On Monday, Ireland’s Data Protection Commission fined Meta, Facebook’s parent company, more than a billion dollars for breaching the European Union’s data-privacy rules, and ordered the social network to stop sending data that it has collected from European Facebook users to the United States. The fine is one of the largest to have been levied since the EU adopted the General Data Protection Regulation, a data-privacy law more commonly known by the initials GDPR, in 2016. The Irish decision calls into question not just Facebook’s data-collection apparatus—and the multibillion-dollar business model that it supports—but the similar data-handling and monetization practices of almost every other global social network and online service. Nick Clegg, the head of global affairs for Meta and a former deputy prime minister of the UK, said that the ruling risks carving the internet “into national and regional silos.”
Despite the apocalyptic tone of its response, Meta’s data-handling practices won’t have to change any time soon. The ruling offers a grace period of five months before the company has to take action; Meta has also said that it plans to appeal the decision and ask for the order to be stayed in the meantime, a process that could drag on. In part, that’s because the ruling is just the latest salvo in a longer-running battle over how data should be handled by global businesses like Meta—one that dates back to when the GDPR was first being developed.
As part of the negotiations over the regulation, the US and the EU came up with a bilateral agreement known as the Privacy Shield, also known as the “adequacy decision,” under which the transfer of personal data could only take place if the receiving country “ensures an adequate level of protection.” What this entails has been the subject of much debate, not least because the EU’s Charter of Fundamental Rights enshrines the right to both a “private life” and the “protection of personal data.” In the summer of 2020, after several years of cooperation under the Privacy Shield arrangement, the EU’s Court of Justice, or ECJ, which is based in Luxembourg, ruled that the framework of the agreement was “no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.” At the time of the ECJ’s decision, more than five thousand companies relied on the Privacy Shield agreement to do business with the EU, including Google and a number of other large technology providers.
Note: This was originally published as the daily newsletter for the Columbia Journalism Review, where I am the chief digital writer.