Press play to listen to this article
Voiced by artificial intelligence.
Five years and almost €4 billion worth of fines stemming from tougher privacy enforcement and the European Union is still asking if it’s doing enough to protect personal data.
Social media giant Meta was the latest to face a big penalty Monday when Ireland’s privacy watchdog fined it a record €1.2 billion euros for privacy violations under the European Union’s General Data Protection Regulation (GDPR).
The blockbuster levy hits at the heart of the technology sector’s ability to transfer data across the Atlantic and orders the company to stop moving Europeans’ data to the United States until Washington provides sufficient checks to keep such personal information safe.
For GDPR’s supporters, the fine from Ireland’s Data Protection Commission (DPC) serves as a vindication that the EU’s most feared tech law has bite, not just bark.
The law, which came into force on May 25, 2018, has prompted businesses — from Big Tech giants to hotel chains, cellphone companies and mom-and-pop businesses — to tighten privacy policies. Many have cleaned house on how they handled people’s personal data, aided by the prospect of being fined up to 4 percent of annual turnover.
“I think the DPC really has hit its stride now,” said Helen Dixon, the Irish Data Protection Commissioner, whose agency oversees many of Silicon Valley’s biggest names because these firms are headquartered in Ireland.
Yet the decision also lays bare what almost everyone now admits: Europe’s efforts to set the West’s de facto privacy standard have major shortcomings, with watchdogs continuously fighting over who has the final say over how Meta, Google, TikTok and other tech firms access Europeans’ data. In a statement following the decision, the Irish regulator said it disagreed with the fine and measure but it had been forced by its European peers to impose them after Dublin’s initial decision was challenged by four other privacy regulators.
Enforcement hinges on regulators’ ability to impose such fines. And that’s where the privacy regime has sputtered.
Under Europe’s privacy regime, companies are supervised by national regulators where they have their EU legal headquarters. That means Ireland and Luxembourg — whose low tax rates have attracted many Big Tech firms’ European headquarters — hold the lion’s share of enforcement powers. Ireland, in particular, relies heavily on corporate tax revenue from a small number of tech giants.
“The GDPR gave the authorities these vast powers for very serious enforcement but then in practice, we do not see that the powers are actually used by the authorities,” said Max Schrems, the Austrian privacy activist whose decade-old case against Facebook led to Monday’s record privacy fine.
If other European privacy watchdogs disagree with how these agencies enforce GDPR, there is a complex and opaque mechanism to reach a European consensus. After five years of infighting, some of the EU’s privacy authorities are now at open war with each other.
In internal discussions published Monday, other European enforcers rebuked Dublin for failing to go hard enough against Meta’s privacy violations, forcing Ireland to impose a fine. French, German, Spanish and Austrian agencies also called out their Irish counterparts for not demanding that the social networking giant delete all Europeans’ data shipped to the U.S. via so-called standard contractual clauses.
Ireland, Big Tech island
The Irish decision relates to 2013 revelations from Edward Snowden, the U.S. National Security Agency contractor, that American spooks were unlawfully accessing people’s personal information via the country’s tech giants. Schrems filed claims against Facebook for infringing his privacy rights, setting off a decade-long legal challenge.
On Monday, Dublin officially ruled that Meta could no longer use so-called standard contractual clauses, or complex legal instruments that allow companies to move EU data to the U.S. until Washington improves legal checks to protect Europeans’ data. The social media giant is appealing that ruling and has until October to comply with the order. Brussels and Washington are in final negotiations over a new, separate transatlantic data pact that will provide an alternative legal structure for such EU-U.S. transfers to continue.
Dublin’s hefty fines against the tech giant only came after other EU regulators forced the Irish to impose a massive levy because these agencies believed the Irish had not gone far enough to hold Meta to account. Ireland believed its proposed remedies — stopping Meta from using standard contractual clauses to ship EU data to the U.S. — was sufficient.
The decision against Meta masks a decade-long struggle that predates GDPR and has split the bloc’s privacy regime.
Earlier this year, the Irish privacy watchdog took the the European Data Protection Board (EDPB) — the pan-EU body of privacy regulators that coordinate privacy decisions — to Europe’s highest court over accusations it overstepped its remit by compelling Dublin to further investigate cases on WhatsApp, Facebook and Instagram.
“It’s all about whether Ireland’s data protection authority is taking into national economic interests, and therefore are not sufficiently stringent in enforcing the rules,” said Patrick van Eecke, co-chair of the global cybersecurity, data protection and privacy practice at Cooley, a law firm.
Rewriting the rules
Faced with mounting frustration that the GDPR has failed to rein in the worst data protection abuses from Big Tech companies, the European Commission is preparing a new law for this summer to improve cooperation in cross-border rows over enforcement.
Privacy campaigners hope the reforms could strengthen the GDPR and reduce years of waiting for action on complaints. Yet the most ardent critics say it still won’t change a model in which some countries like Ireland and, to a lesser extent, Luxembourg, oversee the bulk of Big Tech companies.
Industry watchers also argue that Europe’s privacy regime has become a mere tick-in-the-box exercise that has not boosted privacy protection as a focus on arcane legal procedure took over.
Deciding which agency would have the final say on enforcement decisions was one of the trickiest issues during the negotiations around Europe’s new privacy regime, a political tussle that led to a fudge in which national regulators would have the final world, but with binding input from others.
“The issue is if the system has sort of like a built-in limit, it’s like if you want to run in a race in a Subaru, and you need to have the speed of a Ferrari, you can push the pedal to the floor and tune the car to run as fast as possible, but there’s going to be a limit beyond which it can go,” said Christopher Kuner, co-director of the Brussels Privacy Hub at the Vrije Universiteit Brussel.
But after five years chairing Europe’s network of regulators, Austria’s privacy chief Andrea Jelinek, who is stepping down as head of the pan-EU body of privacy agencies that oversaw the disputes, brushed aside such criticism.
“If you’re an activist, it’s quite clear, it can never be enough,” she told POLITICO. “If you’re a regulator like we are, we have our duties, we have the law, and we are here to defend the fundamental rights of the citizens.”
