The Irish Times
Facebook throws hissy fit about having to obey data laws
Facebook’s official response to the Irish Data Protection Commission’s preliminary decision on the company’s data transfers to the United States may well go down as one of the most ludicrous corporate legal hissy fits of modern times.
In a sworn court affidavit, Yvonne Cunnane, Facebook Ireland’s head of data protection and associate general counsel, indicated that Facebook and Instagram might – wait for it – have to pull all services from European users in order to comply with the data protection parameters laid out in the recent Schrems decision of the Court of Justice of the European Union.
For the record: Europe is Facebook’s second largest market. Europe generated about ¤15 billion in revenue for the social media giant over the past four quarters. Leaving the EU would open a huge market to a new competitor with an offering more protective of data and privacy, which could lure global users already long exasperated with Facebook’s litany of data-handling mishaps.
GDPR-mandated data portability could make such a switch easy for users. Bring it on, I say.
Cunnane’s precise phrasing was that “it is not clear to [Facebook] how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU”.
Actually, it’s quite clear: meet your legal obligations. Offer adequate data protection for European users, as required by GDPR.
Facebook surely knows this, assuming it has been paying any attention to six years of critical ECJ cases (including those of Digital Rights Ireland in 2014 and the first and second Schrems decisions, in 2015 and 2020).
The court’s decisions in all three cases specifically noted that this may be difficult or impossible to do as long as the US has a national surveillance infrastructure that means anyone’s data, if held in the US, can be examined by surveillance agencies outside of specific human-rights-based protections mandated for Europeans.
As I wrote back in July, there’s really no way to transfer data to the US unless the US makes some changes.
But instead of seeking solutions, the gist of Facebook’s affidavit and retaliatory court case against the commission here is a ridiculous tantrum in defence of the damaging, inept, democracy-destroying surveillance capitalism business model on which its own and so many other businesses depends.
This model involves gathering massive storehouses of personal data that can then be monetised by auctioning advertising access to users – but also, non-users, who get sucked into Facebook’s system of secondary off-site surveillance.
Yes, you might have never used Facebook, but nonetheless, be profiled as a prospective ad target (and just a little reminder that, until last month, Facebook allowed race-based audience targeting).
This may be terribly inconvenient to businesses that for years have assumed EU data protection laws would not ever be enforced, but it’s the actual law, and now it is backed by case law from Europe’s highest court.
Ironically, Facebook also complains in the affidavit that it has been unfairly targeted and is “not being treated equally”, which could lead to “a serious distortion of competition” (in a market with zero equivalent competitors). Welcome to our targeted-user pain, market-dominating Facebook.
This is the slow consequence of an international legal system that companies such as Facebook and Google have long exploited. Shoshana Zuboff’s groundbreaking book Surveillance Capitalism offers many specific examples.
Move fast and break things in the sure knowledge that it will take a long time for the questionable things to be noticed, even when illegal, and even longer for individual legal complaints to be taken against a company.
‘‘ Facebook’s affidavit and retaliatory court case against the commission here is a ridiculous tantrum in defence of the damaging, inept, democracydestroying surveillance capitalism business model
You can be sure many companies support and rely on this burdensome aspect of GDPR; they can sit back and wait until an actual complaint is filed against them.
This is just one reason why the handling of complaints against powerful, lawyered-up multinationals should be done centrally by a pan-EU data protection panel, not by individual nations and state regulators. A pan-EU decision could be mandated to have immediate general effect, which would limit the ability of large companies to exploit such gaps.
Meanwhile, Facebook also seems not to have noticed that the very industry its affidavit says it needs to be able to transfer data to – the secretive global adtech sector – is also the subject of a major Irish and European-level complaint from Johnny Ryan, who this week submitted further evidence to the Data Protection Commission of what he calls the “vast, systematic data breach” involved in Google’s adtech model.
Such a challenge is another predictable response to the European court’s cases noted above, and evidence that Facebook is hardly alone in facing GDPR-related legal confrontations.
If the premise of adtech is deemed a violation of GDPR rights – and as currently constituted, surely it is – then a cornerstone of surveillance capitalism crumbles in the EU.
In 2014, when GDPR was in initial planning, I argued that the rest of the world would surely have to rise to the EU’s proposed higher privacy bar. Half a decade on, here we are.