On April 28, Meta published its quarterly report where the company offered relevant information about the legal and regulatory risks that is facing and how these risks could affect the company´s revenue.
The company is facing lawsuits in the U.S., Europe and around the world. Perhaps the most relevant one for Meta is the ongoing litigation with the Federal Trade Commission (FTC) over Instagram and WhatsApp. The FTC is seeking to force Meta to unwind these acquisitions as, in the regulator’s opinion, they were part of an attempt to monopolize the market. Meta believes “that these lawsuits are without merit” but it also warned that the result of that litigation “could subject the company to substantial monetary remedies and require to change the business practices”.
But when it comes to regulatory risks, the threat of losing the ability to transfer users’ data from the European Union to the US is probably on top. This risk is probably even above the risks posed by the recently approved EU Digital Markets Act (DMA), which will force Meta to make Facebook or WhatsApp interoperable with other rivals, or the Digital Services Act, which will increase the company’s costs to monitor and remove illegal content from its platforms. The company is aware that even if the DMA and DSA enter into force by the end of 2022, “the requirements under the final regulation will likely be subject to further interpretation and regulatory engagement”, reads Meta’s quarterly report. This suggests that Big Tech companies could push back the implementation of the law and, ultimately, judges may need to decide on the interpretation of some legal provisions. This could mitigate to a certain extent the impact of these regulations on Meta in the short term.
The problem with the cross-border data flow is that Meta is already waiting for a final decision that could jeopardize its ability to transfer data from the EU to the US and this could significantly affect its Facebook and Instagram operations in Europe.
In 2016, the European Union and United States agreed to a transfer framework for data transferred from the European Union to the United States, called the Privacy Shield, but the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union (CJEU). The other bases upon which Meta relies to transfer such data are Standard Contractual Clauses (SCCs) but in August 2020, Meta received a preliminary decision from the Irish Data Protection Commission (IDPC) that concluded that Meta Platforms Ireland’s reliance on SCCs in respect of European user data does not achieve compliance with the GDPR and preliminarily proposed that such transfers of user data from the European Union to the United States should be suspended.
In February 2022, Meta received a draft decision in which the IDPC maintained its preliminary conclusion that Meta Platforms Ireland’s transfers of European user data from the European Union to the United States should be suspended for the users of the Facebook service. According to Meta, a final decision may be issued as early as the second half of 2022.
The company is relying now on an agreement in principle reached by the EU and the US on March 25 on a new Trans-Atlantic Data Privacy Framework that would allow companies to continue with data flows. However, if this data transfer agreement is not adopted, Meta admitted that “we will likely be unable to offer Facebook and Instagram in Europe, which could materially and adversely affect our business”.
Next week, on May 15-16, representatives of the EU and US governments will discuss topics of common interest during the U.S.-EU Trade and Technology Council, and the issue of data governance and cross-border data flows could be part of the agenda.
