As VideoWeek reported two weeks ago, there’s plenty of legislation and regulatory action in the works which could have a major impact on the world’s biggest tech companies.
But it could end up being existing legislation which has the biggest impact. Just this year we’ve seen rumours that Meta could be forced out of Europe, and had a ruling from France’s data regulator CNIL that Google Analytics is currently operating illegally throughout the continent.
Both these cases stem from existing rules around data transfers between the European Union and non-EU countries, outlined in the General Data Protection Regulation (GDPR). But through the headlines it can be hard to grasp exactly what it is that Meta and Google are getting wrong, and where the tension is.
Here’s a breakdown of the standoff over data flows.
What exactly are the rules?
The General Data Protection Regulation added a host of new rules governing how businesses collect, transfer, and delete personal data in Europe.
But in a world of international tech companies which are largely powered by a wealth of personal data, people’s data rarely stays within the borders of their home countries. It’s not much use creating a bunch of new rules to protect users’ data if that data is quickly transferred abroad, where those rules no longer apply.
As a result, GDPR also included rules governing data transfers between the EU and non-EU markets.
The law gives the EU the ability to define countries which provide “adequate” protection for personal data. In these countries, transfers of personal data to and from the EU may take place “without the need to obtain any further authorisation”.
To qualify as adequate, a third country or organisation must essentially be able to demonstrate that its own data laws offer protection equivalent to the GDPR. The EU has so far granted data adequacy status to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay.
For countries where data adequacy status hasn’t been granted, businesses must put in extra work to guarantee that EU users’ data will still receive GDPR-level protections once it leaves the EU.
As the law itself states, “such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority”.
Where no such safeguards are in place, any data transfers from the EU to a market without data adequacy status are illegal.
How does this apply to Meta and Google?
Shortly after GDPR was approved by the EU, the Union struck an agreement with the USA known as the ‘Privacy Shield’.
Essentially, the Privacy Shield allowed American businesses to sign up to a number of obligations, after which they were able to freely transfer data across from the EU. The idea was to create a simpler way for US businesses to comply with GDPR and continue free data flows.
But the Privacy Shield was struck down by the Court of Justice of the European Union, the EU’s highest court. The ruling, prompted by a suit filed by privacy campaigner Max Schrems, found that the Privacy Shield didn’t offer GDPR-level protection for personal data, since US domestic law meant that the US government would be able to access that personal data for national security purposes.
Meta and Google, which obviously both transfer huge quantities of personal data from Europe to America, were signed up to the Privacy Shield, and used it as a legal basis for transferring personal data. Since the Privacy Shield was struck down, they’ve had to find an alternative.
Both companies say that they use ‘Standard Contractual Clauses’ (SCCs). These are standard agreements which the European Commission has approved, and which data importers and exporters can weave into their contracts to ensure that personal data is protected outside of the EU.
But privacy campaigners maintain that the SCCs used by Google and Meta aren’t valid for the very same reason that the Privacy Shield was ruled as invalid.
When using SCCs, companies in non-EU markets must conduct their own risk assessments of how local laws could compromise data protection for EU citizens’ personal data, and add supplementary measures where necessary to ensure GDPR-level protection.
But just as was the case with the Privacy Shield, privacy campaigners argue that US-based companies can’t write any supplementary clauses which protect EU users’ data from the US government. In theory the government could demand access to personal data held by Meta and Google for national security reasons, and that demand would override the SCCs used by the two companies.
Meta and Google have continued to send data freely between the US and EU, arguing that their SCCs are valid. But data protection authorities in Europe are increasingly making it clear that they don’t agree.
Last week Ireland’s Data Protection Commission sent a revised ruling to Facebook, following a preliminary order in September 2020 telling Facebook to cease transfers between the EU and US, which Facebook contested.
This followed shortly on the heels of the CNIL’s order for Google Analytics to cease its own data transfers to the US. The CNIL’s decision directly referenced the idea that Google’s SCCs can’t protect EU user data from intelligence services.
Hence, we’ve started to see a bit of a shift in the conversation. Meta in particular has shifted away from arguing that its SCCs are valid, and is instead arguing that the burden of complying would be unreasonably high, hence the suggestions that parts of Meta’s business in Europe could be forced to shut down.
What’s the end game?
While the debate has been simmering away for years now, expect to see significant progress soon.
Ireland’s data watchdog plans to consult with other European data protection authorities in April, after which it will move towards issuing a final decision. Meanwhile the CNIL gave a month following its ruling for websites which use Google Analytics to update their practices, in order to ensure that data is no longer being transferred illegally.
The end result could play out in one of three ways.
Meta hopes that it will persuade data protection authorities to take a more lenient stance. The company hopes that a new agreement – something akin to the Privacy Shield – can be created and approved by European data watchdogs which will allow free flows of data.
A second possibility is that the regulators stick by their guns, and Meta and Google update their business practices to comply. One solution suggested by the CNIL would be for companies to use tools which don’t require data to be transferred outside of the EU, keeping it out of reach of US intelligence authorities.
But Meta in particular seems to believe this option is unfeasible. This leaves the third option – the authorities demand an end to data transfers, Meta and Google don’t change their business practices, and thus both shut down large chunks of their businesses in the EU.