On May 22, the Irish Data Protection Commission (DPC) announced that Meta violated Europe’s General Data Protection Regulation (GDPR). This violation occurred when Meta Ireland (a subsidiary of Meta) sent European citizens’ data to the U.S. This was deemed illegal because Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows American intelligence agencies to spy on non-citizens outside the U.S., exposing EU citizens’ data in the U.S. to potential surveillance. Now it seems the Biden administration will do everything to save cross-Atlantic data transfers except address FISA privacy concerns.
The decision to fine Meta and suspend their data transfers was based on a Court of Justice of the European Union (CJEU) judgment in Data Protection Commissioner v. Facebook Ireland Ltd. In this 2013 case, Max Schrems, an EU citizen, challenged Facebook’s decision to transfer his data to the United States, after Edward Snowden released documents revealing that U.S. espionage routinely violated data privacy.
The case resulted in a 2015 decision to end America’s Safe Harbor framework, which allowed companies to send EU citizens’ data to the U.S. To ensure that American tech companies could continue to operate seamlessly in Europe, a new agreement was quickly entered into on July 12, 2016, dubbed Privacy Shield. Then only four days after the agreement’s fourth anniversary (July 16, 2020), the Schrems II judgment struck down Privacy Shield for still not adequately addressing the concerns outlined in the Max Schrems case.
To salvage the situation without reforming FISA, Biden passed Executive Order 14086, which launched the Data Privacy Framework. With the recent decision by the Irish DPC, the Biden Administration is re-entering into a negotiation to lift the transfer suspension. Since its inception, the Data Privacy Framework has faced criticism for failing to address the underlying privacy concerns in Schrem II. Namely, privacy is inherently at risk so long as FISA Section 702 allows EU citizens’ data to be searched without a warrant.
Failing to secure an acceptable U.S.-EU deal could destabilize the cornerstone of modern data markets, cloud computing. Without cross-Atlantic data transfers, an Atlantic iron curtain could arise, forcing cloud servers to bifurcate to one side or the other. Cloud computing efficiency comes from its ability to utilize economies of scale. The more servers working together, the cheaper the data storage. Without access to Europe or European access to the U.S., those economies of scale diminish.
Meta’s 2022 end-of-year report stated that if a deal is not reached, it may be “unable to offer a number of [its] most significant products and services, including Facebook and Instagram, in Europe.” For Americans, this will limit access to communication services, both personal and professional, overseas.
Although Meta is taking the brunt of European regulators’ hostility, it’s the fault of policymakers who refuse to reform surveillance laws they are being fined and forced to suspend data transfers. Meta’s only alternative would be to completely decouple its European data storage from the U.S., similar to but opposite of TikTok’s Project Texas, which will move all U.S. data storage to the U.S.
It’s hard to criticize the EU’s actions when U.S. lawmakers are undertaking similar efforts, for almost identical reasons, against the popular video-sharing app TikTok. To avoid being hypocritical and resume transatlantic data transfers, U.S. policymakers could amend FISA Section 702 to prevent unwarranted searches on non-citizens. Without this amendment, we will likely continue to see uncertainty in any tech service that crosses the Atlantic.
Isaac Schick is a policy analyst at the American Consumer Institute, a nonprofit education and research organization. For more information about the Institute, visit www.TheAmericanConsumer.Org or follow us on Twitter @ConsumerPal.