The Atlantic has always been the great physical divide between Europe and the Americas, between the Old World and the New World — as it was described 500 years ago, when seafaring adventurers set off from Spain, Portugal and the Netherlands to find riches.
During World War 2 the crossings took on a different tone, as desperately needed supplies from the US were transported in a dangerous voyage, with German U-boats lurking.
In the past two decades, that vital economic flow, now in data, has been reversed. The personal information of hundreds of millions of Europeans has been ending up on the stateside servers of big tech companies.
Two weeks ago Facebook was slapped with a record €1.2 billion fine by Ireland’s Data Protection Commission (DPC) and ordered to stop transferring its European users’ data across the Atlantic.
Chalk one up for the General Data Protection Regulation (GDPR), the EU privacy law designed to thwart the surveillance capitalism of (mostly US) big tech firms.
Apple, Amazon, Google, Facebook, Netflix and Microsoft have been shipping this data across the Atlantic, using a legal protection called Privacy Shield, an agreement between the US and the EU.
But Edward Snowden’s revelations about how the US’s National Security Agency was harvesting this data set off alarms in Brussels and with Europeans in general.
Privacy advocate Max Schrems took the agreement to the European Court of Justice in Luxembourg, Europe’s highest court, where it was overturned in 2020.
“Unless US surveillance laws get fixed, Meta will have to restructure its systems fundamentally,” Schrems said on Monday, referring to Facebook’s parent company. “The fine could have been much higher, given that the maximum fine is more than €4 billion.”
It may be bigger, because the ruling applied only to Facebook, not Instagram and WhatsApp, which are surely in the same position.
The EU has been flexing its data protection muscle with increasing vigour, even though there is much debate about whether the GDPR is being enforced effectively or aggressively enough.
The DPC says Facebook’s legal agreements do not “address the risks to the fundamental rights and freedoms” of Europeans who use its service. It has a five-month deadline to “suspend any future transfer of personal data to the US”. It must also stop processing or storing any EU personal information in the US, which Facebook transferred despite the GDPR.
Meta’s president of global affairs, Nick Clegg, says that “without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on”.
Arguably only big tech sees that as a problem; it is sure to be expensive and eat into its profits. But, as whistle-blower Frances Haugen warned last year, Meta “prioritises growth over safety”.
Meta, valued at $630 billion, is having a tough time as its surveillance capitalism business model unravels. Apple has blocked it from tracking iPhone users, which, as Meta CEO Mark Zuckerberg admitted, cost it $10 billion in lost revenue. Last year its value tanked 70%. After betting big on a 3D virtual “metaverse” called Horizon World, which has cost the company $36 billion since 2019, it’s a dismal failure that has been pilloried by geeks and gamers.
Meanwhile, its toxic environment and poor user experience have led to advertisers fleeing to TikTok. Meta laid off 11,000 staff members last November and another 10,000 in March.
So much for Zuckerberg’s “year of efficiency”.
The GDPR is also proving costly in terms of Facebook’s lax approach to user data — Cambridge Analytica was able to steal the data of 87 million users.
This year Meta was fined €390 million for forcing European users to accept new terms and conditions to allow personalised advertising to be directed to them.
Last November, the EU fined it €265 million over a data breach, and in December it settled a Cambridge Analytica class action suit for $725 million.
The EU accounts for about 10% of global advertising revenue, Meta CFO Susan Li said in April. Total revenue was $117 billion last year.
Meta’s troubles are on both sides of the Atlantic. In April, the US Federal Trade Commission (FTC) reopened its investigation of privacy issues stemming from a 2012 consent decree, for which Facebook paid a $5 billion fine when the FTC “identified several gaps and weaknesses” in how data is handled.
As FTC bureau of consumer protection director Samuel Levine said at the time: “Facebook has repeatedly violated its privacy promises. The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.” It’s hard to disagree.