The wait for a transatlantic regulatory agreement might force Meta to halt Facebook and other services across Europe.

On May 12, the Irish Data Protection Commission (IDPC) plans to issue a decision on whether to stop Meta from transferring personal data to the United States. The IDPC is Meta’s lead European Union privacy regulator under the General Data Protection Regulation (GDPR), Meta’s 10-Q for Q1 2023 stated.

Meta discussed the upcoming EU ruling in its April 26 earnings call, in which it announced first quarter 2023 revenue hit nearly $28.7 billion, an increase of 3% year over year. The company said it’s consulting with policymakers who expect a new EU-US Data Privacy Framework before a data transfer suspension would occur. However, Meta is preparing in case this agreement comes after the deadline.

Meta doesn’t expect to be forced to comply with the data transfer ruling before the fourth quarter of 2023, according to the 10-Q filing.

About 10% of Meta’s worldwide ad revenue originates from ads delivered to Facebook users in EU countries. The impact on advertisers due to a data transfer suspension is unknown, according to Meta CFO Susan Li. She said the company is hopeful a new EU-US privacy framework will be completed before a suspension occurs.

“But if it comes to that, there’s a lot that we don’t know in terms of the specifics of a final order and how long a suspension order would last, which would be important variables in determining the overall impact,” Li said.

Meta and Data Transfer Regulations: How We Got Here

Austrian lawyer and privacy activist Max Schrems, honorary chairman of the nonprofit organization NYOB -- the European Center for Digital Rights, filed the original data privacy complaint against Facebook in 2014, challenging the transfer of data to the US. In 2016, the European Union and US established a data transfer framework called the Privacy Shield, which the Court of Justice of the European Union invalidated in July 2020. Meta noted that its Standard Contractual Clauses (SCCs) have come under regulatory and judicial scrutiny. Meta uses SCCs as the legal basis to transfer data from the EU to the US. However, the IDPC says the SCCs violate the GDPR. Therefore, the IDPC in Ireland says data transfers under the SCCs should be suspended.

In addition to a possible transfer suspension, Meta’s platforms in Ireland face a fine for noncompliance with the GDPR, the company stated in its 10-Q.

“We continue to examine the decision and its potential impact on our operations,” Meta stated in the SEC filing. “We expect that the deadlines to comply with the IDPC decision will be no earlier than the fourth quarter of 2023.”

This implementation window of six months is longer than the typical window of three months for IDPC decisions, which could help Meta, according to Caitlin Fennessy, vice president and chief knowledge officer for the International Association of Privacy Professionals.

“The reason that is significant is because the European Commission has suggested that they should be able to finalize the adequacy process by this summer,” Fennessy said.

President Biden signed an executive order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) in October 2022, and on Dec. 13, 2022, the European Commission published a draft on whether the new EU-US met the adequacy standard, which ensures that a company protects personal information adequately. Meta says it awaits the European Commission’s final “adequacy decision” on whether a new EU-US framework meets its standards.

“If adequacy can come online before the order takes effect, then no suspension may be needed,” Fennessy explained. “We are now just waiting for a few steps on the US side to implement that framework, and then the European Commission’s process to formally declare whether it is adequate.”

Meta could then appeal and seek a stay following the IDPC’s decision in May. However, a new transatlantic data transfer agreement could prevent a suspension of data transfers. If a new agreement between the EU and US isn’t finalized, Meta would need to shut down Facebook, Instagram and other services in Europe, a step that “would materially and adversely affect our business, financial condition, and results of operations.”

Other Companies Face Data-Transfer Regulations

Meta is not the only company facing the EU-US data transfer regulations, Fennessy notes. In fact, some companies in Europe have switched service providers after the data privacy complaints that nonprofit NYOB has filed, according to Fennessy. Companies may resort to localizing data or switch to local providers, Fennessy said.

“It’s not a single company issue, and it’s not an issue companies alone can really resolve,” Fennessy said. “Governments have to resolve it because it pertains to government access to data and whether the EU thinks US protections are equivalent.”

As the tech industry awaits the IPDC decision, lots of questions remain as to what the decision will mean for Facebook and other social network services.

“It seems possible that the decision itself will require that they bring these elements into compliance without stipulating how and when. Facebook will have some time to figure that out, and we will all be waiting to see if ‘adequacy’ comes online first,” Fennessy said. “Then if it does, does that take care of past transfers or only forward-looking transfers? I think those are open questions.”

How Organizations Can Prepare for Data Transfer Challenges

As the legal steps on data transfer play out in the coming months, organizations should rely on their data privacy professionals on staff to relay what risks they might face, Fennessy advised.

“Business leaders are going to need to recognize that there is increased risk on the table and then just assess what they want to do about it,” Fennessy said. “Now in some cases, they may decide that they are not the target of a likely investigation.”

In addition, organizations should expect business partners to ask questions and be prepared to discuss risks and mitigating measures, Fennessy said.

To avoid red flags on global data transfers, companies will create EU divisions that are more localized from other parts of the world, predicted Rob Enderle, president and principal analyst at the Enderle Group.

“They can likely get around some of this by creating an EU division that is more isolated from the parent and can act more like a native company in the EU,” Enderle said. “That’s what IBM did when they faced similar issues decades ago, and it was very successful for IBM. If they can form a near stand-alone division that looks more like a native company, many of these problems should evaporate if that company can reestablish trust.”

What to Read Next:

Q&A: What Meta’s $400M+ EU Fine Means for Data Privacy and Ads

$275M Fine for Meta After Facebook Data Scrape

Facebook Parent Meta Lays Off 11,000: What CIOs Should Know