Does the growing online muscle of the European Union mean the long-awaited arrival of real privacy online, or the creation of a “splinternet” as international borders begin to make their presence known online as well as off?
It’s an increasingly crucial question. On Monday, Facebook was handed a record fine for a GDPR breach. The social network’s parent company, Meta, was hit with a bill for more than a billion pounds over its ongoing data transfers from the EU to the US. From our story:
The [Irish Data Protection Commission] punishment relates to a legal challenge brought by an Austrian privacy campaigner, Max Schrems, over concerns resulting from the Edward Snowden revelations that European users’ data is not sufficiently protected from US intelligence agencies when it is transferred across the Atlantic.
Meta has also been given six months to stop “the unlawful processing, including storage, in the US” of personal EU data already transferred across the Atlantic, meaning that user data will need to be removed from Facebook servers.
This finding is an astonishingly long time coming: the fight between Facebook and EU regulators has been running for more than a decade so far. It starts even further back, in 2000, when the EU and the US agreed the “safe harbour privacy principles”, which basically stated that each regulator accepted that the other region’s privacy practices were acceptable. In 2011, Max Schrems, an Austrian lawyer, began attacking that agreement in court, arguing that Facebook didn’t comply with European regulations. But Schrems’ case was given a boost in 2013, when the Snowden revelations and the US government response revealed a fundamental problem: the American state didn’t respect the privacy rights of foreigners.
In 2015, after a two-year legal battle, the EU’s Court of Justice ruled in Schrems’ favour, and declared the Safe Harbour agreement invalid. A year later, the EU-US Privacy Shield was agreed, attempting to again ensure that European rights are upheld by American companies; and in 2020, that too was struck down, with the court ruling that the US still does not limit surveillance of EU citizens to that which is “strictly necessary”.
Those fights led to this week’s ruling, which found that by transferring data from European citizens to servers in the US, Facebook was exposing them to unacceptable risk that their “fundamental rights and freedoms” would be infringed.
If you’re wondering why it took almost three years to make that final ruling, there’s a second background plot here, which is the longstanding accusation that Ireland’s Data Protection Commission is too close to the tech companies it regulates. In this case, the Irish DPC initially declined to levy a fine, forcing the European Data Protection Board (EDPB), a transnational regulator that arbitrates disputes between national bodies, to step in. The EDPB overruled the Irish regulator and ordered that the record fine be imposed.
Splinternets
It’s unclear how Facebook intends to respond to the ruling. A blogpost co-signed by Nick Clegg, Meta’s president for global affairs, says the company intends to appeal “both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines”, complaining that the company has been “singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe”.
If that doesn’t work, Facebook is hoping that third time is the charm: where Safe Harbour and Privacy Shield failed, a new agreement, the Data Privacy Framework, might succeed. “If the DPF comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users,” Clegg and Meta’s chief legal officer Jennifer Newstead write, based on a finding by the Irish DPC.
But if the DPF gets held up on either side of the Atlantic – or if Schrems strikes again and gets a third international agreement torpedoed by the courts – then Facebook will have a much more difficult decision to make. Meta has insisted it is not possible to provide its services without the sort of data transfers that it was today fined for, even going so far as to warn in its most recent quarterly results that, without some sort of resolution, it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe”.
Few believe the maximal reading of the threat. The EU is a huge market, and Meta is unlikely to simply evacuate, even if it becomes harder to run profitably. But the days of multinationals unthinkingly pursuing global platforms already feel like a thing of the past, and this is another nail in that coffin.
For another example, take the launch of Google’s Bard chatbot, available in 180 countries and territories – but not the EU. From Wired:
after newsletter promotion
A number of experts who spoke to Wired suspect that Google is using Bard to send a message that the EU’s laws around privacy and online safety aren’t to its liking. But more than this, it could be a sign that generative AI technology as it exists now is fundamentally incompatible with existing and developing privacy and online safety laws in the EU.
The uncertainty around Bard’s rollout in the region comes as the bloc’s lawmakers are negotiating new draft rules to govern artificial intelligence via the fledgling AI Act. A number of existing laws, from GDPR to the Digital Services Act (DSA), may also be holding up the rollout of generative AI systems in the bloc.
And let’s not forget the UK government’s face-off with WhatsApp, another Meta company, over end-to-end encryption:
The UK government risks sleepwalking into a confrontation with WhatsApp that could lead to the messaging app disappearing from Britain, ministers have been warned, with options for an amicable resolution fast running out.
The limits aren’t just coming from the eastern coast of the Atlantic. As the American right jettisons its historic lip service to free speech, the country’s own internet regulations are threatening to impose state-level borders on the web. Take TikTok, which was banned in Montana last week:
Montana’s new law, which will take effect 1 January, prohibits downloads of TikTok in the state and would fine any “entity” – an app store or TikTok – $10,000 per day for each time someone “is offered the ability” to access the social media platform or download the app. The penalties would not apply to users.
I don’t want to overstate things. Warnings of a splinternet have been floating around the web for as long as I’ve been reporting on technology, with the outcome often cited as a lazy argument against any attempt to impose regulatory burdens on the net at large. But it feels closer to reality than it ever has before. Is that a good thing?
If you want to read the complete version of the newsletter please subscribe to receive TechScape in your inbox every Tuesday.