Meta has said it is considering shutting down Facebook and Instagram in Europe if it can’t keep transferring user data back to the U.S.
The social media giant issued the warning in its annual report last Thursday.
Regulators in Europe are currently drawing up new legislation that will dictate how EU citizens’ user data gets transferred across the Atlantic.
Facebook said: “If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”
The company added this “would materially and adversely affect our business, financial condition, and results of operations.”
“Meta cannot just blackmail the EU into giving up its data protection standards,” European lawmaker Axel Voss said via Twitter, adding that “leaving the EU would be their loss.” Voss has previously written some of the EU’s data protection legislation.
A Meta spokesperson told CNBC on Monday that the company has no desire and no plans to withdraw from Europe, adding it has raised the same concerns in previous filings.
“But the simple reality is that Meta, and many other businesses, organizations and services, rely on data transfers between the EU and the U.S. in order to operate global services,” they said.
The European Commission did not immediately respond to a CNBC request for comment.
In August 2020, Ireland’s Data Protection Commission sent Facebook a preliminary order to stop transferring user data from the EU to the U.S., according to a report from The Wall Street Journal that cited sources familiar with the matter.
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” Nick Clegg, Facebook’s vice president of global affairs and communications, said in a blog post at the time.
“While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on,” he added.
Ireland’s Data Protection Commission is expected to issue a final decision in the first half of 2022.
If SCCs can’t be used as the legal basis for transferring data, Facebook would have to silo off the majority of the data it collects on European users. The DPC could fine Facebook up to 4% of its annual revenue, or $2.8 billion, if it failed to comply.
In July 2020, the European Court of Justice ruled the data transfer standard between the EU and the U.S. doesn’t adequately protect European citizens’ privacy.
The court, the EU’s highest legal authority, restricted how U.S. firms could send European user data to the U.S. after concluding EU citizens had no effective way to challenge American government surveillance.
U.S. agencies such as the NSA can theoretically ask internet companies like Facebook and Google to hand over data on an EU citizen, and that EU citizen would be none the wiser.
The ECJ ruling came after Austrian privacy activist Max Schrems filed a lawsuit in light of the Edward Snowden revelations, arguing that U.S. law did not offer sufficient protection against surveillance by public authorities. Schrems raised the complaint against Facebook, which, like many other firms, was transferring his and other users’ data to the U.S.
The court ruling invalidated the EU-U.S. Privacy Shield agreement, which enabled firms to send EU citizens’ data across the Atlantic. As a result, companies have had to rely on SCCs.