
There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines. It’s possible this fine was intended to pre-empt the passing of any new frameworks and cash in on the uncertainty in the interim.

Fining foreign big tech over EU privacy nuances is like taking candy from a baby. The narrative zeitgeist on both sides of the pond is in support (stories of rigged elections for 4 years turned public opinion brilliantly).

While protecting your citizens’ rights is a noble cause, it’s hard not to see the moral hazard inherent in this approach.

Abusing your position as a desirable market to impose post-hoc tariffs via an endless stream of fines is questionable IMO. Especially while the US provides Europe with its extremely expensive military support blanket (NATO) against the angry bear at its door.




> Abusing your position as a desirable market to impose post-hoc tariffs via an endless stream of fines is questionable IMO.

There's a simple scenario in which Meta wouldn't have had to pay these fines: Don't break the law. And don't continue breaking the law after being told to stop it. It's not abusive to remind companies that actions have consequences in the language they understand and respect.


Do you honestly believe that Meta's hundreds (possibly thousands) of both full-time and contracted out lawyers would collectively advise them to break the law? Knowing full well the outcome would be $Billions in fines?

EU to US data transfers used to be okay for years, then there was a single ruling that brought that into question. Because government moves slow, there hasn't been a new framework implemented. Ruling for Billions in fines during the interim, while the US government and EU are still negotiating the details of the new framework is not an environment conducive to full compliance. US companies would essentially need to stop operating in the EU altogether if they wanted to be fully compliant.

Combine this with giant companies which also are slow moving (albeit faster than government) and you have a recipe for never-ending fines no matter how much you try to comply in good faith.


Corporate lawyering is basically about finding ways to break the spirit or letter of the law without being punished for it. Or to limit the punishment so that it is exceeded by the likely profit of breaking the law. So yes, Meta's thousands of lawyers probably recommend breaking (or "interpreting") certain laws in certain ways all the time because the cost/benefit analysis makes it worth it. And sometimes they miscalculate and the fines are larger than the profit or result in some unexpected political blowback. See also Apple's approach to its App Store and payment policies.

EU to US data transfers were questionable for years, until a whole string of rulings through several levels of national and E.U. courts made clear that they weren't under some circumstances. Other companies have found ways to deal with that, Meta obviously could have, but chose not to (because profits). One obvious way would be for Meta to save E.U. customer data on E.U. servers exclusively, splitting the social graph (and advertising shadow profiles, which likely is what they really care about). Good faith does not enter into the equation, would be my guess.


There was also a grace period during which time Meta made no substantive efforts to come into compliance. If Meta had even a half-baked EU solution they would not be so thoroughly and repeatedly punished.

Yeah, standing up a data center is not trivial, but Meta also hires the best in the world. Move fast and break things. In this case they didn’t even move at a medium speed, so they get no sympathy from me.


> Do you honestly believe that Meta's hundreds (possibly thousands) of both full-time and contracted out lawyers would collectively advise them to break the law? Knowing full well the outcome would be $Billions in fines?

Yes, absolutely. Laws are never clear and require human beings to interpret.

Lawyers' jobs are about assessing risk. While they might not have explicitly said "you will get fined $B", they will definitely say "here is the likelihood that the EU fines you" and then Meta management would make a strategic (e.g. do we want to risk this based on how much money we can profit) decision based on that.


> US companies would essentially need to stop operating in the EU altogether if they wanted to be fully compliant.

That's exactly what they should've done to not break the law while there was no legal basis for what they were doing.

They didn't. Now they suffer the consequences for breaking the law.


I believe they can still at any point stop operating in the EU and not pay the fine? How would the EU implement the fine if Meta pulled out? I thought their leverage was just the threat of blocking the service in the EU.


Meta has plenty of EU-based assets which are not liquid enough to just pull out in a matter of months. The EU and national governments would also likely have options under insolvency laws and criminal statutes to freeze some of Meta's assets in the EU if the company made an attempt to pull out to avoid some fines. Of course Meta won't. The EU is a valuable market and even if Meta would stop making any profit (they won't), it can't just leave that market to the competition.


I guess if no Facebook exec ever wants to touch European soil again, that is an option.


Wouldn’t this have to be a criminal case for execs to be personally liable? I assume it isn’t a criminal case?


It's not, but not paying a fine can quickly become a criminal offense.


Does this apply to foreign companies? I’ve never heard of such a thing.

If it was a domestic company, of course, assets could just be seized to pay the fine plus whatever non payment penalty. Is there a criminal charge after asset seizure? Or does this just never happen because there is no incentive to do it domestically?


Not a lawyer, but shutting down a subsidiary to avoid overwhelming fines is de facto messing with the insolvency laws, isn't it? At least in Germany that is a criminal offense for which the executives of the (parent) company are ultimately liable.

Plus, Meta actually is a domestic company in the E.U. They handle all their E.U. business through an Irish subsidiary (which is why the Irish data protection agency is responsible for all of this) and they also have subsidiaries to manage political and customer relations in many other E.U. countries, as well as presumably data centers, etc. Removing all of this would be a big project and would give government agencies plenty of time to seize assets. These assets could also include non-tangibles, i.e. the .de/.fr domains for their websites.


The law is almost a moving target, based on the whims of the current political zeitgeist and public opinion.

And law isn't binary, yes/no. Much US law is very murky and ambiguous. It takes litigation and court action to actually figure out what the poorly worded laws mean. Congress is really bad at creating law for some reason.


The cost of setting up additional data centers in Europe and re-architecting your application with a different replication strategy is probably 10x-50x the fine. It would also take years and a sizable fraction of the engineering team to make it happen and there will be significant performance and reliability issues throughout the process. Easier to pay the fine and lobby for rules changes for a decade.


$1.3bil is a huge sum of money. To put that into perspective you could pay 260 engineers $500k a year for 10 years with that money.

Or 260 engineers $1mil a year for 5 years with that money.

You honestly think it would take 2600-13000 engineers 10 years to do the work needed for compliance?


who says Meta will pay this fine? they will litigate until the end of times.


> There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

this will likely be found to be unlawful too in the way the last two were

the EU commission shouldn't be creating frameworks that it knows are unlawful (definition of malfeasance?)


Why not? It keeps bureaucrats employed. Thousands of them.


> a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines

What specifically has changed about US law relating to mass surveillance of foreign nationals that is going to make this one work?


Most likely even that, if and when it is done, will have flaws that sooner or later will cause its fall.

Purely from a logical perspective, preventing the data of a company operating in the United States and Europe from contaminating or coming into contact is a pure utopia, no matter how much effort it puts into that goal, or any other company operating in the same or similar field. There will always be a point of contact and a way for European data to be under the lens of some American agency or body.

In addition, Facebook is not really famous for its transparency in data management, so any commitment to the contrary I see as a paper promise.

NATO's excuse that because the US finances then anything is allowed is a fallacious argument.


> It’s possible this fine was intended to pre-empt the passing of any new frameworks and cash in on the uncertainty in the interim.

a new framework passing wouldn't retroactively legalize the transfers happening before that, so this doesn't make sense.


> There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

There’s already been two attempts at this, both of which were ratified, then struck down by the ECJ.

There’s already clear indications that attempt three isn’t much better than attempt one and two, and the smart money is betting on it not being ratified, or being struck down if it is.

In the meantime it’s been illegal for years to transfer EU data to the U.S. So even if it did suddenly become legal, those laws aren’t going to retrospect, and Facebook still engaged in blatantly illegal behaviour.


>"Abusing your position as a desirable market"

Sounds like something that the US does routinely.

>"Especially while the US provides Europe with its extremely expensive military support blanket"

1) I think it is more than compensated by Europe agreeing to use USD as the reserve currency. The US gets enormous benefits as the result.

2) Angry bear seems not to be able to win over a single country. Besides, the US does it for self-serving reasons. It is not a charity. And if it did not, I think Europe is quite capable of creating and maintaining their own army and weapons.


> There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

Black Books (S01E01) put it best:

> NICK VOLEUR: This new system, it's very closely modelled on the old system, isn't it?

> BERNARD BLACK: I'd go further than that, Nick, I'd say it was more or less exactly the same[.]

Given the US side of said framework is established by executive order[1] and the “court” it creates is part of the executive (much like the “ombudsperson” office that the CJEU struck down Privacy Shield over), it’s unclear if it will work, or if the Commission (an executive body who can establish these things but is subject to judicial review) is setting itself up for a Schrems III another ten years down the line for foreign-relations reasons. The EU privacy regulator very politely said it was dubious[2], while the relevant parliamentary committee[3] and later the full parliament[4] expressed open scorn.

The US diplomats, for their part, are trying for a “you too” defence[5]—which might well be factually true to some extent, just does not change anything about EU law.

> It’s possible this fine was intended to pre-empt the passing of any new frameworks and cash in on the uncertainty in the interim.

As the legal basis for a transfer is fixed at the time it’s performed, a framework cannot be retroactive (but “the Commission was wrong, the transfers weren’t lawful after all” decisions can be). So while the FUD may be real, the case could just as well have been decided after the new framework had been passed.

[1] EO 14086, https://www.federalregister.gov/d/2022-22531

[2] https://iapp.org/news/a/edpb-welcomes-improvements-to-eu-us-...

[3] https://iapp.org/news/a/meps-urge-european-commission-to-rej...

[4] https://www.europarl.europa.eu/news/en/press-room/20230505IP...

[5] https://www.politico.eu/article/washington-to-brussels-we-wa...


Why not do the data processing in the EU till the new framework comes into place?


How do you process data about an international social graph only in the EU? When a friend in the EU posts something, should their post not be seen in the US? What happens when I have a group conversation between friends in the US and EU?


Well, if the US and other countries don't have equivalent laws, you can move everything to the EU.

Of course, this doesn't work if another country has such a law. But if it's a smaller country, then it doesn't have as much leverage (e.g. Facebook could accept the smaller fine or pull out).


How do you move “everything” to the EU including messages sent to US citizens? What if the messages are in a group of people in the US and the EU?


What is your better suggestion: The world follows lax US law? Or anything goes, no law?

These are not acceptable options to the EU.


I don’t know, maybe let adults make their own informed decisions and weigh the tradeoffs versus benefits based on their own priorities instead of depending on the government?


You seem to have picked "Or anything goes, no law" which, as stated above, is not acceptable to the EU.

Naïve libertarian takes like "let adults make their own informed decisions" are all fine and well, but when there's a track record of their harm that can be pointed to already, it is, as stated, a non-starter.

You do know how that worked out so far, right?

https://www.nytimes.com/2018/10/15/technology/myanmar-facebo...

https://www.amnesty.org/en/latest/news/2022/09/myanmar-faceb...

Your position is an ideology, and it is one with a poor track record; you're welcome to it, but thankfully you're not going to force it on Europe.


So should we now pass laws that outlaw everything that can cause you harm - cigarettes? Alcohol? Gambling? Sugar? Do you also support the “war on drugs”?

How much power do you want to give the government because you are incapable of making your own decisions?


This is a very silly straw man argument, and I'm getting whiplash from the continual changes of topic in search of a valid point.


How so? The contention was that the government should protect intelligent adults because they are too dumb to use their own judgment. But adults are intelligent enough to use alcohol in a responsible way (which statistically is clearly not the case), but not intelligent enough to use a social media platform?


>There’s a new EU-US data framework that’s expected to be ratified within a year which should make EU-US transfers possible again under new guidelines.

Until it's struck down by the court again.

The agreement will not - it cannot - satisfy the requirements of the GDPR and CFR unless and until the US changes its law.


> The agreement will not - it cannot - satisfy the requirements of the GDPR and CFR unless and until the US changes its law.

Or unless and until the EU changes its laws.


Let's hope not, given that the stances are

US: "we demand the right to spy on anyone for any reason, except US citizens where we absolutely must recognize their constitutional rights"

EU: "we demand basic protections for the rights of our citizens"


Those two views sound the same? Or am I an idiot?


No. For one, even taken literally the way I wrote it it's about two different sets of people -- the EU must defend their citizens (and residents, BTW), of course!

For another, if one looks past my vague wording, the EU (or at least Germany, which I'm most familiar with) doesn't have the dogma that it's required to set up a world spanning total surveillance state, no compromises beyond the ones absolutely necessary with their own constitution (and even those are followed within a rather "liberal" framework for the three-letter-agencies: they do have all possible data they can get their hands on, just pinky-promise to not abuse it, if US citizens are impacted, in the eyes of secret courts).


EU does not require a warrant for taking of data from residents [0] by LE. There is little legal protection from LE in Europe, "law enforcement agencies can access the personal data of citizens of any country as long as they are involved in investigating crimes related to the European Union."

[0]: https://law.yale.edu/sites/default/files/area/center/china/d...


Why would the EU change laws about how business is supposed to be conducted in the EU?


Because 10s of millions of Europeans benefit from US services and making it easier for US services to operate benefits their citizens.


> making it easier for US services to operate benefits their citizens.

The reason we have regulations is that the opposite proved to be true.


GDPR (and the national laws it replaced) does not exist in a vacuum, but is an implementation of ECHR art. 8, and CFREU art. 7 and 8. If it is changed, odds are it will become stronger, not weaker. And it is quite foolish to think the CFR will be changed to accommodate companies like Meta.



