Facebook’s unlucky strike with the Irish illuminates US data security shortcomings

September 26, 2020

We all know that social media platforms like Facebook gather data (and metadata) about us while we absent-mindedly scroll-click-scroll, but do we really know how much data those companies collect and the significance of that stockpile? A quick look at Facebook’s data policy will show you that Facebook collects virtually everything about you, from the data you physically input into the system, to the type of device you’re using to browse and that device’s battery level. Facebook says that it uses this data for various purposes, including “innovat[ing] for the social good,” but it also makes a whopping 98% of its quarterly revenue ($18.3 billion) from using personal data to sell targeted advertising space to various marketing firms eager for its scoop on consumers.

Unlike Europe, the US lacks a uniform federal law regulating how companies collect and use personal data, and instead leaves it to the individual fifty states to parse out personal data protection. The European Union (EU), on the other hand, is much more protective of Europeans’ data, boasting the General Data Protection Regulation (GDPR) as the “toughest privacy and security law in the world.” This law came into effect in 2018 and applies to any person or company (even outside of Europe) that collects or processes the personal data of people in the EU, regardless of their citizenship. The GDPR enforces a number of privacy protections, including the “right to be forgotten,” and allows regulators to fine noncompliant companies up to €20 million or 4% of their global annual revenue, whichever is higher.

Prior to this summer, companies in the US, including Facebook, could lawfully move Europeans’ personal data across the Atlantic under the Privacy Shield, a framework in which US companies self-certified to a set of privacy principles and the European Commission, in turn, deemed transfers to those companies “adequate” with respect to the strict European standard. However, this summer the EU’s top court struck down the Privacy Shield in its Schrems II ruling, finding that US surveillance law (the court pointed to Section 702 of FISA and Executive Order 12333) gave US intelligence agencies access to transferred data without limits or remedies that Europeans could enforce. The ruling left companies like Facebook, Apple, Google, and Amazon with only fallback tools such as the EU’s standard contractual clauses, and those work only if the exporter can show the data will actually be protected to an equivalent standard once it lands in the US, a hard case to make when the same surveillance laws apply. Now, a recent Irish preliminary order wedges an even deeper digital divide between the US and Europe, during a pandemic where really the only contact between Europe and the US is digital.

The preliminary order recently issued by Ireland’s Data Protection Commission, Facebook’s lead privacy and digital watchdog in the EU, concludes that Facebook cannot rely on standard contractual clauses either, and calls for stopping Facebook’s data transfers from its European users to the US. This order would likely require Facebook to stop serving the European market altogether unless it can adapt its platform to conform to EU privacy standards, for instance by keeping European users’ data in Europe. If Facebook fails to comply, it could face up to $2.8 billion in fines, corresponding to 4% of its annual revenue. Facebook sought judicial review in the Irish High Court a few days after the order issued, obtaining a temporary stay and challenging the agency’s procedure in determining data security risks.

If Facebook’s appeal in stopping the order is unsuccessful, it could be the first of many orders blocking data transfers between the US and Europe, jeopardizing billions of dollars in data-related trade. While the sheer size of the disruption to the economy that a block of transatlantic data flow would cause is terrifying, it is worth remembering that the economic trade-offs go both ways, and it raises the question of why the EU treats privacy as a fundamental right that outweighs corporate gains, while current US policymakers do not.

While it could be easy to lament the enormous cost of potential measures necessary to comply with the GDPR, this recent EU order against Facebook provides an opportunity to reflect on whether US lawmakers should take a tougher stance on Big Tech and data privacy. This year has already featured some of the biggest data leaks to date, including the infamous Twitter breach. Data concerns are especially salient with the upcoming presidential election, wherein Russian hackers have already allegedly targeted more than 200 organizations to tamper with the democratic process. If the EU is willing to risk billions of dollars in trade with the US because US law gives Europeans no enforceable protection for their data once it crosses the Atlantic, we should probably be advocating for stronger data protection in the US akin to the GDPR. The GDPR grants individuals the right to know who is using their data, to stop third parties from disseminating their data, and to be swiftly notified of data breaches, among other rights. California has already passed a more rigorous privacy act, and it is time for other states (or the federal government) to follow suit: our economy, our nation’s security, and our own personhood depend on it.

September 26, 2020 | Alexandra Farquhar