EU inches closer to blocking Meta from sending personal data to US

A smartphone showing the Meta company logo in front of a large Facebook logo
(Image credit: Getty Images)

Ireland’s data protection regulator has pushed to stop Meta’s from moving personal data from Europe Union (EU) territories to the US.

An Irish Data Protection Commission (DPC) draft decision has been sent to counterparts in Europe, with suggestions it could lead to blocking Meta from sending user data from the continent to the US, as reported by Politico yesterday.

Meta has warned that this kind of decision would shut down many of its services in Europe, including Instagram and Facebook.If approved by other European national data protection regulators, the order to block these services may affect other businesses which have been unsure how to continue sending data between Europe and the US.

In 2020, the European Court of Justice annulled the Privacy Shield agreement due to concerns around US surveillance practices. In the ruling, the court also made it harder to use standard contractual clauses (SCCs) which are legal tools that allowed Meta and other US firms to transfer personal data to their home country. The new order from Ireland will mean that Meta will have to stop relying on SCCs as well.

The DPC's draft decision has arrived amid the EU and US attempting to negotiate a new data-transfer mechanism, which would allow businesses like Meta to continue transferring data from Europe to the US. The two entities agreed to a preliminary deal in March, but negotiations have stalled and a final deal isn't expected be reached before the end of the year.

The draft decision has been sent to other European privacy regulators, which will now have a month to submit their input, a spokesperson from the Irish DPC told Politico.

“This draft decision, which is subject to review by European Data Protection Authorities, relates to a conflict of EU and US law which is in the process of being resolved,” a Meta spokesperson told IT Pro. “We welcome the EU-US agreement for a new legal framework that will allow the continued transfer of data across borders, and we expect this framework will allow us to keep families, communities and economies connected.”

The regulator’s draft decision comes after Meta’s attempt to transfer large amounts of data to the US following years of battles between the tech giant and European privacy advocates.

"If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe," Meta said in a filing to the US Securities and Exchange Commission (SEC) in March this year.

This isn’t the first time that Ireland’s DPC and Meta have clashed. In March 2022, the regulator hit the company with a €17 million (£14 million) fine over multiple breaches of GDPR. It said it arrived at this decision following an inquiry into a series of 12 data breach notifications it received between 7 June 2018 and 4 December 2018.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.