“Worldwide” Web?: E.U. Privacy Fine Risks Creating National Borders On The Internet

Last Monday, the European Union fined Meta – formerly Facebook – a record-breaking 1.2 billion Euros ($1.3 billion) for violating crucial privacy protection laws, citing concerns with how the company has handled user data such as names, emails, I.P. addresses, messages, viewing history, and other personal information. The decision came with a demand that Meta stop transferring users’ data from Europe to the United States within five months and “[cease] the unlawful processing, including storage, in the U.S. of European users’ data” within six. This is the largest, most significant privacy penalty seen since the European Union established a strict privacy regime with the enactment of the General Data Protection Regulation (G.D.P.R.) five years ago.

“The unprecedented fine is a strong signal to organizations that serious infringements have far-reaching consequences,” Andrea Jelinek, chair of the European Data Protection Board, said, but other parties have been less confident. “If the company has to scrub data for hundreds of millions of European Union users going back 10 years, it is very hard to see how it will be able to comply with that order [within the E.U.’s deadline],” warned senior Irish Council for Civil Liberties member Johnny Ryan.

It is uncertain whether Meta will cut off services for its European users. Meta has promised that there will be “no immediate disruption to Facebook in Europe,” but according to Austrian privacy activist Max Schrems, the company “will have to fundamentally restructure its systems” to comply with the court unless the United States changes its current surveillance laws. Without the legal grounds for transferring users’ data, Meta’s services in Europe will be forced to stop, the company says, “which would materially and adversely affect our business, financial condition, and results of operations.”

The company has publicly announced that it will be appealing the decision, foreseeing a prolonged legal process but holding to the claim that it is being unfairly punished for using data-sharing operations that many other tech companies use. “This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the E.U. and the U.S.,” said Nick Clegg, Meta’s global affairs president.

This case highlights the history of conflict between Europe’s severe data privacy laws and the U.S.’s comparatively relaxed views of privacy. The strict controls the E.U. has introduced over companies’ security and permissions regarding platforms and user data have been influential in regulating Big Tech’s power. U.S. policies, meanwhile, give intelligence agencies authority to intervene in communications, including digital messages from Europe.

An E.U.-U.S. data-sharing agreement known as the Privacy Shield Pact, which allowed companies like Facebook to transfer users’ data between regions, was shot down in a 2020 court hearing as part of a lawsuit from Austrian privacy activist Max Schrems. The European court sided with Schrems, finding that the pact was not adequate to protect residents’ fundamental rights from the U.S. government’s electronic spying.

Brussels and Washington have been collaborating, and last year agreed on a revised Privacy Shield pact that could cover Meta’s usage. If it passes before the company’s five-month deadline, the company says its services “can continue as they do today without any disruption or impact on users.” However, the agreement is awaiting approval from European officials, and there is a high chance the E.U.’s top court will not approve a new pact. Even if a new privacy pact is passed, “this is likely not a permanent fix,” Schrems warns. “Unless U.S. surveillance laws get fixed, Meta will likely have to keep E.U. data in the E.U.”

Meta is not the only company that will be affected by this case, which raises concerns about how Big Tech as an industry will handle user privacy given the disconnect between E.U. and U.S. policy. Schrems’ proposed solution is a “federated social network,” where personal data would remain in the European Union except for “necessary” conditions where transferring would be acceptable, such as a European user sending a direct message to a user in the United States. But however we move forward, an answer must be found in order to keep the “worldwide” in the worldwide web. “Without the ability to transfer data across borders,” Clegg said, “the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on.”