On Monday,Ireland’s Data Protection Commission,acting at the behest of the European Protection Board,imposed a €1.2 billion ($2 billion) fine on Meta for not adequately protecting user data that was transferred from Europe to the US.
Mark Zuckerberg’s Meta says it is being singled out.Bloomberg
It would appear the Europeans wanted to make a high-profile example of Meta,given that there would be thousands,if not hundreds of thousands,of businesses that accumulate user data in Europe but transfer and store that data on their servers and in their data centres in their home countries.
Europe has arguably the toughest data privacy laws on the planet (),having enacted the General Data Protection Regulation laws in 2018 to impose obligations on those who target or collect data related to people within the European Union.
The big US tech companies have been fined regularly,and heavily,for breaches of the laws. The previous record for a fine was held by Amazon,which was hit with a €746 million ($1.24 billion) fine in 2021 for its alleged misuse of individuals’ data.
Meta/Facebook has previously been fined six times,for a total of about €1.3 billion,for breaches by the platform and its Instagram and WhatsApp businesses. It was also fined a massive $US5 billion ($7.5 billion) by the Federal Trade Commission in the US in 2019,where the Trump campaign gained access to the personal data of millions of users without their consent.
Pressure has mounted on social media giants to do more to stop youth crime antics from spreading online as Queensland grapples with a youth crime crisis.
Until 2020,the US and Europe had a “privacy shield” agreement that enabled the transfer of user data between Europe and the US,but revelations that the US intelligence agencies had been given access to the data held by social media platforms led to an EU’s Court of Justice ruling that the transfers of European data weren’t sufficiently protected in the US.
Subsequently,Meta and others relied on contractual clauses in agreements with users,but the European regulators determined that they didn’t provide sufficient privacy protections.
The EU and US are working to develop a new trans-Atlantic data privacy regime,potentially as early as July,that would provide safeguards and assurances of privacy protections for data transferred and stored in the US. With Meta promising to appeal the latest decision,an agreement might be reached in time to render this week’s judgement anachronistic.
What the decision and fine do demonstrate is that the Europeans take the data privacy of their citizens far more seriously than almost every other community,with,as noted,the possible exception of China. As Meta noted,there is a fundamental conflict between the approach the US and other Western governments take to access to data and the Europeans’ approach.
Indeed,there’s a massive difference to the way the US and other governments view big tech’s activities more broadly relative to the EU,where legislation regulating content moderation,the transparency of what they are doing with consumers’ data,and anti-competitive practices are far more stringent and prescriptive than in most other jurisdictions.
(Twitter,for instance,,is facing a forced exit from Europe if it can’t demonstrate an ability to comply with an EU code on disinformation that is soon to become law).
Meta made the point that the ability of data to flow seamlessly across borders is fundamental to how internet commerce functions. It’s not just the big social media and e-commerce platforms that collect and use user data – thousands of companies collect data from other countries’ citizens and,in an era of cloud computing,store it in data centres in their home countries.
“Without the ability to transfer data across borders,the internet risks being carved up in national and regional silos,restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on,” Meta said.
If the Meta decision stands,it might have to remove all the existing data it holds related to Europeans,which would be a costly,and perhaps impossible,nightmare.Bloomberg
In the absence of a new agreement between the EU and US,Meta and many others – particularly those pursuing the “data for service” model employed by the social media platforms – will find it difficult,if not impossible,to collect or hold data on Europeans in their home markets.
They could,at great cost,replicate their (predominantly US) infrastructure and operations within a tight EU silo or excise the EU from their businesses. In Meta’s case,Europe represents about 10 per cent of its global revenues.
As concerning,if the Meta decision stands,it might have to remove all the existing data it holds relating to Europeans,which would be a costly,and perhaps impossible,nightmare.
In some respects,the big tech companies have brought this outcome on themselves,and others.
They have been very aware that privacy is regarded very differently in Europe than it is in the US – the massive catalogue of fines they have built up would,by itself,have put them on notice – but they have ploughed on without significantly changing their practices.
The sooner the EU,US and other advanced economies can come up with a shared view of how to manage and protect users’ data,the better.
Meta is aggrieved that it has been singled out. Not only do thousands of other companies use the same contractual mechanism to operate within Europe,but so too does China. The EU hasn’t taken similar actions against China or Chinese companies,although,ironically,the US i that the EU has just done to Meta.
The sooner the EU,US and other advanced economies can come up with a shared view of how to manage and protect users’ data,the better.
While it is the US technology companies that have been caught within the collision of the EU regime and its less aggressive US counterpart,European companies are at a distinct disadvantage in trying to compete,given that they operate under the strictest of privacy laws while their competitors appear to treat the fines they face as something to be either endlessly appealed or perhaps just absorbed as the cost of doing business in Europe.
More broadly,the 21st-century global economy can’t function effectively or efficiently if data is quarantined within national borders. The EU and US,as the lead protagonists in the debate about the relationship between data privacy and borderless commerce,need to devise a framework that protects one without unduly burdening the other.
The Business Briefing newsletter delivers major stories,exclusive coverage and expert opinion..