If Meta is not given the option to transfer, store and process data from its European users on U.S.servers, Facebook and Instagram may be shut down across Europe.
"If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results.
"For example, the Privacy Shield, a transfer framework we relied upon for data transferred from the European Union to the United States, was invalidated in July 2020 by the Court of Justice of the European Union (CJEU).
"In addition, the other bases upon which Meta relies to transfer such data, such as Standard Contractual Clauses (SCCs), have been subjected to regulatory and judicial scrutiny.
"In August 2020, we received a preliminary draft decision from the Irish Data Protection Commission (IDPC) that preliminarily concluded that Meta Platforms Ireland's reliance on SCCs in respect of European user data does not achieve compliance with the General Data Protection Regulation (GDPR) and preliminarily proposed that such transfers of user data from the European Union to the United States should therefore be suspended.
"We believe a final decision in this inquiry may issue as early as the first half of 2022.
"If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.
"We have been subject to other significant legislative and regulatory developments in the past, and proposed or new legislation and regulations could significantly affect our business.
"For example, the GDPR includes operational requirements for companies that receive or process personal data of residents of the European Union that are different from those previously in place in the European Union, requires submission of personal data breach notifications to our lead European Union privacy regulator, the IDPC, and includes significant penalties for non-compliance with the notification obligation as well as other requirements of the regulation.
"The GDPR is still a relatively new law, its interpretation is still evolving, and draft decisions in investigations by the IDPC are subject to review by other European privacy regulators as part of the GDPR's consistency mechanism, which may lead to significant changes in the final outcome of such investigations." ■