The European Union's highest court recently ruled that U.S. laws don't apply to European users' privacy for sites like Facebook (NASDAQ:FB). In the past, the "Safe Harbor" trade program let American companies in Europe send data on European users back to the U.S. and bypass the EU's strict data protection rules.
The new ruling, which invalidates the Safe Harbor program, allows national regulators to stop transfers of European users' data to the U.S. as they see fit. Speaking to The New York Times, London-based privacy lawyer Marc Dautlich stated it wasn't "going to be easy" for data-hungry companies like Facebook to gain regulatory approval in some of the EU's 28 countries.
The landmark case was started by Austrian law student Max Schrems, who sued Facebook's European headquarters in Ireland and claimed that Facebook and other American tech companies didn't adequately protect European consumer data from U.S. surveillance programs. Schrems requested that Facebook pay 500 euros ($563) to each affected user. The EU's ruling also remands Schrems' case to Ireland for further review.
What does this mean for Facebook?
Four years ago, Schrems claimed that Facebook's records on individual users were hundreds of pages long and included data that users had previously deleted. Those concerns came to a head in the separate "right to be forgotten" ruling in the EU last year, which enabled citizens to request that outdated data be removed from sites like Facebook and Alphabet's (NASDAQ:GOOG) (NASDAQ:GOOGL) Google and YouTube.
At the end of June, nearly a fourth of Facebook's 968 million daily active users came from Europe. However, Facebook's average revenue per user (ARPU) in Europe during the second quarter only rose 18% annually, compared to 44% growth in the U.S. and Canada, 19% growth in the Asia-Pacific region, and a global growth rate of 23%.
To generate more revenue per user, Facebook needed to gather more data to display more ads. If Europe throttles the amount of data Facebook can mine and deliver, its APRU growth could be adversely affected. However, it's highly doubtful Schrems' demand for Facebook to pay 500 euros to each European user, which would equal a fine of nearly $130 billion, will ever be carried out.
In Facebook's 10-Q filing for the second quarter, the company admits that "proposed legislation and regulations could significantly affect our business," and warns that the data protection regulation proposed by the European Commission could "include significant penalties for non-compliance." While the unfavorable EU ruling won't devastate Facebook, it could hurt its sales growth across the region while forcing it to seek alternative ways to gather data from EU users.
Stuck in the crossfire
Facebook's confrontation with EU regulators represents a heated intersection between several overlapping interests. Like many other tech companies, Facebook set up its European headquarters in Ireland to avoid paying U.S. income tax on foreign profits, which exposes it to EU regulators.
To calm regulators, Facebook and other tech companies have distanced themselves from the U.S. government ever since the NSA and PRISM revelations surfaced. Unfortunately, U.S. law enforcement agencies recently reignited suspicions by requesting "official" back doors to sites like Facebook and mobile devices. U.S. officials also defended Facebook against the recent ruling and accused the EU of making "inaccurate assertions" about its intelligence services.
Facebook isn't the only company to be torn between European regulators and the U.S. government. Last year, Microsoft (NASDAQ:MSFT) lost an appeal to block the U.S. government's search warrant for a customer's emails stored on an Irish server. The decision angered the Irish government, which called the U.S. decision to bypass Irish and EU authorities "potential infringements" of its sovereign rights. The German government also ditched Verizon (NYSE:VZ) last year because of allegations of NSA surveillance.
Who else will be affected?
The invalidation of the Safe Harbor program won't just affect Facebook. Around 4,000 U.S. and European companies rely on it to transfer data overseas. Many of those companies must now find alternative transfer solutions to appease national regulators.
Google, which already faces EU antitrust probes regarding allegations of search bias and Android app bundling, now has one more thing to worry about. Microsoft's grand cloud computing plans, which rely heavily on the widespread adoption of Windows 10, could also be affected.
The key takeaway
Over the past few years, large U.S. tech companies have found it increasingly difficult to conduct business in key markets like Europe and China. Part of that might be attributed to competition, but most of it seems to come from protectionism and concerns regarding the U.S. government's surveillance methods. The invalidation of the Safe Harbor program will aggravate those problems and could impact both American and European companies.