Meta (formerly Facebook), the ubiquitous social networking giant, has been hit with a record €1.2 billion GDPR fine for its decades-long involvement in US mass surveillance, with a particular focus on the cross-border transfer of sensitive EU data. This latest ruling, coupled with the introduction of stricter data transfer policies, could mark the beginning of a tectonic shift in global data governance that threatens to unravel the very fabric of the Internet.
In a landmark decision spanning ten years and three court cases, the European Data Protection Board (EDPB) has ordered Meta to halt all transfers of European personal data to the United States. This policy stems from the fact that because Meta is subject to US surveillance laws such as FISA 702, Meta appears to be in breach of EU data protection rights.
The implications of this ruling are profound, not just for Meta, but for all major U.S. cloud providers, including Microsoft, Google, and Amazon. All are subject to the same US surveillance laws, and with FISA 702 reauthorization looming by December 2023, there is increasing pressure for significant changes to US surveillance laws.
International transfers make the internet borderless
The verdict thwarts Meta’s plans for future data transfers and could mean the same for the rest of the internet. The company hoped to bank on a new EU-US data transfer agreement, which has already drawn strong criticism from the European Parliament and is expected to come into force later this year. However, if previous data deals between the EU and the US are any indication, the new deal could be declared invalid by the Court of Justice of the European Union (CJEU), with retrospective consequences.
Over the years, the Irish DPC, whose job it is to regulate Meta in Europe, has attempted to sidestep the procedure by dismissing initial complaints and attempting to get Meta cleared of the fine. However, the European courts have repeatedly rejected these attempts, resulting in legal costs of over 10 million euros. Interestingly, the record fine goes to the Irish state, which tried to prevent the penalty from being imposed.
What can Meta do?
The question now is: how exactly will Meta respond? And what impact will this have on European and non-European users? There are three possible ways forward:

1. Withdraw from Europe completely, leaving the region with huge gaps in the technical infrastructure for communications. I’ve had friends abroad who feared they might lose access to communicating with their friends and business associates around the world if it got too strict. Despite rumors that Meta may end its services in Europe, this is highly unlikely, as Europe is its largest source of revenue outside of the US and the company has already started developing data centers in the EU.

2. Ignore the law, as we’ve seen Meta do in the past, and keep paying fines as if they were a cost of doing business. If we’re being honest, this isn’t a bad option for Meta given the size of the fine: $1.3 billion over 10 years, during which the company generated $553.5 billion in revenue, which is a paltry 0.2% of sales. What to keep in mind, as Max Schrems pointed out in the NoYB press release: “The fine could have been much higher considering the maximum fine is more than 4 billion and Meta knowingly broke the law to make a profit for ten years.”

3. Comply by creating a “federated” social network model where most personal data stays within the EU, with exceptions for “necessary” transfers. This is a questionable solution in terms of strict regulatory compliance, but in the short term, and until someone is able to dig into Meta’s core business, it should satisfy regulators enough to get them off Meta’s back for a while. But will this be technically feasible for all companies providing services to the EU? A project of this magnitude will likely cost Meta hundreds of millions of dollars, meaning small and medium-sized vendors are unlikely to be capable of such a feat. Will this ruling stifle innovation and create an even bigger walled garden for big tech in Europe?

Legal considerations in determining a way forward
In a press release from the European Data Protection Board (EDPB), Andrea Jelinek, Chair of the EDPB, said: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.” We can all be sure that Meta will seek to reverse the decision, but it’s doubtful there will be any significant changes to it. So what can they legally do to resolve this situation?
There is no provision in the GDPR for “necessary” transfers without an adequacy decision, and Article 49 allows exceptions only for transfers “…if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer…” We have already seen the courts take the view that advertising does not qualify as a “legitimate interest”, and it is certain that they do not intend to change their stance on the subject anytime soon.
Meta might lean towards consent, but valid consent in the EU is an incredibly strict standard. Article 49(1)(a) provides an exception where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”. However, this is impossible in practice due to the technical complexity of Facebook’s architecture, provider ecosystem and business model. And implied consent, for example because a user has added a friend in the United States, does not count as explicit, informed consent.
A federated social network could reduce the volume of transfers, but it would be difficult to claim that the remaining transfers were “non-repetitive”, limited, and balanced in terms of legitimate interests. Meta has over a billion users; non-repetitive, limited transfers will never be possible at that scale. And obtaining explicit, informed consent from all of these users is dubious. This means there is no technical way for Meta or anyone else to strictly comply with the law without a significant technical breakthrough or an adequacy decision.
An additional note on the recent ECJ ruling is that users may be able to claim emotional damages for violations of their privacy rights. For example, the Dutch consumer rights organization Consumentenbond is currently rallying Dutch Facebook users to assert their claims over EU-US data transfers, and the forthcoming implementation of the EU Collective Redress Directive will allow class actions for breaches of the GDPR for the first time. While the current $1.3 billion fine sounds like a big number, it could be tiny compared to what we might see in the future. This could actually mean death by a thousand cuts if Big Tech doesn’t make significant changes to its data operations.
Are we headed for a Splinternet?
Meta’s hefty GDPR fine is a sign of the growing global conflict over data governance and privacy laws. While the decision gives Meta six months to comply with an order to stop Facebook transferring personal data from the EU to the US, the outcome could differ depending on how and when Washington finalizes a transatlantic deal with the EU to allow data transfers.
Depending on the outcome of those decisions and Facebook’s internal response, the case could herald the beginning of internet fragmentation as the world’s largest tech companies struggle to comply with an increasingly complex and conflicting matrix of regional privacy regulations. Much as this case sets legal precedent for cross-border data transfers, Meta’s technical response will surely set the precedent for the solutions developed going forward.
During my time at the World Economic Forum (WEF), such a legal conundrum was not unexpected. Executives spoke of these relationships less as a matter of technology or law and more as a matter of power. Discussions detailed how we can envision a future where the Internet reflects physical, nation-state jurisdictions. It’s easier to understand the world where we have a US internet, a European internet, a Chinese internet (which you could argue already exists), an Indian internet and an internet for every other nation, which has the power and technical knowledge to define its internet jurisdiction. That would be modern colonialism and one could argue that we have been in this process for a decade.
The formation of internet jurisdictions seems like a logical future based on what we see today. Governments are unwilling to give up their power to a borderless society, and many citizens are not interested in global government either. Replicating physical, nation-state jurisdictions also makes sense because progress often comes from the familiar — the easiest way for people to conceive innovations, whether technology or law, is to build on what we already know. As similar decisions are made by courts around the world, and solutions are designed or redesigned to accommodate new restrictions, one cannot help but wonder: Are we on the brink of a fragmented internet?
Joe is an award-winning designer, author of Automating Humanity, international keynote speaker and expert on Netflix’s The Social Dilemma. He currently spends his days analyzing risk in data transactions online at DataGrade.