Sign up for The Media Today, CJRâs daily newsletter.
On Monday, Ireland’s Data Protection Commission fined Meta, Facebook’s parent company, more than a billion dollars for breaching the European Union’s data-privacy rules, and ordered the social network to stop sending data that it has collected from European Facebook users to the United States. The fine is one of the largest to have been levied since the EU adopted the General Data Protection Regulation, a data-privacy law more commonly known by the initials GDPR, in 2016. The Irish decision calls into question not just Facebook’s data-collection apparatusâand the multibillion-dollar business model that it supportsâbut the similar data-handling and monetization practices of almost every other global social network and online service. Nick Clegg, the head of global affairs for Meta and a former deputy prime minister of the UK, said that the ruling risks carving the internet âinto national and regional silos.â
Despite the apocalyptic tone of its response, Meta’s data-handling practices wonât have to change any time soon. The ruling offers a grace period of five months before the company has to take action; Meta has also said that it plans to appeal the decision and ask for the order to be stayed in the meantime, a process that could drag on. In part, that’s because the ruling is just the latest salvo in a longer-running battle over how data should be handled by global businesses like Metaâone that dates back to when the GDPR was first being developed.Â
As part of the negotiations over the regulation, the US and the EU came up with a bilateral agreement known as the Privacy Shield, also known as the “adequacy decision,” which required that the transfer of personal data could only take place if the receiving country “ensures an adequate level of protection.” What this entails has been the subject of much debate, not least because the EUâs Charter of Fundamental Rights enshrines the right to both a “private life” and the “protection of personal data.” In the summer of 2020, after several years of cooperation under the Privacy Shield arrangement, the EU’s Court of Justiceâor ECJ, which is based in Luxembourgâruled that the framework of the agreement was “no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.” At the time of the ECJâs decision, more than five thousand companies relied on the Privacy Shield agreement to do business with the EU, including Google and a number of other large technology providers.
The 2020 decision followed a long-running campaign by privacy organizations, but stemmed in large part from the efforts of one man: Max Schrems, an Austrian lawyer and activist who had been waging a war against Facebook and its data-sharing practices for nearly a decade. Schrems started raising the alarm about the company in 2011, when he was still a college student, mounting a campaign that grew into a grassroots revolt, called Europe Versus Facebook, which saw tens of thousands of users contact the company’s European headquarters in Ireland and demand copies of their data. Viviane Reding, the primary architect of what would eventually become the GDPR, cited Schremsâs activism in the process of lobbying for tighter controls over how internet services handle personal data in Europe.
After Schrems asked the Irish Data Protection Commission to force Facebook to hand over all of the data that it had on himâand Facebook responded by sending a CD-ROM containing over a thousand pages of textâhe realized that Facebook had access to personal information that he had never agreed to provide, including his physical location, and that the company had also retained data that he had deleted. The Irish regulator ordered Facebook to make changes to the ways in which it handled user data, but Schrems argued that this response didn’t address his more substantial complaints, and so, in 2013, he appealed to Irelandâs High Court. That court in turn referred the question to the ECJ, asking it to rule on whether individual countries should independently investigate the data-handling practices of internet companies, or whether they could rely on investigations by a third country.Â
The 2016 Privacy Shield was a result of this case. But Schrems continued his legal battle even after that framework was created, arguing that it didn’t do enough to prevent US intelligence agencies from getting access to personal data using methods that Edward Snowden, the former US national-security contractor, had exposed when he leaked a trove of sensitive internal documents in 2013. Schrems also argued that the Cambridge Analytica affair, in which personal data from Facebook was sold to a company that subsequently used it to target voters, would not have been possible if his concerns had been addressed. That case eventually led to the ECJâs 2020 decision invalidating the Privacy Shield agreement, forcing the US and the EU to develop a new version of the data-protection rules.Â
Last year, President Biden announced a new agreement, called the Data Privacy Framework. This was supposed to address the ECJâs decision by making it more difficult, at least in theory, for US intelligence agencies to gain access to the personal data of non-US citizens. But the latest decision from the Irish court effectively ruled that even this new framework doesn’t go far enough.
So what happens now? The US and the EU are said to be working on (another) updated version of the data-privacy framework, but itâs unclear whether they will be able to address all of the concerns raised by the ECJ or by privacy activists. “Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems,” Schrems said in a statement on Monday. He added that one solution would be to keep most personal data belonging to European users within the EU, but to exempt “necessary” transfers that might occur, for instance, when an EU user sends a direct message to a user in the US. Schrems isnât the only one thinking along these lines. According to the Information Technology and Innovation Foundation, a nonprofit US-based think tank, the number of laws, regulations, and government policies worldwide that require digital information to be stored in a specific country more than doubled to a hundred and forty-four between 2017 and 2021.
The sort of system described by Schrems could weaken Meta’s advertising business, which relies in part on the use of aggregated personal data to target usersâa business that generates more than a hundred billion dollars a year. And the implications of the order go far beyond Meta alone. The European Data Protection Board said that Meta’s infringement of personal data protections was especially serious because it “concerns transfers that are systematic, repetitive and continuous.” But this describes the behavior of many other internet-based services as well. Meta might end up being “the canary in the coalmine,” Joe Jones, of the International Association of Privacy Professionals, told the British newspaper The Telegraph, adding that dozens of companies have disclosed, in public investor reports, that the disruption to transatlantic data sharing has brought higher costs, among other negative impacts. “Thousands of other companies, including small businesses, depend on transatlantic data transfers,” Jones said.Â
Schrems, for his part, has noted that global tech companies such as Facebook and Google are protected by the way that the US conceives of the use of personal data. The US still has “this very nationalistic view of [what it means to be a] citizen or not citizen, which comes out of the Fourth Amendment,” Schrems said during a privacy debate in 2021. “Itâs a bit like Swiss banks saying âgive us all your gold, but once your gold is in Switzerland, thereâs no property rights anymore for foreigners.â” Ultimately, the tension between the European and American approaches to handling personal data, which Schrems has spent more than a decade highlighting, stems from a fundamental difference: between a social and regulatory structure that prioritizes the protection of personal privacy, and one in which there are no overarching federal laws regulating the handling of personal information. The US has a hodgepodge of state and national laws that cover some data, for some users, some of the timeâwith acronyms like HIPAA, FERPA, GLBA, and COPPAâbut nothing that protects the privacy of all personal data as a fundamental right.Â
Is there a way to bridge these two, very different philosophies? The US and EU will try again to build oneâtrillions of dollars in economic activity depends on it. But their systems may be fundamentally irreconcilable. And Facebook may not be the only company to pay the price.
Other notable stories:
- Last night, Ron DeSantis, the governor of Florida, launched his 2024 presidential campaign via a live audio conversation on Twitter. Eventually. The conversationâheld using the Twitter Spaces feature, and also starring Elon Musk, Twitterâs owner, and David Sacks, a tech investor and DeSantis donorâfailed to get off the ground for half an hour as the platform glitched; by the time the event started, half the initial listeners had floated away. DeSantisâs team claimed that the level of interest in his launch âbroke the internet.â By many metrics, the attendance was actually underwhelming, but it did at least break Twitter Spacesâa tool, CNN reports, that was designed for smaller-scale use. (One former Twitter staffer described Spaces as âa beta test that never ended.â)
- Earlier this week, the union representing most newsroom staffers at the Times reached agreement with management on a new contract, following years of negotiations and a walkout; Vanity Fairâs Charlotte Klein reports that a tiered wage-increase proposal was essential to breaking the impasse. In other media-business news, the startup Semafor raised nineteen million dollars in an investment round, replacing funding that it gathered from the disgraced crypto entrepreneur Sam Bankman-Fried. Benjamin Mullin has more for the Times. And another startup, The Messenger, which launched to a rocky reception last week, has already seen three editors resign. Mediaiteâs Isaac Schorr has the details.
- Kent Nishimura, a Washington-based photographer for the LA Times, writes that Dianne Feinsteinâthe eighty-nine-year-old California senator, whose capacity to serve has repeatedly been called into question of lateâhas been assiduously avoiding the press since returning to the Capitol following a severe recent case of shingles. Feinsteinâs staff âoften form a human barrier between her and the press corps, with one staffer pushing her wheelchair while others shout at photographers to move out of the way,â Nishimura writes. Her office has reportedly asked Congressional security to keep the press at bay. Â
- According to Article 19, a human-rights group, Marco Aurelio RamĂrez HernĂĄndez, a journalist and former public official in Mexico, was shot dead while driving his car in Puebla state this week. He became the second Mexican journalist to be killed this monthâfollowing the shooting of Gerardo Torres RenterĂa in Guerrero state, on May 11âand the third to be killed this year. So far, 2023 has been a less deadly year for journalists in Mexico than 2022 (as CJRâs Paroma Soni reported last year).
- And journalists at the Financial Times explored how Antigua News, a small news site in the Caribbean, scooped them (and the rest of the worldâs financial press) to an important story about the beleaguered Swiss bank Credit Suisse. Their inquiries led the journalists to Dario Item, who owns Antigua News while also working as a lawyer in Switzerland (and also serving as the Antiguan ambassador to Spain, Monaco, and Liechtenstein).
ICYMI: The Messenger is a news startup, but it feels like a blast from the past
Has America ever needed a media defender more than now? Help us by joining CJR today.