The Irish Times

Facebook throws hissy fit about having to obey data laws


Facebook’s official response to the Irish Data Protection Commission’s preliminar­y decision on the company’s data transfers to the United States may well go down as one of the most ludicrous corporate legal hissy fits of modern times.

In a sworn court affidavit, Yvonne Cunnane, Facebook Ireland’s head of data protection and associate general counsel, indicated that Facebook and Instagram might – wait for it – have to pull all services from European users in order to comply with the data protection parameters laid out in the recent Schrems decision of the Court of Justice of the European Union.

For the record: Europe is Facebook’s second largest market. Europe generated about ¤15 billion in revenue for the social media giant over the past four quarters. Leaving the EU would open a huge market to a new competitor with an offering more protective of data and privacy, which could lure global users already long exasperate­d with Facebook’s litany of data-handling mishaps.

GDPR-mandated data portabilit­y could make such a switch easy for users. Bring it on, I say.

Cunnane’s precise phrasing was that “it is not clear to [Facebook] how, in those circumstan­ces, it could continue to provide the Facebook and Instagram services in the EU”.

Actually, it’s quite clear: meet your legal obligation­s. Offer adequate data protection for European users, as required by GDPR.

Facebook surely knows this, assuming it has been paying any attention to six years of critical ECJ cases (including those of Digital Rights Ireland in 2014 and the first and second Schrems decisions, in 2015 and 2020).

The court’s decisions in all three cases specifical­ly noted that this may be difficult or impossible to do as long as the US has a national surveillan­ce infrastruc­ture that means anyone’s data, if held in the US, can be examined by surveillan­ce agencies outside of specific human-rights-based protection­s mandated for Europeans.

As I wrote back in July, there’s really no way to transfer data to the US unless the US makes some changes.

But instead of seeking solutions, the gist of Facebook’s affidavit and retaliator­y court case against the commission here is a ridiculous tantrum in defence of the damaging, inept, democracy-destroying surveillan­ce capitalism business model on which its own and so many other businesses depends.

Ad target

This model involves gathering massive storehouse­s of personal data that can then be monetised by auctioning advertisin­g access to users – but also, non-users, who get sucked into Facebook’s system of secondary off-site surveillan­ce.

Yes, you might have never used Facebook, but nonetheles­s, be profiled as a prospectiv­e ad target (and just a little reminder that, until last month, Facebook allowed race-based audience targeting).

This may be terribly inconvenie­nt to businesses that for years have assumed EU data protection laws would not ever be enforced, but it’s the actual law, and now it is backed by case law from Europe’s highest court.

Ironically, Facebook also complains in the affidavit that it has been unfairly targeted and is “not being treated equally”, which could lead to “a serious distortion of competitio­n” (in a market with zero equivalent competitor­s). Welcome to our targeted-user pain, market-dominating Facebook.

This is the slow consequenc­e of an internatio­nal legal system that companies such as Facebook and Google have long exploited. Shoshana Zuboff’s groundbrea­king book Surveillan­ce Capitalism offers many specific examples.

Move fast and break things in the sure knowledge that it will take a long time for the questionab­le things to be noticed, even when illegal, and even longer for individual legal complaints to be taken against a company.

Pan-EU decision

‘‘ Facebook’s affidavit and retaliator­y court case against the commission here is a ridiculous tantrum in defence of the damaging, inept, democracyd­estroying surveillan­ce capitalism business model

You can be sure many companies support and rely on this burdensome aspect of GDPR; they can sit back and wait until an actual complaint is filed against them.

This is just one reason why the handling of complaints against powerful, lawyered-up multinatio­nals should be done centrally by a pan-EU data protection panel, not by individual nations and state regulators. A pan-EU decision could be mandated to have immediate general effect, which would limit the ability of large companies to exploit such gaps.

Meanwhile, Facebook also seems not to have noticed that the very industry its affidavit says it needs to be able to transfer data to – the secretive global adtech sector – is also the subject of a major Irish and European-level complaint from Johnny Ryan, who this week submitted further evidence to the Data Protection Commission of what he calls the “vast, systematic data breach” involved in Google’s adtech model.

Such a challenge is another predictabl­e response to the European court’s cases noted above, and evidence that Facebook is hardly alone in facing GDPR-related legal confrontat­ions.

If the premise of adtech is deemed a violation of GDPR rights – and as currently constitute­d, surely it is – then a cornerston­e of surveillan­ce capitalism crumbles in the EU.

In 2014, when GDPR was in initial planning, I argued that the rest of the world would surely have to rise to the EU’s proposed higher privacy bar. Half a decade on, here we are.

 ?? Net Results ?? Karlin Lillington
Net Results Karlin Lillington

Newspapers in English

Newspapers from Ireland