Facebook is facing the prospect of not being able to move data about its European users to the United States, after European regulators raised concerns that such transfers do not adequately protect the information from American government surveillance.
The social network said on Wednesday that the Irish Data Protection Commission had begun an inquiry into its movement of data on European users to the United States. The Irish regulator oversees Facebook’s data practices in Europe and can fine it up to 4 percent of its global revenue for breaking European data protection laws.
The Silicon Valley company may now have to overhaul its operations to keep data on Europeans stored within the European Union, an immensely complicated task given the way that Facebook moves data among data centers around the world.
The inquiry, earlier reported by The Wall Street Journal, is the first major fallout of a European Union high court decision in July that invalidated a key trans-Atlantic agreement called Privacy Shield. That agreement between the United States and European Union had allowed businesses to send data between the two regions, but the court struck it down, saying Europeans did not have sufficient protections from American spy agencies.
The ruling affects thousands of businesses, but Facebook’s data-sharing practices have been under particular scrutiny by European authorities. Facebook had argued that the court allowed certain kinds of legal contracts to continue transferring data, but Irish regulators disagreed and said those arrangements were invalid.
Facebook has until later this month to respond to Ireland’s complaint, then the Irish regulator will make a final decision toward the end of the year. Facebook could challenge that judgment in court.
“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the E.U., just as we seek a recovery from Covid-19,” Nick Clegg, Facebook’s vice president of global affairs, said of the moves. “The impact would be felt by businesses large and small, across multiple sectors.”
Ireland’s Data Protection Commission declined to comment.
Facebook’s experience will be closely watched by other major tech companies, like Google, that also depend on transferring data between the United States and Europe.
American and European officials have expressed a desire to work out a new data-sharing agreement. But legal experts have said complying with the European court ruling will require substantive changes to American surveillance laws to give Europeans added privacy protections.