A company asks regulators to approve its plan to comply with a new law. The regulators say, “fine, go ahead.” Four years later, the same regulators say “No, you have broken the rules and must pay a huge penalty.”
That’s what has happened to Meta — and its woes underline much of what is wrong with Europe’s strong privacy rules. More than causing financial pain, the punishment threatens to fragment the Internet, making it difficult to transfer data across the Atlantic — and threatening to explode improving transatlantic tech ties.
How did we get to this impasse? Five years ago, on May 25, 2018, the EU’s pathbreaking GDPR went into force. It required companies — from small mom-and-pop operations to multinational giants — to implement tough policies to protect Europeans’ privacy. As a political move, GDPR proved a resounding success — setting a global standard, raising the importance of privacy protections, and pleasing European voters.
Yet GDPR, like the protagonist in a Shakespearean tragedy, suffers from a fatal flaw — botched enforcement. National regulators where companies have their EU headquarters are mandated to enforce the rules. That means Ireland, home to Meta and Alphabet, among others, and Luxembourg, home to Amazon, must do the heavy lifting. As small countries, with small data protection agencies, they struggled.
The two countries also took a more lenient view than privacy hardliners desired. When Meta proposed using “contracts” to transfer data across the Atlantic, the Irish regulator judged them legal. But four continental privacy regulators later opposed the Irish green light. In a statement announcing the €1.2 billion fine, the Irish regulator said it disagreed but had been forced by its European peers to impose it.
The Irish DPA plans to fight the ruling. Earlier this year, it sued the European Data Protection Board — the pan-EU body of privacy regulators that coordinate privacy decisions — arguing that it overstepped by compelling Dublin to impose fines on Meta.
Meta also plans to appeal. In a statement, it called the decision “flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.” For the company, the fine must seem enormous, given the circumstances. What worries it even more than the money involved is the threat to its business model, ending its ability to transfer data to the US.
Ostensibly, the motive is to protect EU citizens from American government surveillance. In 2020, the EU’s Court of Justice ruled that US surveillance programs violated GDPR.
The ruling created a mess. It didn’t take into account that European spy agencies do as much or even more spying on their own populations than the US does, and that in the wake of Edward Snowden’s revelations, the US has enacted reforms of its intelligence gathering. In contrast, the EU Court has no powers to restrict national security snooping because national security is outside the EU’s scope.
Above all, the court judgement didn’t provide a clear method for companies to transfer data between the regions. Facebook and others relied on contracts to transfer data across the Atlantic Ocean. These now have been ruled illegal, creating risk not only for Meta, but almost all US companies conducting transatlantic business with European customers.
To their credit, the Biden Administration and the European Commission recognize the danger and have agreed on a new transatlantic data deal. It would establish a new US Data Protection Review Court that would allow European citizens to file claims if they believe their data was collected in violation of GDPR rules.
European authorities must move fast to put the new deal in place. It’s also imperative that Europe clean up its enforcement of tech regulations. Instead of outsourcing to national governments, a single European-wide enforcer would be preferable. This would avoid diverging decisions that cost Meta.
Upset about the GDPR enforcement mess, the EU seems to be learning. For the new Digital Services and Digital Markets Acts, the Brussels-based European Commission will take the lead, although national regulators continue to play a potentially divisive role.
While Meta and Ireland’s appeals run their course, Facebook’s European users should notice no change in services. But if the appeals fail, Meta would be forced either to shut down on the continent, something it has threatened in the past, or more likely, attempt to separate its European user data from its non-European user data and store the European data within the EU.
This will be costly — and threatens the viability of a global democratic Internet, divorcing the European Internet from the US Internet. China and Russia already have split away to form their own authoritarian digital model. It would be disastrous if democracies divide their digital worlds.
Bill Echikson is a non-resident CEPA Senior Fellow and edits CEPA’s Bandwidth section.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.