On July 16, 2020, the Court Of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems.[1] The EU-US Privacy Shield was a set of frameworks and guidelines co-designed by the United States Department of Commerce and the European Commission and Swiss Administration to give companies in Europe and the United States reference points and requirements when transferring data from the EU and Switzerland to the United States.[2]

The CJEU invalidated the Privacy Shield for two main reasons.[3] First, the CJEU reasoned that the Privacy Shield does not comport with the minimum safeguards of consumer data and privacy.[4] The CJEU further established that the surveillance programs in effect “cannot be regarded as limited to what is strictly necessary.”[5] Second, the CJEU determined that consumers and subjects whose data is being collected and transferred do not have “actionable judicial redress and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.”[6]

So what does this mean for tech giants such as Facebook, Google, and Microsoft? These tech companies’ cloud services “form the backbone of most of the Western World’s Internet.”[7] The Schrems II Ruling threatens these companies insofar as to make it extremely difficult for the companies to transfer and share data about European users with its U.S. operations, applications and data centers.[8]

Now, these companies must verify the privacy protection in the United States to ensure they comply with European Laws in order to use mechanisms called Standard Contractual Clauses (SCCs).[9] SCCs are “contract[s] that can be used for data transfers between EU and non-EU countries.”[10]

The CJEU has stated that personal data is not as well-protected in the United States as it is in Europe.[11] As such, this verification process that tech giants will have to hurdle through and face will likely result in extreme increases and costs and decreases in efficiency.

Now, Facebook has threatened to fully back out of Europe.[12] If Facebook were to not be able to transfer European user data to the United States, there is no clear indication as so how the company would be able to continue to operate in Europe.[13]

The struggles that Facebook, and other tech companies alike, are dealing with, will likely have grave monetary consequences if they are not able to come up with a viable solution on how to deal with this.

Facebook in particular has just experienced its biggest drop in stock price in a day’s span on February 3, 2022.[14] The company, for the first time ever, lost users.[15] At least one potential reason for this drop in users is “federal and international regulators scrutinize[ing] its business practices.”[16]

Facebook is ultimately going to continue to fight for the ability to collect and transfer European user data to the United States. They would lose exorbitant amounts of advertising revenues if they get completely locked out of transferring this data. It will be interesting to see Facebook, and other tech giants’, next steps in fighting this uphill battle.

Omar Nesheiwat is a staff member of Fordham International Law Journal Volume XLV.

This is a student blog post and in no way represents the views of the Fordham International Law Journal.
—

[1] See Sharp Cookie Advisors, Schrems II A Summary – All You Need To Know, GDPR Summary (Nov. 23, 2020), https://www.gdprsummary.com/schrems-ii/.

[2] See Privacy Shield, https://www.privacyshield.gov/welcome, (last visited February 23, 2022).

[3] See Caitlin Fennessy,  The ‘Schrems II’ Decision: EU-US Data Transfers in Question, IAPP: Privacy Tracker (July, 16 2020) https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/.

[4]  See C‑311/18, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems ECLI:EU:C:2020:559, 184 (July 16, 2020).

[5] Id. at 184.

[6] Fennessy, supra note 3.

[7] David Williams, Meta threatens to pull Facebook and Instagram if it can’t share data with the US, iTWire (Feb. 06, 2022), https://itwire.com/listed-tech/meta-threatens-to-pull-facebook-and-instagram-from-europe-if-it-can-t-target-ads.html.

[8] See id.

[9] See supra note 1.

[10] See Standard Contractual Clauses (SCC), GDPR Summary (Nov. 22, 2020), https://www.gdprsummary.com/gdpr-definitions/standard-contractual-clauses/.

[11]See supra note 7.

[12] See Alex Hern, , Facebook Says it May Quit Europe Over Ban on Sharing Data With US, The Guardian (Sept. 22, 2020), https://www.theguardian.com/technology/2020/sep/22/facebook-says-it-may-quit-europe-over-ban-on-sharing-data-with-us.

[13] See id.

[14] See Lauren Feiner, Facebook Stock Plummets 26% in its Biggest One-Day Drop Ever, CNBC (Feb. 3, 2022), https://www.cnbc.com/2022/02/03/facebook-shares-plummet-22percent-after-reporting-weak-guidance.html.

[15] See Elizabeth Dwoskin, Will Oremus & Rachel Lerman, Facebook Loses Users for the First Time in its History, CNBC (Feb. 2, 2022), https://www.washingtonpost.com/technology/2022/02/02/facebook-earnings-meta/.

[16] Id.