The Massive Fine The EU Hit Meta With… Is Really About The NSA, Not Meta

from the privacy-or-privacy dept

You may have heard the news that the EU hit Meta with a $1.3 billion fine for violating EU “data privacy rules” and assumed that this was just Meta being Meta and being bad about your privacy. But that’s not really an accurate portrayal of what happened, and it hides how this fine is actually pretty problematic for a lot of reasons that have nothing to do with Meta whatsoever, and a lot to do with the NSA.

Also, it may actually be a total disaster for privacy.

And on top of that, it makes US politicians trying to ban TikTok over fears of China spying on users appear to be total hypocrites.

The Backstory:

Some background is in order. First, almost exactly a decade ago, Ed Snowden first revealed the existence of PRISM, which unfortunately was widely misreported in the original articles about it. The original reports suggested that it was a story of tech companies giving full access to their backend data for the intel community to search. The reality, which came out a few days later, was that it was more of a system for the intel community to request data via a (HIGHLY QUESTIONABLE) legal process, and for the companies to deliver that info. It was still extremely problematic, but not in the ways it was originally reported.

Still, the revelation of the program raised many reasonable concerns, including how these very same companies could be handling “data transfers” of EU user data to US data centers under what was called the data protection “safe harbor” agreement. Part of the safe harbor agreement between the US and the EU was that the US companies would protect the data of EU users, and this didn’t seem to be happening.

Privacy activist Max Schrems sued over this, and a few years later, the EU Court of Justice tossed out the “safe harbor” agreement between the US and the EU, saying that, because of the PRISM revelations and NSA’s snooping, the agreement did not comport with EU data protection laws. Sometime after this, the EU and the US came to a new agreement, which became known as the “privacy shield” to again allow data transfers from the EU to the US. But, as we noted, the problem wasn’t the agreement, the problem was the NSA’s surveillance. And if that didn’t change, we didn’t see how the “privacy shield” was any better than the privacy “safe harbor” agreement.

Once again, Schrems sued. And once again, the court said that the agreement was invalid. Last year, the US and the EU announced yet another deal on transatlantic data flows. And, as we noted at the time (once again!) the lack of any changes to NSA surveillance meant it seemed unlikely to survive yet again.

In the midst of all this, Schrems also went after Meta directly, claiming that, because these US/EU data transfer agreements were bogus, Meta had violated data protection laws in transferring EU user data to US servers.

And that’s what this fine is about. The European Data Protection Board fined Meta all this money based on the fact that it transferred some EU user data to US servers. And, because, in theory, the NSA could then access the data. That’s basically it. The real culprit here is the US being unwilling to curb the NSA’s ability to demand data from US companies.

So, this isn’t about Meta doing anything particularly egregious on its own (I mean, it likely has, but that’s not the crux of this ruling).

The Damage to Privacy

Of course, the end result of all this could actually be hugely problematic for privacy around the globe. That might sound counterintuitive, seeing as here is Meta being dinged for a data protection failure. But, when you realize what the ruling is actually saying, it’s a de facto data localization mandate.

And data localization is the tool most frequently used by authoritarian regimes to force foreign internet companies (i.e., US internet companies) to host user data within their own borders where the authoritarian government can snoop through it freely. Over the years, we’ve seen lots of countries do this, from Russia to Turkey to India to Vietnam.

And, now, because of this ruling, they (and others) can continue to justify the demands for privacy-destroying data localization by pointing to the EU decision.

There are different privacy interests at play here. And while some will cheer this on simply because it dings Meta/Facebook, the reality is that for much of the world, getting their user data out of their local country and onto Meta’s US servers actually is much more protective of their privacy.

Of course, there’s a simple way to solve much of this: the US could cut back on NSA surveillance. What a concept.

The Hypocrisy Issue

It’s kind of amazing that all this is playing out against the backdrop of bipartisan efforts all around the US to “ban TikTok,” claiming that there’s a (still unproven) direct link enabling the Chinese government to access TikTok data. Never mind that the US has already pressured TikTok into localizing US user data in the US under “Project Texas” (which, as we’ve already described, might also undermine US national security).

So, just as we’re forcing TikTok to locate US user data in the US and freaking out that the Chinese government might access TikTok US user data… the EU is slapping Meta with a large fine and effectively forcing it to locate EU data in the EU and freaking out that the US government might access Meta EU user data.

Basically, we’re doing exactly what we’re freaking out and claiming China is doing. Maybe we should stop?

And, of course, there are some simple ways to fix this: seriously cut back the NSA’s access to data from US companies without a valid reason. The fishing expeditions need to stop. They were an affront to the 4th Amendment all along and now they’re having a large, negative impact on US internet companies.

And then, pass a real federal privacy law that is focused on actual privacy violations, not some nonsense that simply empowers the biggest companies (i.e., Meta) to gain more control over the market, and ends up with something silly and useless like more cookie popups.

But, instead, the US will go on freaking out about TikTok, pushing garbage, broken, fake “privacy” fixes (often on a state by state basis where those laws will conflict with one another), and refusing to admit that maybe the powers we gave the NSA are the problem?

Companies: meta


Comments on “The Massive Fine The EU Hit Meta With… Is Really About The NSA, Not Meta”

14 Comments


Koby (profile) says:

Protect Your Interest

Of course, there’s a simple way to solve much of this: the US could cut back on NSA surveillance. What a concept.

Or MAYBE Facebook could set up some servers in the EU and not transfer the data at all. Then it wouldn’t matter what the NSA wanted, or how bad US-EU negotiators muck up the next privacy agreement.

Basically, we’re doing exactly what we’re freaking out and claiming China is doing. Maybe we should stop?

Data localization can be used for both good and bad. I agree that the CIA should stop. But they can’t be trusted, so the EU requirements are legit. The same thing goes for the ChiComs; they aren’t trustworthy, so U.S. localization requirements are also legit.


Valis (profile) says:

Interesting, the Western-centric viewpoint

The West seems to think it has a god-given right to the data of every human being on the planet, whether living in their countries or not. This is where white-supremacist ideology gets you, the belief that white Western men are in charge and the rest of us just have to bow down to them!

We here in Africa differ with that interpretation 😛


Matthew M Bennett says:

It's proven.

claiming that there’s a (still unproven) direct link enabling the Chinese government to access TikTok data.

This has been testified to by numerous engineers. It’s also just….y’know, obvious, if you have any knowledge of how the CCP operates.

It’s proven. Just like the evidence of FBI and CDC suppression of dissent, you don’t get to pretend the abundant evidence doesn’t exist just cuz you like it.

But I am amused by your willingness to be suspicious of fed agencies clearly working against citizen interests….unless they’re helping carry out the ideological censorship you happen to agree with.

Perf, just perf.

Drew Wilson (user link) says:

“the reality is that for much of the world, getting their user data out of their local country and onto Meta’s US servers actually is much more protective of their privacy.”

  1. Meta is a champion of the toxic adtech surveillance capitalism we know today.
  2. The US is a pioneer in warrantless wiretapping and has built a bad reputation for being bad at protecting privacy for numerous, perfectly valid reasons.
  3. The US only has a patchwork system of laws protecting privacy. Enforcement may or may not happen given how hobbled together enforcement is in the US.
  4. I don’t see how having your personal data appear on servers in more countries is better than having it located in fewer.
  5. While I agree that, for some countries, your personal data is better off housed on US servers, this is the EU – the land of the GDPR – we are talking about, not Russia, China, Iran, or Taiwan. The rest of the developed world, 5 years on, is still playing catch up to the privacy standards the EU has set.

There’s a lot of areas we agree on, but I think we’ll have to agree to disagree on this particular area.

Dogbert says:

Re: Unfair to fine Meta because of NSA?

It’s sort of true that it’s not fair to Meta. On the other hand, Meta could locate all their storage somewhere safer, like Switzerland (which does have pretty strong data protection). It’s just that when everyone starts to complain that US biz is going overseas, it’s important to make sure they know NSA/Congress is to blame.
