Meta, to put it rather inelegantly, has a data non-compliance problem. That problem began in the original conception of Facebook, a social network conceived by that most anti-social of types, Mark Zuckerberg. (Who claims that these troubled sorts lack irony?)
On 22 May, the European Union deemed it appropriate to slap a $1.3 billion fine on the company for transferring the data of EU users to the United States. In so doing, the company had breached the General Data Protection Regulation, which has become something of a habit for information predators from Silicon Valley.
The data in question is the bread-and-butter of such companies, packed with the names of users, email and IP addresses, message content, viewing history, geolocation and the whole gamut of information used for targeted advertising. As the European Data Protection Board’s Chair, Andrea Jelenik, stated, “the EDPB found that Meta’s IE’s [Meta Platforms Ireland Limited’s] infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive.”
The outcome resulted from a binding decision by the EDPB of 13 April 2023 which instructed the Irish Data Protection Authority (IE DPA) to revise its draft decision and impose a fine upon the company, despite initial reluctance to do so. The board also instructed IE DPA to order Meta to bring its “processing operations into compliance with Chapter V [of the] GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of European users transferred in violation of the GDPR, within 6 months after notification of the IE SA’s final decision.”
The implications for Meta, beyond the inconvenience of a fine, is the operational difficulty of removing the transferred data. “This order to delete data is really a headache for Meta,” reasons Johnny Ryan, senior fellow at the Irish Council for Civil Liberties. To remove the digital material gathered from millions of EU users stretching back a decade posed seemingly insuperable problems regarding compliance.
The response from Nick Clegg, President of the company’s global affairs arm, and Chief Legal Officer, Jennifer Newstead, is coldly practical on the issue. (Clegg, former UK Deputy Prime Minister, has long been on the dark side.) Data is key; data is everything. Privacy, goes the insinuation, is an impediment, a needless intrusion by sentimental bleeding hearts. “The ability for data to be transferred is fundamental to how the global open internet works. From finance and telecommunications to critical public services like healthcare or education, the free flow of data supports many of the services that we have come to rely on.”
A favourite argument is mustered by the knight-in-digital-armour: the idea of an internet balkanised and fractured in the face of meddlesome regulations and bureaucrats. “Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos.” This would leave the “citizens in different countries unable to access many of the shared services we have come to rely on.”
Clegg and Newstead also lament those privacy business bodies in the Court of Justice of the European Union (CJEU), who dared invalidate the Privacy Shield mechanism agreed upon between the US and EU on the transfer of personal data to the US. “This [2020] decision created considerable regulatory and legal uncertainty for thousands of organisations, including Meta.”
What the court left intact was the Standard Contractual Clauses mechanism, which could function on the proviso that various safeguards were put in place regarding data processing. (An agreement reached on EU-US data transfers between Brussels and Washington on a revised Privacy Shield has yet to be signed off by European officials.) Meta proceeded to use these “believing them to be compliant with the General Data Protection Regulation (GDPR).” While the Irish Data Protection Commission initially found that Meta had acted in good faith and that no fine would be necessary, moans the company, the Data Protection Board thought otherwise.
Clegg and Newstead also expressed aggrievement at Meta being “singled out when using the same legal mechanism that thousands of other companies looking to provide services in Europe.” Brazenly, they praise the US for doing much “to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.” The company intends filing appeals on both the substance of the decision and its orders, seeking a stay in the courts.
Other US tech behemoths have also drawn the ire of the EU, demonstrating the divergence of views between the money hungry dictates of the information market and the importance of a user’s privacy. Between 2017 and 2019, Google caught their attention in the only way it could. That attention, based on the sheer scale of the company’s market dominance, brought the ledger of fines to 8 billion euros. In 2021, Amazon received a 746 million euro fine for violating data protections.
Despite the coos of satisfaction coming from EU officials, such companies have integrated the occasional spanking fine into their operating models, the laceration nullified by a thumpingly large financial base to work from. An economy of data transgressions has emerged, one permitted to thrive, despite the punishments and orders. That penalties run into the billions of euros or dollars hardly affects the overall business rationale. As a consequence, the respective world views of US corporatism and EU data protection find some peculiar, if uncomfortable accord, an economy that tolerates surveillance capitalism while occasionally punishing its excesses.