Europe has won a reputation for being the world’s leading watchdog on data protection, enacting robust privacy laws earlier than anywhere else and going after Big Tech. The reality is more mundane, and often looks like an endless game of Ping-Pong. Companies appeal, cases get tangled up in court, and privacy practices occasionally improve.
Expect much of the same in about a week’s time. Meta Platforms is expected to be hit with another data-protection order on May 22, according to E.U. officials, over how it transfers European data to the U.S. It will be painful, but not excruciatingly so. There will be a fine, likely in the hundreds of millions of dollars based on previous sanctions, and Meta will be told that it can no longer send European user data to be processed on U.S. servers.
The European Data Protection Board, which decides on such sanctions, contemplated an even more serious punishment: forcing Meta to delete all of the European data it has held in the U.S. for the past decade. Ten year’s worth of data. Bear in mind that personal data is critical to Meta’s targeted advertising business, and that it has admitted in court filings to being unable to identify all of the different user information it has in its disparate databases. This would have been a kick in the teeth for the company, and difficult to comply with. (Facial recognition firm Clearview AI was similarly ordered to delete millions of photos of French residents in 2021.)
But Meta can probably breathe a sigh of relief. It looks unlikely to get a deletion order next week, according to a person with knowledge of the matter who spoke on the condition of anonymity to discuss the deliberations.
Meta will also probably be able to carry on with the global cross-pollinating it does with people’s data. It will almost certainly appeal the forward-looking ban on bringing more European data to the U.S., delaying its impact by several months and possibly years, by which time the E.U. and the U.S. may well have reached a new legal agreement governing data transfer.
(Meta and other large technology firms currently use something called a standard contractual clause to transfer Europe user data to the U.S., a kind of loophole after the E.U. ruled in 2020 that American firms shouldn’t bring European data to the States because of the intrusiveness of U.S. data surveillance law.)
A spokesman for Meta declined to comment. The company has previously said that it welcomes “the progress that policymakers have made towards ensuring the continued transfer of data across borders.”
The worst part of the sanctions could well be the fine, which comes at a trying time for the company financially. Facebook is cutting thousands of jobs and Mark Zuckerberg has dubbed 2023 the company’s year of efficiency.
But the lack of a deletion order is also disappointing for anyone who thinks Big Tech’s data surveillance business has gotten out of control, and given that Meta has managed to spend more than a decade profiting from a free-for-all on people’s personal information with relative impunity.
“Fines are great, but when Google and others are found to have no legal right to use our data, they still have our data,” says Estelle Masse, global data protection lead for Access Now, a civil liberties group.
Ordering tech firms to delete large swaths of data seems drastic, but Europe’s enforcement of its General Data Protection Regulation regime has been relatively weak so far. In the never-ending Ping-Pong game between E.U. regulators and Big Tech, that would have delivered a rare smash.