The EU is tightening its grip on the transfer of personal data outside of the bloc, but according to Facebook, the European drive to protect privacy could come with unexpected – and costly – consequences for businesses and citizens alike.
The social media platform has published a new piece of research that it commissioned to economists from Analysis Group, which attempts to quantify exactly how much money could be lost if some organizations were suddenly unable to transfer personal data outside of the EU.
Specifically looking at the telecoms and pharmaceutical industries, as well as digital payments and services outsourcing, the research found that suspending data flows could cost several billions of dollars every year, with customers inevitably being impacted as a result by higher prices and lower quality of service.
The scenario is hypothetical: the economists commissioned by Facebook looked at an imagined situation in which the transfers of personal information outside of the bloc were no longer possible at all.
According to Facebook, however, this is a possible consequence that could stem from the EU’s recent ruling on transatlantic transfers of personal data, also known as Schrems II, which invalidated a crucial mechanism called the Privacy Shield that enabled personal information to flow freely between the bloc and the US.
Although over 5,300 companies relied on the Privacy Shield to carry out business across the Atlantic, last year the mechanism was ruled as invalid following a complaint lodged by Austrian lawyer and activist Max Schrems against Facebook. In light of Edward Snowden’s revelations about the US government’s spying activities, Schrems argued that the information sent outside of the EU to Facebook’s US servers could be at risk of exploitation by US law enforcement agencies.
The Schrems II decision ruled that companies would have to fall back on alternative contracts, known as Standard Contractual Clauses (SCCs), to transfer data between the EU and the US – but in some cases, warned the regulators, even SCCs might be insufficient to ensure that European citizens’ data is protected from foreign government snooping.
The exact implications of the decision are uncertain, stressed Facebook, and the report does not reflect the company’s views on the correct or even likely interpretation of the judgement. But according to the research, a strict application of the ruling could lead to a ban on all critical data transfers outside of the EU – not only in the US, but in every country where data protection laws do not meet GDPR standards.
“If the outcome of the current policy debate over the scope of the Schrems II decision leads to either a de jure ban on transferring personal data outside the EEA or, by substantially increasing transaction costs, a de facto ban, then the economic impact on the European economy could be significant,” said the researchers.
Travellers could no longer use international roaming during their holidays, according to the report, since the process involves exchanging some of the user’s personal data between their home network and the visited network. A pay-as-you-go service plan would therefore have to be purchased for each of the roughly 95 million trips that are taken by EU citizens outside of the bloc every year, which the economists estimated would cost them between €1 billion ($1.22 billion) and €4.5 billion ($5.5 billion) every year.
Without being able to send their personal information outside of the EU, consumers would also be stripped of digital payment services that require bank account information, like Apple Pay, Google Pay or PayPal. That could represent up to another €699 million ($852 million) worth of transactions lost every day.
EU companies would have to stop outsourcing functions that require access to customer or employee data, such as IT, contact centers or human resources, and instead “back-shore” those jobs inside the bloc, at a cost of up to €91.7 billion ($111.8 billion) per year. And keeping large databases of key patient information away from non-EU researchers could significantly lengthen the timeframe for drug development and approval, lessening the chances of saving up to €1 billion ($1.22 billion) per new drug developed.
Some of the examples laid out in the report seem rather implausible. Contrary to what the research suggests, for example, digital commerce is unlikely to be affected significantly, since the GDPR allows for the data transfer to take place if the data subject is willingly sending their own information, or if the transfer is necessary to honor a contract requested by the user – for example, to be given access to international roaming.
Public health is also given a special position in GDPR, and the European Data Protection Board (EDPB) even published guidelines at the start of the COVID-19 pandemic reminding regulators that the law includes provisions to allow the processing of personal data outside of the EU for the purpose of scientific research.
Even if those provisions didn’t exist, however, for Ben Rapp, the founder of data privacy consultancy Securys, the research commissioned by Facebook somewhat misses the point of the Schrems II decision.
“What Schrems is overtly concerned with is US mass surveillance,” Rapp tells ZDNet. “Facebook have latched onto the idea that somehow all cross-border data flows are going to be stopped by this, whereas the EU is only concerned by vast amounts of citizen data being slurped up and sold on to third parties or subjected to government surveillance. They are missing the point about what it is that concerns the EU.”
The GDPR, explains Rapp, was not implemented to stop EU citizens from benefitting from foreign services. When a transfer of personal information is necessary to bring a service to European users, for example to use a digital wallet or make phone calls when travelling, it is therefore unlikely that the transaction will come under the spotlight in the same way that Max Schrems shed light on the data flows underpinning Facebook’s business model.
The main reason that the social media giant needs to send EU citizens’ data back to the US, in effect, is to serve targeted online ads – which form the bulk of Facebook’s revenue but don’t provide any direct benefit to the user, according to Rapp.
“Were the data not to be transferred in the context of a wallet, the data subject would lose out because they would no longer get the functionality they wanted,” says Rapp. “If Facebook stops transferring data to the US, it is Facebook that loses out.”
“The problem is, in most use cases, it’s relatively easy to demonstrate that you can transfer data without it being subject to surveillance, or that on balance it is to the benefit of the data subject to make the data transfer. The problem is Facebook can’t make that second point,” he adds.
Rather than imagining an unlikely scenario in which all data transfers were to be suspended to the detriment of EU citizens, Rapp argues that Facebook should have rather commissioned a paper explaining why European users might lose out as targeted advertising becomes harder to implement in the aftermath of Schrems II – for example, if the social media platform had to start charging for its services.
“What utility do consumers have to lose if the flow of ad dollars is reduced? Is that loss of functionality outweighed by the benefits of not being subjected to US surveillance? That’s what this study should’ve looked at,” says Rapp.
Despite Facebook’s involvement in the industry, however, the report made no mention of the potential impact of Schrems II on digital advertising.
Facebook did not provide a comment at the time of writing.