Meta’s handling of personal data has been questionable

Meta, Facebook’s parent company, has just been hit with

an eye-watering €1.2 billion (S$1.74 billion)

fine

for breaches of the European Union’s General Data Protection Regulations (GDPR). Unfortunately for Meta and its shareholders, earlier penalties mean it now faces a total fine of close to €2.5 billion.

Meta is often used as an example of how not to do privacy, but this is not a simple case of organisational greed or disregard for legislation. As is the case with most events of this nature, there is a lot more going on.

The GDPR legislation, introduced in 2018, governs how data relating to citizens of the European Economic Area or EEA (which comprises European Union countries, as well as Iceland, Liechtenstein and Norway) can be used, stored and processed. In many cases, this means undertaking all data-related activities within the EEA.

Exceptions are allowed, provided the protections for individuals’ privacy are aligned with those under the GDPR. This is referred to as an “adequacy decision”.

This sounds relatively simple; if you are a German citizen, then your data should not be exported outside the EU. But organisations such as Meta operate on a global scale. Considering that users’ nationality and residential status are often changing, managing their data can be challenging.

In 2016, the EU-US Privacy Shield legal framework was introduced, enabling large organisations such as Meta to continue to process data for EU citizens in the United States. This framework replaced the previous International Safe Harbour Privacy Principles, which were invalidated in 2015 after a complaint by Austrian privacy campaigner Max Schrems.

However, in 2020 the EU-US Privacy Shield also became invalidated following a determination by the Court of Justice of the European Union (CJEU). The court essentially ruled that the US did not offer personal data protections that were comparable to those offered under the GDPR.

One significant issue was that US surveillance laws allowed for the potential interception of, or access to, data relating to EEA citizens, in particular, the Foreign Intelligence Surveillance Act and Executive Order 12333. Some concerns related to disclosures made by Edward Snowden in 2013. Those leaks identified a secretive US programme code-named Prism, which allowed the US National Security Agency to collect data across a range of popular consumer platforms.

Although the CJEU determination was delivered in 2020, it took until 2023 for the outcome to be announced due to legal challenges and conflicting viewpoints on the penalties.

The outcome led the Irish Data Protection Commission, the entity which regulates Meta across the EU, to impose the fine. The commission initially did not intend to impose the penalty, but was overruled by the European Data Protection Board, which acted on objections raised by yet another body – the EU/EEA Concerned Supervisory Authorities.

Apart from the €1.2 billion fine, it was determined Meta should stop transferring any personal EEA citizen data to the US within five months, and ensure EU/EEA user data stored within the US is compliant with the GDPR within six months.

What happens now?

While the reports may seem dramatic, it is possible nothing will really happen (at least for a while) as Meta has lodged an appeal against the decision. Meta highlighted that even the Irish Data Protection Commission acknowledged the company was acting in good faith.

Once the appeal is under way, Meta and the EU may face court hearings lasting months. By the time a decision is made, a newly proposed EU-US Data Protection Framework could be in place (although a recent vote by members of the European Parliament may further delay things).

In a worst-case scenario for Meta, the tech giant could be forced to not only pay the fine, but also address the large volume of EEA user data held on US servers, and establish a fully EU-based infrastructure to deliver Facebook functionality. This is a mammoth task, even for an organisation of Meta’s size.

It might prove impossible to extract years of data from Meta’s global network of servers and distribute it to appropriate regional locations. Imagine a Spanish citizen who currently lives in the US, for whom 10 years of data was collected while he was in Germany, and who also spent time in the United Kingdom before and after Brexit!

If Meta does have to move data to different servers around the world, this may impact its ability to use the data to profile users. This could decrease its advertising effectiveness and the relevancy of users’ Facebook feeds.

As for simply pulling Facebook services from the EEA, it is unlikely Meta will do this, as this would entail walking away from the billions of dollars of advertising revenue it receives from European users. As Mr Markus Reinisch, Meta’s vice-president for public policy in Europe, has stated: “Meta is not wanting or ‘threatening’ to leave Europe.”

Why does it matter where data is kept?

The reality is, most of us have neither awareness nor interest in where our personal data is stored for the services we use. Yet, where a company chooses to store our data can end up having a major impact on how the data is accessed and used.

Meta has chosen to store large volumes of data in the US (and elsewhere) for commercial reasons. This choice could be based on cost, convenience, technical requirements, or countless other reasons.

Some organisations deliberately distribute data in regional data centres that are geographically closer to their customers. This can help reduce the time it takes for customers to access their services.

For others, hosting data in a specific country can be a good selling point. For example, offering a guarantee of data sovereignty will appeal to those wanting to keep their data out of sight of foreign governments (or perhaps away from their own).

The EU has taken responsibility for ensuring the safe and secure processing of personal data belonging to citizens of the EEA. In Meta’s case we have yet to see how, or if, this will ultimately be done. While the company’s focus on privacy has improved in recent years, perhaps its next few steps will reveal how far this commitment goes.