Meta’s Regulatory Battles Sound the Alarm for Big Tech 

Meta has been fighting legal battles on several fronts in the past year, with some victories and some setbacks. One of these cases could have wider ramifications for the tech industry.

In the U.S., the social media giant first won an antitrust case against the FTC in February, winning the right to buy virtual reality startup Within Unlimited. Then, it beat back another antitrust suit brought by 48 states over its acquisitions of WhatsApp and Instagram. That doesn’t bode well for the FTC, which is currently pursuing a landmark case over the same issue.

Meta’s recent fortunes in Europe have been less positive. The bloc’s lead data regulator, Ireland’s Data Protection Commission, was not historically known for its aggressive data privacy rulings. That has changed recently as the DPC has repeatedly stepped up to the plate with more penalties. After several fines against Meta since the fall of 2021, the DPC dropped a financial bomb in May. It fined the social media giant €1.2bn for violating GDPR principles by transferring data collected from European Facebook users to the U.S.

When SCCs Aren’t Enough

The E.U. and the U.S. do not currently have an adequacy deal in place for transferring data between the two jurisdictions, although they are working on one. There were two such deals before – the Safe Harbour arrangement of 2000 and the Privacy Shield. Both of these were struck down after Austrian lawyer and privacy activist Max Schrems challenged them.

Instead, Facebook has relied on Standard Contractual Clauses (SCCs), which are templated agreements for bilateral data exchange agreements between organizations in the E.U. and the U.S. The European Commission updated these in June 2021.

In its May ruling, the DPC determined that while SCCs offer some protection for E.U. users’ data, they only apply to contracted parties. The U.S. government is not a signatory to these contracts, meaning that the clauses cannot prevent it from applying its aggressive data collection and mass surveillance policies to user data.

Last October, the White House attempted to address this issue in its Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. This establishes a Data Protection Review Court to review the U.S. government’s data-slurping on a per-case basis. Individuals or governments in qualifying states could complain to the Court about the collection of their residents’ data after it had been transferred to the U.S.

The problem, according to the DPC, is that the E.U. is not yet considered a qualifying state, meaning that its residents cannot yet take advantage of the Court. That leaves their data vulnerable in the U.S., no matter what the SCC says.

Having ruled the SCCs insufficient when dealing with the U.S., the DPC concluded that transfers are not allowed. Along with the fine, it demanded that Meta stop transferring E.U. users’ data to the U.S. within five months. It must also bring any current data about E.U. users into compliance with GDPR within six months (which means deleting it).

Broader Effects 

The DPC’s decision effectively removes the SCC as a tool for companies wanting to send E.U. residents’ data to the U.S. Section 10.11 of the DPC judgment warns that the ramifications of this case could spread far wider than Meta. It said:

“…the analysis in this Decision exposes a situation whereby any internet platform falling within the definition of an electronic communications service provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA.”

Just how catastrophic could this be for the tech sector? Meta has already warned that it might have to shut down many of its services in Europe if it is not allowed to transfer data back home. Other companies relying on user-generated content and social graphs will likely have the same problem.

What Now? 

Meta still has options. It doesn’t need to comply with the data deletion requirements until this October and is appealing the ruling.

One option might be for companies like Meta and others to invest more in EU-based data centres to store data on E.U. residents locally, solving the data sovereignty problem.

The window also provides time for work on a third adequacy agreement between Europe and the U.S. That agreement is already well underway and could be completed this summer. A lot will depend on the E.U.’s ability to become a qualifying state so its citizens can complain to the Data Protection Review Court.

More Trouble Ahead 

In the meantime, Meta faces further action in Europe. The European Commission said in December last year that the company’s Marketplace online classified ads business breached antitrust rules. Pairing it with the social networking service gives it an unfair advantage, regulators complained. The E.U. also accused the company of using other services’ online data.

If that case is successful, Facebook faces a fine of up to 10% of revenues, potentially putting it on the hook for $11.8bn in penalties. Meta has challenged information requests from the E.U. in that case, but the General Court rejected that, paving the way for the case to proceed.

“Move fast and break things” used to be Meta’s internal slogan. It might have relinquished that, but it still adheres to a more general rule of thumb adopted by the tech sector at large: “Act first, and ask for forgiveness later.”

Tech firms have considered penalties incurred under this broader doctrine a cost of doing business in a high-growth, high-stakes sector. As regulators level increasingly higher fines and even mull breaking up tech firms, that might be set to change.