DCP Order Could Force Facebook to Withdraw Services in the EU

Since its implementation in 2018, the European Union’s General Data Protection Regulation (“GDPR”) has been held up as the model for stricter privacy laws and regulations.  As the United States’ federal government continues to remain silent about how consumers’ sensitive data and privacy should be safeguarded, many jurisdictions, both national and abroad, have passed their own derivatives of the GDPR.  Earlier this month, however, in response to a GDPR ruling, Facebook publicly stated that it may not be able to continue providing its services to consumers in the European Union (“EU”). 

Facebook Challenges DPC Order

Since the passage of the GDPR, Facebook has been sued and cited many times for violations of the law.  Under the GDPR, companies may be fined up to €20 million or up to 4% of the company’s worldwide turnover, which would mean approximately $3 billion in Facebook’s case.  The GDPR judgment at issue is its Data Protection Commission’s (“DPC”) preliminary order requiring Facebook to stop its transfer of data, regarding its EU users, back to its home servers in the United States. 

In response to the preliminary DPC order, Facebook filed both a lawsuit and sworn affidavit challenging the latest decision by the DPC, the regulators of the GDPR, stating that the DPC’s order could force Facebook to stop providing services to the EU, which means that over 410 million EU users would lose access to their Facebook and Instagram accounts.   

While Facebook has explicitly stated that its filings should not be construed as a threat to terminate services if the DPC does not withdraw its order, many experts have framed the issue as just that, describing the standoff between the DPC and Facebook as a high-stakes game of chicken where the losers would be the 410 million users caught in-between.  Facebook argues instead that the technology giant would truly have to terminate services because the DPC order would require Facebook to reengineer its entire platform in three weeks.  Moreover, Facebook alleges in its filing that the DPC’s decision unfairly singles out Facebook because other technology giants have not been ordered by the DPC to shut down their own data transfers.    

Effect of DPC Order on Facebook

While Facebook’s withdrawal from the EU would definitely impact the €208 billion in sales generated for EU companies that advertise on Facebook, privacy experts opine that Facebook’s latest filing against the DPC order is more an empty threat than an actual ultimatum because the ultimate cost to Facebook, for not operating in the EU, would be too costly to its bottom line.   

As such, regardless of Facebook’s intentions, the EU has currently issued a stay on the DPC order, allowing Facebook to continue its data transfers until Facebook’s lawsuit is decided.  Notably, however, the DPC still has time to challenge this ruling. 

Key Takeaways on Facebook’s Challenge of the DPC Order

Under the GDPR, the EU’s recent decision against Facebook has caused Facebook to threaten termination of their services to the EU because:

• Facebook believes that they have been unfairly targeted;

• Facebook alleges that the DPC is not impartial and operates with extreme bias; and

• Facebook believes that the three-week deadline handed down by the DPC is unfair, unreasonable, and impossible to meet.

For more insights on Data Privacy, see our Technology & Data Law Overview and Industry Focused Legal Solutions pages.

You may also be interested in: