€1.2B GDPR fine for Meta
noyb.eu
dupe kinda https://news.ycombinator.com/item?id=36028845
OTOH it's behind a stupid paywall
> “It took us ten years of litigation against the Irish DPC to get to this result. We had to bring three procedures against the DPC and risked millions of procedural costs. The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland - the EU Member State that did everything to ensure that this fine is not issued."
Kinda crazy how Irish regulators did everything in their power to avoid this outcome. But I guess that's why Meta and other big players are situated in Ireland, they rely on them not enforcing stuff and some meager taxes.
How often do you see a state-employee doing "everything in their power"? Did they have any special incentives?
Doing everything in their power here is to do nothing, so that's quite easy. My guess is push from above to be as lax as possible, so that companies choose to stay in Ireland vs other EU countries. Or the funding to the data protection agency is intentionally nerfed to keep them from being able to actually do anything.
Wait. 10 years?
So $120m/year fine?
That’s a rounding error
The decision goes further than a fine, though. It orders Meta to stop transferring personal data of people in the EU to the US.
How is this actually supposed to work in practice, other than sharding EU and non-EU customers and having them unable to communicate across the shards?
Meta’s chock full of very smart, highly paid people. I’m sure they’ll figure something out.
Why unable to communicate? Is there any reason why the relevant non-EU customer data cannot be stored within the EU as well?
If someone in the US visits a profile page of someone in the EU, that necessitates a transfer of data outside of the EU.
Perhaps that's an extreme and pedantic example though.
Confidential Cloud computing is the answer and hyperscalers work on that. You literally put your data in a black box.
Note that in the last 5 years (since GDPR came in), Facebook has also been fined €405m, €390m, €265m and €225m on other occasions: https://www.politico.eu/article/eu-hits-meta-with-record-e1-...
Facebook has made approximately 20 billion in profit yearly for the last 5 years. They don't break down profit by country, but the EU represents a small portion of users. About 10% overall. Speculating that overall profits are 2 billion from the EU means that the fine represents about 5% of profits.
Not that bad
The team at noyb is consistently amazing. Makes me really happy that I'm a card-carrying member. (Yes, supporters get a plastic member card. It has no function afaict, but it's the one useless thing I carry in my wallet at all times, just so I can call myself a card-carrying member. It's the only such card I carry, for anything.)
> These hopes may however be shattered soon. It is not unlikely that the new deal will be invalidated by the CJEU - just like the two previous EU-US data deals (“Privacy Shield” and “Safe Harbor”). Such invalidations have retroactive effect.
If I understood correctly, if they keep transferring data to the US before the CJEU considers that the new deal does satisfy regulations, they may just be setting themselves up for another record fine.
I'm fine with this.
The locality where data rests on disk shouldn't matter for the legal process of getting access to it, and the US law takes this position. Otherwise we're going to have rampant protectionism under the guise of data protection which is part of the EU regulatory apparatus.
Lack of data protection is becoming a competitive disadvantage for US companies, costing the US tax money.
Is Meta a government entity now? Last time I checked, it was a public for-profit company, the money they pay the fine with is money they extracted from other companies, not from the government itself.
Last I checked the US government taxed US corporations based on profits. One would assume that if US corporations are making less profit due to fines, then they’re also paying less taxes to the U.S. government.
Break the law to potentially get oversized profits, pay no tax if you are caught breaking the law. That's a perfect business plan.
Generally I don't think you count profits that never happened as "cost to the taxpayer".
What if Facebook spend 2B USD on a product that was supposed to be wildly successful, but it failed big time, does that count as "costing the US tax money" as they never made the profit they could have made?
The point you're missing here is that it's US regulations ("we can look at your customers' data at any time and you can't even notify them") that makes it so that US companies are losing lots of money and customers from the EU. So it's not a company making a wrong bet or so. It's companies being directly hampered by their connection to the US.
> It's companies being directly hampered by their connection to the US.
No, the companies are being hampered by not following local (EU) regulation, so they get fined because of it. Has nothing to do with where the company is from, it might as well have been Indian, Chinese or from South Africa, it has to follow the regulation in the places it does business.
I believe the point is that if the US government had policies to never use such data for anything (e.g. criminal investigations, intelligence agencies perhaps), then the EU would not be worried about the data being in the US. The US government’s behavior is why they are worried about it.
That income is never repatriated and just sits in offshore accounts to avoid paying US taxes.
>One would assume that if US corporations are making less profit due to fines, then they’re also paying less taxes to the U.S. government.
I'm not familiar with U.S. tax law but in the UK fines are not tax deductible. Not sure whether it matters that the fine was imposed by a foreign country.
It doesn’t really matter if the fine is tax deductible. Less profits means less tax. The U.S. doesn’t tax based on revenue.
If fines don't count as an ordinary and necessary business expense then taxable income will be higher and you pay more tax.
For something to be tax deductible means that it reduces taxable income. Essentially it works like this:
Revenue - tax deductible business expenses = taxable income.
Politically, stopping data transfers to the US is not viable, because it would impact the deal between the EU and the USA (US covers EU defence for access to the EU common market).
For this reason, I don't think we'll ever see a Chinese-style expulsion of US tech companies from the EU.
Therefore, we've seen over a decade of a dance between the judiciary banning data transfers to the US (Safe Harbor ruling, etc) and then politicians overturning these rulings before it actually impacts anything.
> US covers EU defence for access to the EU common market
Care to point me in the direction of more information about this?
As far as I can infer I think they might be referring to NATO?
What are you talking about? GDPR is pretty clear.
I mean, I would agree. The EU courts have ruled pretty much every cross-border data sharing agreement with the US as illegal (e.g. Safe Harbour ruling eight years ago). The EU Commission considered that data transfers to US were not compliant back in 2000, which led to the Safe Harbour in the first place.
Despite all of this, we haven't seen any creation of an EU internet, and even in this latest ruling, they've suspended the ruling until they hope the new system comes into place that will allow cross-border data transfers to the US.
The point being that politically, there is no desire in the EU to cut themselves off from the US internet as you see in China, Russia, etc.
The decision PDF is lengthy but boils down to the following two instructions on page 73:
> 273. In light of the above, the EDPB instructs the IE SA to impose an administrative fine on Meta IE for the infringement of Article 46(1) GDPR that is in line with the principles of effectiveness, proportionality and dissuasiveness under Article 83(1).
> 279. In light of the above, the EDPB instructs the IE SA to include in its final decision an order for Meta IE to bring processing operations into compliance with Chapter V GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within 6 months following the date of notification of the IE SA’s final decision to Meta IE.
I understand the financial incentive for Ireland to be an attractive host country for tech companies, but as the article points out, this took on truly ridiculous dimensions. Even more so after May 2018, when the GDPR was published, which -- by recognizing the protection of PII as a fundamental right -- dealt a massive blow to the "productize your customer" business model.
> Ten years, three court proceedings and millions in legal costs. The Irish DPC’s role in this procedure is exceptional, as it has consistently tried to block the case from going ahead. In 2013 it rejected the original complaint as “frivolous” – requiring Mr Schrems to go all the way to the CJEU. The DPC then took the view that it cannot take action, given that Meta made use of so-called “Standard Contractual Clauses”, which was again rejected by the CJEU, who told the DPC that it must take action. Finally, the DPC tried to shield Meta from a fine and the deletion of data that is already transferred, just to be overturned by the EDPB. Overall these procedures led to costs of more than 10 million Euro - the fine, however, will go to the Irish state.
It is also a big blow to the DPC. There are also many other questionable DPAs and national legislators, some of which are already under infringement proceedings.
This is big news:
"Furthermore, the EU's Collective Redress Directive must also be implemented this summer, which will for the first time allow collective actions by European users for GDPR violations."
Should be much higher. Time for some more fines for others of Big-Tech/GAFAM spyware corporations.
I always thought this would be a cool thing to do if I ran Evil Corp...
A = <totally random bits>
B = <personal data> XOR A
Store A in USA
Store B in EU
The data is not stored in EU, and it's not stored in USA either. It's not stored elsewhere. But Evil Corp still has it!
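The XOR split above, written out as a small Python example added here (it is not code from the commenter or from any real Evil Corp system, and the record it splits is a constructed sample, not real personal data). It shows both halves of the argument in the thread: share A is a random pad and share B is data XOR A, so neither half alone reconstructs the record, but whoever holds both halves (the controller) has the plaintext back with one XOR, which is exactly the "data in the EU, key in the USA" situation the replies describe. The `controller_view` function and the `random_bytes` parameter (used only to make the split deterministic for illustration) are assumptions of this example.

```python
import os
from typing import Dict, Optional, Tuple

# Constructed sample record for the demonstration; not real personal data.
SAMPLE_RECORD = b"user=alice@example.org;dob=1990-01-01"


def split_xor(data: bytes, random_bytes: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-time-pad style split: A is uniformly random, B = data XOR A.

    `random_bytes` exists only so a caller can pin the pad for a
    deterministic illustration; in practice A must come from os.urandom.
    """
    a = os.urandom(len(data)) if random_bytes is None else random_bytes
    if len(a) != len(data):
        raise ValueError("share A must be exactly as long as the data")
    b = bytes(x ^ y for x, y in zip(data, a))
    return a, b


def recombine_xor(a: bytes, b: bytes) -> bytes:
    """XOR the two shares back together; this is the only step a holder of both needs."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def controller_view(shares: Dict[str, bytes]) -> Optional[bytes]:
    """Model the thread's point: any party holding both shares holds the record.

    Returns the plaintext when both the "us" and "eu" shares are present,
    otherwise None (a single share is indistinguishable from random bytes).
    """
    if "us" in shares and "eu" in shares:
        return recombine_xor(shares["us"], shares["eu"])
    return None


if __name__ == "__main__":
    share_us, share_eu = split_xor(SAMPLE_RECORD)
    print("share A (US):", share_us.hex())
    print("share B (EU):", share_eu.hex())
    print("EU share alone:", controller_view({"eu": share_eu}))
    print("both shares:  ", controller_view({"us": share_us, "eu": share_eu}))
```

Running it prints two hex strings that look like noise, `None` for the party holding only one share, and the original record for the party holding both. Note that the scheme's secrecy depends entirely on A being fresh, uniform randomness of the same length as the data; with a reused or predictable pad, B leaks the record, which is why the `random_bytes` hook is for illustration only.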
Why do you think encrypted personal data ceases to be personal data?
Encrypted PII are still PII, so this scheme would count as "data stored in the EU and key stored in the USA".
"The current conflict between EU privacy laws and US surveillance laws are also a problem for all other large US cloud providers, such as Microsoft, Google or Amazon"
Globalised tech companies caught in the middle here, hard to see how they can continue to service global markets without a huge per-country localisation effort. Ones that could do it will increase cost (passed onto users of course), those that cannot withdraw from the market, furthering the fragmentation of the global internet. May not be a bad thing overall, especially for local players and for national sovereignty evangelists
I don't see how they can continue the service, even with a huge localisation effort. The capital sin is to be a US company. That subjects them to US law, including the CLOUD Act, which the EU considers to be incompatible with privacy guarantees.
Even if cloud providers use local datacenters they are still in "violation". If the US makes a data request using the CLOUD Act, they will have to comply, no matter where these servers are sitting.
Ironically, the EU intelligence services are happy to take the anti-terrorist information that the US is extracting with the CLOUD Act and sharing with them.
To my understanding, the CLOUD Act is nothing like FISA already because it is about criminal law. Besides, the EU also recently enacted its own quite similar "e-evidence" law, and similar laws are pushed globally through the Budapest Convention. The biggest problem here probably is that the mutual legal assistance system is being replaced internationally by much more opaque practices. (And as for cyber crime, some major "players" are not participating.)
The intelligence services are not advocates for privacy laws.
Don't try to paint the US as the victim here because it's honestly ridiculous.
> which the EU considers to be incompatible with privacy guarantees.
Well, the whole "global jurisdiction" is iffy for the rest of the world.
> May not be a bad thing overall, especially for local players and for national sovereignty evangelists
Yep, especially if they have to play by different rules and have different values than the companies they try to compete against.
> hard to see how they can continue to service global markets without a huge per-country localisation effort
You (the company) could maybe instead protect everyone's data equally (or rather, avoid slurping up as much personal data as you possibly could), then you won't have to go through the whole process of making everything per-country localized.
By GDP, the European market is the second largest in the world, it's hard to imagine US companies would try to avoid it without thinking about it for a good while.
You are suggesting two approaches, one (or even both) of which are not feasible.
The problem with protecting everyone's data equally (and the point of why EU courts are rejecting the current regime) is that national laws override company intent. If a US company is served a national interest letter, they are giving up the data and keeping mum about it, or someone is potentially going to jail. And nobody will go to jail to protect the data of a user of a free (or a $8/mo, whatever) service.
This happens similarly in other countries - China, obviously; UK has a similar "national interest" rule; I don't know about the EU but I wouldn't be surprised if their spies and law authorities have also codified access on an as-needed basis for themselves. It's all the other kids that must be kept out of the personal data sandbox.
Avoiding collecting the data in the first place is far more robust against this sort of government behavior. There are organized government efforts to mandate centralized data collection and facilitate access anyway (e.g. UK's attempts to ban end-to-end encryption), so we'll see if that approach holds.
Yes indeed. If you do business in a country, adhere to the rules of this country. Simple.
True globalization (one global rulebook) is probably not achievable, considering all the different aspects of societies in this world (degree of capitalism, degree of privacy, degree of social class responsibility, degree of liberal society, degree of ...).
The G7 countries (aka US, EU, JP, Australia) are lucky to have a rough idea on what that should be. When you talk to China then you start banning stuff instead of playing court fines and regulatory alignment.
Not simple, because the US CLOUD Act contradicts the EU GDPR.
Yes, correct. But that is something they can figure out.
One has to take a step back, a compromise isn't possible.
AWS has zoned services and Amazon has country specific websites. It's not that difficult.