On Monday, Ireland’s Data Protection Commission fined Meta, Facebook’s parent company, more than a billion dollars for breaching the European Union’s data-privacy rules, and ordered the social network to stop sending data that it has collected from European Facebook users to the United States. The fine is one of the largest to have been levied since the EU adopted the General Data Protection Regulation, a data-privacy law more commonly known by the initials GDPR, in 2016. The Irish decision calls into question not just Facebook’s data-collection apparatus—and the multibillion-dollar business model that it supports—but the similar data-handling and monetization practices of almost every other global social network and online service. Nick Clegg, the head of global affairs for Meta and a former deputy prime minister of the UK, said that the ruling risks carving the internet “into national and regional silos.”
Despite the apocalyptic tone of its response, Meta’s data-handling practices won’t have to change any time soon. The ruling offers a grace period of five months before the company has to take action; Meta has also said that it plans to appeal the decision and ask for the order to be stayed in the meantime, a process that could drag on. In part, that’s because the ruling is just the latest salvo in a longer-running battle over how data should be handled by global businesses like Meta—one that dates back to when the GDPR was first being developed.
As part of the negotiations over the regulation, the US and the EU came up with a bilateral agreement known as the Privacy Shield, also known as the “adequacy decision,” which required that the transfer of personal data could only take place if the receiving country “ensures an adequate level of protection.” What this entails has been the subject of much debate, not least because the EU’s Charter of Fundamental Rights enshrines the right to both a “private life” and the “protection of personal data.” In the summer of 2020, after several years of cooperation under the Privacy Shield arrangement, the EU’s Court of Justice—or ECJ, which is based in Luxembourg—ruled that the framework of the agreement was “no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.” At the time of the ECJ’s decision, more than five thousand companies relied on the Privacy Shield agreement to do business with the EU, including Google and a number of other large technology providers.
Note: This was originally published as the daily newsletter for the Columbia Journalism Review, where I am the chief digital writer.
The 2020 decision followed a long-running campaign by privacy organizations, but stemmed in large part from the efforts of one man: Max Schrems, an Austrian lawyer and activist who had been waging a war against Facebook and its data-sharing practices for nearly a decade. Schrems started raising the alarm about the company in 2011, when he was still a college student, mounting a campaign that grew into a grassroots revolt, called Europe Versus Facebook, which saw tens of thousands of users contact the company’s European headquarters in Ireland and demand copies of their data. Viviane Reding, the primary architect of what would eventually become the GDPR, cited Schrems’ activism in the process of lobbying for tighter controls over how internet services handle personal data in Europe.
After Schrems asked the Irish Data Protection Commission to force Facebook to hand over all of the data that it had on him—and Facebook responded by sending a CD-ROM containing over a thousand pages of text—he realized that Facebook had access to personal information that he had never agreed to provide, including his physical location, and that the company had also retained data that he had deleted. The Irish regulator ordered Facebook to make changes to the ways in which it handled user data, but Schrems argued that this response didn’t address his more substantial complaints, and so, in 2013, he appealed to Ireland’s High Court. That court in turn referred the question to the ECJ, asking it to rule on whether individual countries should independently investigate the data-handling practices of internet companies, or whether they could rely on investigations by a third country.
The 2016 Privacy Shield was a result of this case. But Schrems continued his legal battle even after that framework was created, arguing that it didn’t do enough to prevent US intelligence agencies from getting access to personal data using methods that Edward Snowden, the former US national-security contractor, had exposed when he leaked a trove of sensitive internal documents in 2013. Schrems also argued that the Cambridge Analytica affair, in which personal data from Facebook was sold to a company that subsequently used it to target voters, would not have been possible if his concerns had been addressed. That case eventually led to the ECJ’s 2020 decision invalidating the Privacy Shield agreement, and forcing the US and the EU to develop a new version of the data-protection rules.
Last year, President Biden announced a new agreement, called the Data Privacy Framework. This was supposed to address the ECJ’s decision by making it more difficult, at least in theory, for US intelligence agencies to gain access to the personal data of non-US citizens. But the latest decision from the Irish court effectively ruled that even this new framework doesn’t go far enough.
So what happens now? The US and the EU are said to be working on (another) updated version of the data-privacy framework, but it’s unclear whether they will be able to address all of the concerns raised by the ECJ or by privacy activists. “Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” Schrems said in a statement on Monday. He added that one solution would be to keep most personal data belonging to European users within the EU, but to exempt “necessary” transfers that might occur, for instance, when an EU user sends a direct message to a user in the US. Schrems isn’t the only one thinking along these lines. According to the Information Technology and Innovation Foundation, a nonprofit US-based think tank, the number of laws, regulations, and government policies worldwide that require digital information to be stored in a specific country more than doubled to a hundred and forty-four between 2017 and 2021.
The sort of system described by Schrems could weaken Meta’s advertising business, which relies in part on the use of aggregated personal data to target users—a business that generates more than a hundred billion dollars a year. And the implications of the order go far beyond Meta alone. The European Data Protection Board said that Meta’s infringement of personal data protections was especially serious because it “concerns transfers that are systematic, repetitive and continuous.” But this describes the behavior of many other internet-based services as well. Meta might end up being “the canary in the coalmine,” Joe Jones, of the International Association of Privacy Professionals, told the British newspaper The Telegraph, adding that dozens of companies have disclosed, in public investor reports, that the disruption to transatlantic data sharing has brought higher costs, among other negative impacts. “Thousands of other companies, including small businesses, depend on transatlantic data transfers,” Jones said.
Schrems, for his part, has noted that global tech companies such as Facebook and Google are protected by the way that the US conceives of the use of personal data. The US still has “this very nationalistic view of [what it means to be a] citizen or not citizen, which comes out of the Fourth Amendment,” Schrems said during a privacy debate in 2021. “It’s a bit like Swiss banks saying ‘give us all your gold, but once your gold is in Switzerland, there’s no property rights anymore for foreigners.’” Ultimately, the tension between the European and American approaches to handling personal data, which Schrems has spent more than a decade highlighting, stems from a fundamental difference: between a social and regulatory structure that prioritizes the protection of personal privacy, and one in which there are no overarching federal laws regulating the handling of personal information. The US has a hodgepodge of state and national laws that cover some data, for some users, some of the time—with acronyms like HIPAA, FERPA, GLBA, and COPPA—but nothing that protects the privacy of all personal data as a fundamental right.
Is there a way to bridge these two very different philosophies? The US and EU will try again to build one—trillions of dollars in economic activity depends on it. But their systems may be fundamentally irreconcilable. And Facebook may not be the only company to pay the price.