Threads ‘will have to clean up its data practices’ in order to launch in EU

Amid scrutiny from European regulators over the app’s data protection and privacy practices, Meta has hit the brakes on its EU debut.

But what exactly are the holdups – and how likely is it that Threads will soon enter the European market?

In information required to be made public on iOS devices, Threads says it collects swaths of user data, which may include sensitive information about users such as health and financial data, browsing and search history, precise location and more. Meta has long gathered such information to profile and track users to serve targeted ads to them; nonetheless, European regulators are increasingly souring on these practices.

Under the EU’s sweeping privacy legislation, the General Data Protection Regulation (GDPR), sensitive information, such as users’ health data, can only be collected if users give explicit and informed consent via an opt-in mechanism. And Meta has already run afoul of the GDPR this year. In January, the Irish Data Protection Commission fined the company $410m, claiming that Meta’s legal defense for processing users’ data was unlawful under new rules from the GDPR’s enforcement body, the European Data Protection Board.

Another recent roadblock came in May when the Irish Data Protection Commission slapped Meta with a $1.3bn fine over its data handling practices and ordered it to cease transferring EU user data to the US within five months. The decision has implications for Threads’ rollout; essentially, it would require the app to be housed entirely on EU servers without US access. (It’s worth noting that earlier this week, the European Commission greenlit the new EU-US Data Privacy Framework, under which transatlantic data exchanges will be allowed. However, the new framework won’t go into effect immediately and is already facing legal challenges, meaning that Meta and other tech titans will likely be treading gently for the time being.)

Then, just last week, Meta lost an appeal to the European Court of Justice over its use of user data in Germany. The court gave Germany’s antitrust enforcement agency, Bundeskartellamt, the go-ahead to forbid the social media giant from combining data it collects about users across its owned platforms and from external sites and apps.

These recent decisions – within the context of Meta’s broader history of facing regulatory blowback – may contribute to its hesitance to launch in the EU. “Several privacy concerns with Threads in the EU tie back to Meta’s history of concerning – and, in some cases, illegal – privacy practices. Meta has been fined in the EU for violation of children’s privacy, data breaches, consent violations, breaching data transfer requirements and using an improper legal basis for processing personal data,” says Calli Schroeder, senior counsel and global privacy counsel at the Electronic Privacy Information Center (EPIC), a nonprofit research organization focused on privacy and freedom of expression online.

Moreover, forthcoming EU regulations will forbid the use of sensitive data for advertising – so the health and financial data collected by Threads, for example, will not be able to be used for profit. “All of these [issues] pose huge obstacles to Threads launching in the EU,” says Schroeder.

Jeff Jockisch, partner at privacy tech firm Avantis Privacy raises another potential issue: Threads’ immutable integration with Instagram. Because the two are linked, the company has said that users cannot delete their Threads account without deleting their Instagram account. “This seems designed to prop up numbers,” Jockisch says. “It’s wild that they launched this way – it’s something I would expect from a Silicon Valley startup with $50m in funding, not Meta. I can’t see any way it’s GDPR compliant. Frankly, every privacy regulator – and many antitrust regulators – should have a problem with this.”

If the issue is raised among regulators, Jockisch predicts that Meta will argue that the app is part of Instagram’s business and that its user data cannot be disambiguated since it’s linked to users’ existing Instagram accounts.

Generally speaking, says Jockisch, Threads’ data privacy issues “are large and unaddressed.”

Nonetheless, Meta isn’t the first to push pause on launching a product in the EU over potential data privacy hurdles. Just last month, it was reported that Google’s artificial intelligence platform Bard will not roll out in the EU until the tech titan can address privacy concerns raised by the Irish Data Protection Commission.

“There is a trend happening with tech companies – and big tech companies in particular: they’re being much more restrained before launching a new product in the EU,” says Gabriela Zanfir-Fortuna, vice-president for global privacy at the Future of Privacy Forum, a Washington, DC-based think tank. “It’s a result of the very strict legislation about personal data – and not only the legislation itself … but also super intense enforcement. In the past year, we’ve seen very serious enforcement actions under the GDPR – the regulators, the data protection authorities, the privacy commissioners... they are very active, very vocal and starting to be comfortable with the new powers and competencies that the GDPR has provided.”

In essence: Meta is being extra cautious to avoid becoming entangled in new privacy allegations and potentially being subject to significant fines in the EU. “Big tech companies are more apprehensive and do much more due diligence than in the past before launching a product in the EU,” Zanfir-Fortuna says.

As for how Meta might proceed, only time will tell. The company may attempt to collaborate with regulators to address their apprehensions. “It would be beneficial – both for regulators and companies – to engage [to work together toward a solution],” says Zanfir-Fortuna.

However, if the company goes this route, it won’t be able to skate by, says EPIC’s Schroeder. It will be forced to change its ways. “It would likely have to – at a minimum – clean up its practices for obtaining consent, limit what it collects from users and put strict limits on what information it uses for advertising before launching in the EU.”

Advertisers in Europe, meanwhile, will be playing the waiting game.

For more, sign up for The Drum’s daily newsletter here.