU user) can still happen between these two systems. The rest needs to stay in Europe (or in another safe country). Obviously Facebook will do everything to avoid that.”
The move “could be a massive blow for the revenue model of Facebook,” which has more than 400 million monthly active users in Europe, according to Cillian Kieran, founder and CEO of data privacy software start-up Ethyca.
“The recent ruling, and the potential suspension of Facebook’s data flows, suggest serious challenges for other U.S. companies to conduct international business, especially those with fewer resources than Facebook to navigate legal procedures,” Kieran told CNBC.
Many U.S. internet giants — including Apple and Google — have established their European headquarters in Ireland. Ireland’s DPC is the lead privacy regulator for these companies.
“The news raises the stakes for U.S. businesses to meet global standards for data protection, not only to earn users’ trust in the marketplace but also — on a more fundamental level — to be able to bring their product to important markets in the first place,” said Kieran.
The European Data Protection Board — an independent European body tasked with ensuring consistent application of the EU’s GDPR privacy rules — is expected to soon issue its final guidance on how businesses must comply with the ECJ’s decision when it comes to international data transfers, cloud use and remote processing.