from the privacy-or-privacy dept
You may have heard the news that the EU hit Meta with a $1.3 billion fine for violating EU “data privacy rules” and assumed that this was just Meta being Meta and being bad about your privacy. But that’s not really an accurate portrayal of what happened, and it hides how this fine is actually pretty problematic for a lot of reasons that have nothing to do with Meta whatsoever, and a lot to do with the NSA.
Also, it may actually be a total disaster for privacy.
And on top of that, it makes US politicians trying to ban TikTok over fears of China spying on users appear to be total hypocrites.
Some background is in order. First, almost exactly a decade ago, Ed Snowden first revealed the existence of PRISM, which unfortunately was widely misreported in the original articles about it. The original reports suggested that it was a story of tech companies giving full access to their backend data for the intel community to search. The reality, which came out a few days later, was that it was more of a system for the intel community to request data via a (HIGHLY QUESTIONABLE) legal process, and for the companies to deliver that info. It was still extremely problematic, but not in the ways it was originally reported.
Still, the revelation of the program raised many reasonable concerns, including how it was that these very same companies who had been handling “data transfers” of EU user data to US data centers under what was called the data protection “safe harbor” agreement were doing so. Part of the safe harbor agreement between the US and the EU was that the US companies would protect the data of EU users, and this didn’t seem to be happening.
Privacy activist Max Schrems sued over this, and a few years later, the EU Court of Justice tossed out the “safe harbor” agreement between the US and the EU, saying that because of the PRISM revelations and NSA’s snooping, that the agreement did not comport with EU data protection laws. Sometime after this, the EU and the US came to a new agreement, which became known as the “privacy shield” to again allow data transfers from the EU to the US. But, as we noted, the problem wasn’t the agreement, the problem was the NSA’s surveillance. And if that didn’t change, we didn’t see how the “privacy shield” was any better than the privacy “safe harbor” agreement.
Once again, Schrems sued. And once again, the court said that the agreement was invalid. Last year, the US and the EU announced yet another deal on transatlantic data flows. And, as we noted at the time (once again!) the lack of any changes to NSA surveillance meant it seemed unlikely to survive yet again.
In the midst of all this, Schrems also went after Meta directly, claiming that because these US/EU data transfer agreements were bogus, that Meta had violated data protection laws in transferring EU user data to US servers.
And that’s what this fine is about. The European Data Protection Board fined Meta all this money based on the fact that it transferred some EU user data to US servers. And, because, in theory, the NSA could then access the data. That’s basically it. The real culprit here is the US being unwilling to curb the NSA’s ability to demand data from US companies.
So, this isn’t about Meta doing anything particularly egregious on its own (I mean, it likely has, but that’s not the crux of this ruling).
The Damage to Privacy
Of course, the end result of all this could actually be hugely problematic for privacy around the globe. That might sound counterintuitive, seeing as here is Meta being dinged for a data protection failure. But, when you realize what the ruling is actually saying, it’s a de facto data localization mandate.
And data localization is the tool most frequently used by authoritarian regimes to force foreign internet companies (i.e., US internet companies) to host user data within their own borders where the authoritarian government can snoop through it freely. Over the years, we’ve seen lots of countries do this, from Russia to Turkey to India to Vietnam.
And, now, because of this ruling, they (and others) can continue to justify the demands for privacy-destroying data localization by pointing to the EU decision.
There are different privacy interests at play here. And while some will cheer this on simply because it dings Meta/Facebook, the reality is that for much of the world, getting their user data out of their local country and onto Meta’s US servers actually is much more protective of their privacy.
Of course, there’s a simple way to solve much of this: the US could cut back on NSA surveillance. What a concept.
The Hypocrisy Issue
It’s kind of amazing that all this is playing out against the backdrop of bipartisan efforts all around the US to “ban TikTok,” claiming that there’s a (still unproven) direct link enabling the Chinese government to access TikTok data. Nevermind that the US has already pressured TikTok into localizing US user data in the US under “Project Texas” (which, as we’ve already described, might also undermine US national security).
So, just as we’re forcing TikTok to locate US user data in the US and freaking out that the Chinese government might access TikTok US user data… the EU is slapping Meta with a large fine and effectively forcing it to locate EU data in the EU and freaking out that the US government might access Meta EU user data.
Basically, we’re doing exactly what we’re freaking out and claiming China is doing. Maybe we should stop?
And, of course, there are some simple ways to fix this: seriously cut back the NSA’s access to data from US companies without a valid reason. The fishing expeditions need to stop. They were an affront to the 4th Amendment all along and now they’re having a large, negative impact on US internet companies.
And then, pass a real federal privacy law that is focused on actual privacy violations, not some nonsense that simply empowers the biggest companies (i.e., Meta) to gain more control over the market, and ends up with something silly and useless like more cookie popups.
But, instead, the US will go on freaking out about TikTok, pushing garbage, broken, fake “privacy” fixes (often on a state by state business where those laws will conflict with one another), and refusing to admit that maybe the powers we gave the NSA are the problem?