Facebook Fined $1.3B — Zuckerberg Furious in GDPR Fight

Mark Zuckerberg caricatureNo legal way to move Europeans’ data to the US since 2015. Cloud industry better take note.

Europe has finally decided to slap a €1.2 billion penalty on Meta. It’s for Facebook’s illegal processing of user data in the U.S., where there’s no privacy protection in law.

It’s taken 10 years to decide. In today’s SB Blogwatch, we see this rumbling on for another decade.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Async Forever.

GDPR Move for Mark’s Money

What’s the craic? Annabelle Timsit reports—“EU slaps Meta with record $1.3 billion fine”:

Longstanding political and legal struggle
It is the largest GDPR fine the bloc has ever handed down … after finding that Facebook’s parent company broke the bloc’s laws by transferring user data from Europe to the United States. [The] transfers were in breach of the E.U.’s General Data Protection Regulation (GDPR) … laws that restrict what companies can do with people’s personal data. [Specifically] Article 46(1).

Under the terms of the ruling, Meta will have five months to put in place measures to halt all future transfers of personal data to the United States and six months to stop “the unlawful processing, including storage, in the US of personal data of EU/EEA users.” [It] is the latest development in a longstanding political and legal struggle to reconcile American laws on consumer data with European laws, which are more protective of online privacy and security.

It’s been a long time coming. Natasha Lomas holds her breath—“Meta ordered to suspend Facebook EU data flows”:

Doom loop
It’s finally happened. … The decision … flows from a complaint made against Facebook … almost a decade ago, by privacy campaigner Max Schrems — who has been a vocal critic of Meta’s lead data protection regulator in the EU, accusing the Irish privacy regulator of taking an intentionally long and winding path in order to frustrate effective enforcement of the bloc’s rulebook. … The Irish regulator is routinely under-enforcing the GDPR on the most powerful digital platforms and doing so in a way that creates additional problems for efficient functioning of the regulation since it strings out the enforcement process, [which] does make a mockery of citizens’ fundamental rights.

Meta is far from the only company affected by the ongoing legal uncertainty attached to EU-US data transfers … so pressure is likely to be amped up on lawmakers on both sides of the Atlantic. … Reports have suggested the European Commission could adopt the new EU-US data deal in July, [which] would mean Meta gets a new escape hatch to avoid having to suspend Facebook’s service in the EU. … Earlier today [a European] Commission spokesman … discussed ongoing work towards adopting a replacement transatlantic data adequacy deal [saying] the Commission expects [it] to be “fully functional by the summer.”

At the same time, legal challenges to the new transatlantic data transfer deal are expected and Schrems gives the EU-US pact a tiny chance of surviving legal review. [He] has previously suggested the company will … need to federate Facebook’s infrastructure in order to be able to offer a service to European users which does not require exporting their data to the US. … So Meta and other US giants whose business models hinge on exporting data … could find themselves back in this doom loop soon enough.

Horse’s mouth? Max Schrems—“Decision required 10 years and 3 court procedures”:

The simplest fix
Ever since Edward Snowden’s revelations on US big tech aiding the NSA mass surveillance apparatus, Facebook (now Meta) was subject to litigation in Ireland. For ten years, Meta has not taken any material precaution, but simply ignored the European Court of Justice (CJEU) and the European Data Protection Board (EDPB).

For all future transfers, Meta now hopes to switch to a new EU-US data transfer deal. … These hopes may however be shattered soon: It is not unlikely that the new deal will be invalidated by the CJEU — just like the two previous EU-US data deals (“Privacy Shield” and “Safe Harbor”). Such invalidations [are] retroactive. … The new deal has maybe a [90%] chance of … being killed.

The simplest fix would be reasonable limitations in US surveillance law. … We need probable cause and judicial approval of surveillance. It [is] time to grant these basic protections to EU customers of US cloud providers. Any other big US cloud provider, such as Amazon, Google or Microsoft could be hit with a similar decision. … This decision may lead to civil litigation against Meta in Europe. This summer the EU also implements a new ‘class action’ system.

What does Meta have to say? Failed politician Nick Clegg offers, “Our Response”:

Regulatory and legal uncertainty
This is not about one company’s privacy practices — there is a fundamental conflict of law. … We will appeal the ruling, including the unjustified and unnecessary fine. … This decision is flawed, unjustified and sets a dangerous precedent.

In 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield – a key legal mechanism for the transfer of personal data from the EU to the US. This decision created considerable regulatory and legal uncertainty. … Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans.

Schrems’ argument is simple—“We need probable cause and judicial approval.” Donald Akins couldn’t agree more:

The hypocrisy is astounding. The U.S. wants to ban TikTok because of fears of China getting access to data on Americans, but … a U.S. company does the same with other countries’ data.

America used to have a reputation of character, liberty, protection of rights, a force of good, etc. Contrary to its current self-perception of virtue, the only real difference between the U.S. and any other country is latitude and longitude.

Another day, another slap in the face for Farcebork? This Anonymous Coward is feeling some déjà vu:

The US doesn’t have any privacy laws, except ones that cover medical records. … Facebook does ghastly things as part of their daily business, argues the fines down to basically nothing and moves on, and we all just ignore it.

But why didn’t Meta do something about it earlier? mackman runs the numbers:

The cost of setting up additional data centers in Europe and re-architecting your application with a different replication strategy is probably 10x-50x the fine. It would also take years and a sizable fraction of the engineering team to make it happen and there will be significant performance and reliability issues throughout the process. Easier to pay the fine and lobby for rules changes for a decade.

What happens to the money? 1s44c knows where it won’t go:

I’m betting not one single cent out of that massive fine will go to the people who were harmed by Facebook.

The Irish data regulator doesn’t come out smelling of roses. matsemann sniffs between the lines:

Kinda crazy how Irish regulators did everything in their power to avoid this outcome. But I guess that’s why Meta and other big players are situated in Ireland: They rely on them not enforcing stuff and some meager taxes.

“Doing everything in their power” here is to do nothing—so that’s quite easy. My guess is push from above to be as lax as possible, so that companies choose to stay in Ireland vs. other EU countries. Or the funding to the data protection agency is intentionally nerfed to keep them from being able to actually do anything.

Meanwhile, what’s the fundamental reason we’re in this mess? Virtucon cuts to the chase:

With the Patriot Act and the abuse of National Security Letters, your data is no safer in the US than it is in China.

And Finally:

Your NFTs are worthless

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: DonkeyHotey (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 616 posts and counting.See all posts by richi