Meta (formerly Facebook), the ubiquitous social networking giant, has been struck with a record €1.2 billion GDPR fine for its decade-long involvement in US mass surveillance, with a special focus on its cross-border transfers of sensitive EU data. This recent ruling, coupled with the imposition of stricter data transfer policies, may mark the beginning of a tectonic shift in global data governance, one that threatens to fracture the very fabric of the internet.
In a landmark decision reached after ten years and three court procedures, the European Data Protection Board (EDPB) has mandated that Meta cease all transfers of European personal data to the United States. The directive rests on the finding that Meta, being subject to US surveillance laws such as FISA 702, cannot protect that data to the standard EU privacy rights require.
The implications of this ruling are profound, not only for Meta but for all large US cloud providers, including Microsoft, Google, and Amazon. All are subject to the same US surveillance laws, and with the impending reauthorization of FISA 702 by December 2023, the pressure for substantial changes to US surveillance laws is mounting.
International Transfers Make The Internet Borderless
The ruling throws a wrench into Meta’s plans for future data transfers and could do the same for the rest of the internet. The company hoped to rely on a new EU-US data transfer deal, which already faces severe criticism from the European Parliament and is expected to come into effect later this year. However, if previous EU-US data deals are any indicator, the new deal could be invalidated by the Court of Justice of the European Union (CJEU), leading to retroactive consequences.
Throughout the years, the Irish DPC, tasked with regulating Meta in Europe, has attempted to circumvent the proceedings by dismissing initial complaints and trying to shield Meta from the fine. However, the European courts have consistently overruled these attempts, leading to legal costs exceeding €10 million. Interestingly, the record fine will go to the Irish state, the very entity that tried to prevent its issuance.
What can Meta do?
The question now becomes: how exactly will Meta operate? And what impact will that have on its users, both European and not? There are three potential routes forward:
- Pull out of Europe entirely, leaving the continent with major gaps in its communications infrastructure. I’ve had friends overseas concerned they may lose access to communications with their friends and business associates around the world if this gets too strict. Despite rumors that Meta may discontinue its services in Europe, this is highly unlikely given Europe’s status as its largest source of income outside the US and the fact that it has already begun building data centers in the EU.
- Ignore the law, as we’ve seen Meta do in the past, and continue to pay fines as a cost of doing business. If we’re being honest, this isn’t a terrible option for Meta when you consider the scope of the fine: $1.3B for a ten-year period in which the company earned $553.5B in revenue, a measly 0.2% of revenues. The thing to keep in mind, as Max Schrems pointed out in the NoYB press release, is that “The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years.”
- Comply by creating a ‘federated’ social network model in which most personal data stays within the EU, with exceptions for ‘necessary’ transfers. This is a questionable solution in terms of strict legal compliance, but in the near term, and until anyone is capable of digging into the meat of Meta’s operations, it should satisfice regulators enough to get them off Meta’s back for a while. But will this be technically feasible for every company providing services to the EU? A project of this scale will likely cost Meta hundreds of millions of dollars, which means smaller and mid-sized providers are unlikely to be capable of such a feat. Will this ruling stifle innovation and create an even bigger walled garden for Big Tech in Europe?
Legal Considerations When Defining A Path Forward
In a press release from the European Data Protection Board (EDPB), Andrea Jelinek, EDPB Chair, said, “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences.” We can all be sure that Meta will attempt to get the decision reversed, but it’s doubtful we’ll see any material changes to the ruling. So what can Meta do, legally, to resolve this situation?
There is no provision within GDPR for ‘necessary’ transfers in the absence of an adequacy decision, and even the derogations under Article 49 only allow such transfers “…if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer…” We’ve already seen that the courts don’t consider advertising a “legitimate interest,” and it’s a safe bet they’re not looking to change their stance on that topic anytime soon.
Meta may lean on consent, but legitimate consent in the EU is an incredibly strict standard. Article 49(1)(a) provides a derogation where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards,” but meeting that bar is impossible given the technical complexity of Facebook’s architecture, vendor ecosystem, and business model. And inferred consent, perhaps because a user made a friend connection in the United States, does not count as explicit, informed consent.
A federated social network may reduce the volume of transfers, but it would be difficult to claim the remaining transfers are ‘not repetitive’, limited in scope, and balanced under legitimate interests. Meta has over a billion users; repetition and limited scope will never be avoidable. And obtaining explicit, informed consent from all of these users is doubtful. That means there is no technical way for Meta, or others, to strictly comply with the law without a significant technical breakthrough or an adequacy decision.
A further consequence of the recent CJEU ruling is that users may be able to claim emotional damages for violations of their data protection rights. For example, the Dutch consumer rights organization Consumentenbond is currently signing up Dutch Facebook users to bring claims over EU-US data transfers, and the imminent implementation of the EU’s Collective Redress Directive will allow collective actions for GDPR violations for the first time. So while the current $1.3B fine sounds like a large number, it may be minuscule compared to what we could see in the future. This may truly be death by a thousand cuts if Big Tech doesn’t make significant changes to its data operations.
Are We Headed Towards A Splinternet?
Meta’s massive GDPR fine is indicative of the growing global clash over data governance and privacy laws. While the decision gives Meta six months to comply with the order to stop transfers of Facebook’s EU personal data to the U.S., we could see a different outcome depending on how and when Washington finalizes a transatlantic agreement with the EU to allow data transfers.
Depending on the outcome of these decisions and Facebook’s internal response, the case could herald the start of a fragmentation of the internet, as the world’s largest tech companies grapple with adhering to an increasingly complex and contradictory matrix of regional data privacy regulations. Just as this case sets legal precedent on cross-border data transfers, Meta’s technical response is sure to set a precedent for how to architect solutions for the future.
During my time with the World Economic Forum (WEF), this type of legal conundrum was not unexpected. Leaders spoke about these relationships less as a matter of tech or law and more in terms of power. Discussions detailed how we may see a future where the internet mirrors physical, nation-state jurisdictions. It’s easier to understand a world in which we have a United States internet, a European internet, a Chinese internet (which you could argue already exists), an Indian internet, and an internet for every other nation that has the power and technical knowledge to define its own internet jurisdiction. This would be modern-day colonialism, and it could be argued we’ve already been in the process of this for the last decade.
The formation of internet jurisdictions seems like a logical future based on what we’re seeing today. Governments are not prepared to give up their power to a borderless society, and many citizens, similarly, are not interested in a global government. Replication of physical, nation-state jurisdictions is also reasonable because progress is often born from the familiar: the easiest way for humans to conceptualize innovations, whether in tech or law, is to build upon what we already know. As similar decisions come from courts around the world and solutions are architected or re-architected to meet new constraints, one can’t help but wonder: are we on the brink of a splintered internet?
Source: https://www.forbes.com/sites/joetoscano1/2023/05/23/does-metas-13b-eu-fine-mean-a-splintered-internet-in-the-future/