Filings with the U.S. Securities and Exchange Commission show Meta is preparing for a stop on its EU-U.S. data flows and an EU General Data Protection Regulation fine. The company's Q1 2023 Form Q-10 and Q1 2023 earnings report explained to investors the impacts of the imminent final decision from Ireland's Data Protection Commission on the legality of its EU-U.S. transfers.
The DPC order, expected to be formally published by 12 May, could force a halt to Meta’s EU operations if an adequacy decision via the proposed EU-U.S. Data Privacy Framework is not granted before the order takes effect. Additionally, Meta is planning for a potentially steep monetary fine and corrective measures from the DPC after recommendations from the European Data Protection Board.
"We expect the Irish Data Protection Commission to issue a decision in May in its previously disclosed inquiry relating to transatlantic data transfers of Facebook EU/EEA user data, including a suspension order for such transfers and a fine," Meta explained in its earnings report.
In the Q-10 filing, Meta added the fine could be "substantial" and it expects the DPC order to require the company "to bring its relevant processing operations into compliance with the GDPR." Disclosures also explained the potential road ahead after the DPC's decision is finalized.
"We expect that the deadlines to comply with the (DPC) decision will be no earlier than the fourth quarter of 2023," Meta wrote. "Once the final decision is issued, we will have an opportunity to appeal and seek a stay."
IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, said the expected stop transfers order and any yet-to-be-announced corrective measures could prove more meaningful than even a record penalty, noting curtailed data flows and subsequent change in data-driven business model "could have even larger financial implications for Meta and thousands of other companies."
A new data transfer mechanism to replace the EU-U.S. Privacy Shield Framework remains the top solution for Meta's transfer woes.
The timeline for finalization of a new mechanism remains undetermined as the European Commission works toward the final adequacy decision with the U.S. under the proposed EU-U.S. DPF. European Commissioner for Justice Didier Reynders previously indicated the DPF could be finalized as early as July, which could be just in time if the order includes a three-month implementation window, as some previous orders have.
"Our ongoing consultations with policymakers on both sides of the Atlantic continue to indicate that the proposed new EU-U.S. Data Privacy Framework will be fully implemented before the deadline for suspension of such transfers, but we cannot exclude the possibility that it will not be completed in time," Meta wrote in its earnings report. "We will also evaluate whether and to what extent the (DPC) decision could otherwise impact our data processing operations even after a new data privacy framework is in force."
During an investor call discussing the filing, Meta Chief Financial Officer Susan Li said "there’s a lot we don’t know in terms of the specifics" and "important variables" concerning the DPC's order. Li added unknown factors, including "how long an order would last," will be "important in determining the overall impact" on the company moving forward.
In the wider scope of the looming order, Fennessy said, "This could lead EU businesses to demand data localization from U.S. business partners or to switch to domestic alternatives. Such shifts could well outlast the adequacy process. Privacy professionals across sectors should prepare their CEOs and boards for significant data transfer disruptions in the months to come."
In July 2020, the Court of Justice of the European Union invalidated Privacy Shield and cast a shadow over the use of standard contractual clauses in what's commonly known as the "Schrems II" decision. In the wake of the CJEU decision, the DPC initiated an "own volition" inquiry under Ireland's Data Protection Act to consider whether Facebook's data transfers to the U.S. were legal.
Meta's legal challenges to the DPC's inquiry were denied by the High Court of Ireland in May 2021. That paved the way for the DPC to reach its draft decision to halt Meta from transferring personal data from the EU to the U.S. through its use of standard contractual clauses. The draft decision was sent to EU data protection authorities in July 2022.
Meta responded by claiming its Facebook and Instagram operations in the EU may be shuttered pending the final decision and the timeline for a Privacy Shield replacement.
Delivery of the decision to DPAs triggered two EU General Data Protection Regulation-mandated processes concerning the European Data Protection Board. The EDPB first took up an Article 60 process that provided DPAs a month to deliberate, comment, or express "relevant or reasoned objection," on the DPC's draft decision. Objections were made, forcing an Article 65 dispute resolution among board members.
The EDPB's binding Article 65 decision issued 13 April resolved data protection authorities' differences on "whether an administrative fine and/or an additional order to bring processing into compliance must be included in the Irish DPA’s final decision."
The DPC has one month to adopt its final decision based on the EDPB's opinion and legal analysis. Irish Data Protection Commissioner Helen Dixon recently said she expects the final decision to be published no later than 12 May.