It has finally happened: Meta has less than five months to stop sending Europeans’ personal data to the U.S., under a decision by the Irish privacy watchdog that also imposed a record $1.3 billion fine on the company for its past illegal data transfers. That means Facebook and Instagram may soon no longer be available in Europe.
You can read all about the bombshell decision and the history behind it (and I recommend doing so), but the tl;dr is that, since Meta is not able to prevent American intelligence agencies from collecting and accessing European users’ personal data in the U.S., the company illegally fails to guarantee Europeans’ privacy rights when it transfers data to the U.S.
Now, let’s discuss what happens next. There are essentially just four possible ways this could play out:
Option 1 — New deal: The European Commission adopts a new data-sharing pact with the U.S., giving Meta a legal basis for its transatlantic data transfers before the clock runs out in mid-October.
Option 2 — Adapt: Meta finds a way to stop sending EU personal data to the U.S., without messing up the functionality of Facebook and Insta.
Option 3 — Fight: Meta successfully appeals the decision and this all goes away.
Option 4 — Exit: None of the above happens, and Meta pulls Facebook and Insta from the EU (Mexit?), as it has previously warned it will.
The first option is probably the most likely outcome—and certainly the most attractive for other U.S. corporations that are just as vulnerable as Meta. However, the new agreement would be the third of its kind, with the previous two having been struck down by the EU’s highest court because they didn’t rein in U.S. mass surveillance. And it’s far from clear that the new deal (known as the Data Privacy Framework or DPF) would achieve that aim.
The European Parliament and the EU’s data protection authorities have already said they think the U.S.’s promised surveillance safeguards are too vague and potentially ineffective. The Commission could ignore their warnings and seal the deal—if the EU’s member states agree—but if those deficiencies go unresolved, there’s a very high chance the Court of Justice of the EU will kill this agreement as it did its predecessors.
Max Schrems—the Austrian lawyer whose 2013 complaints to the Irish regulator set everything here in motion—believes the problems can be fixed if the U.S. puts real limits on how its agencies surveil people from allied countries.
“Basically my personal ideal outcome is a ‘no spy’ agreement giving people of democratic countries baseline guarantees, no matter if their data stays local or not,” Schrems told me this morning. And his second-favorite potential outcome? “The ‘federalized’ social network with an EU and U.S. branch, where only the necessary data is sent to the U.S. anymore (e.g. a message to a U.S. friend).”
This approach to data management may be a legally viable option for Meta—it could then claim necessity as the legal basis (under the EU’s General Data Protection Regulation or GDPR) for those limited transfers—but the company really doesn’t want to go down that route.
“In our opinion, localisation is not the answer,” said a Meta spokesperson. “Global services need global connections, and the internet is based on an open global model. Meta cannot simply wall off EU user data from non-EU user data. People don’t use our services to have this type of experience, which is inconsistent with the very nature of how global services like ours are designed to operate.”
As Schrems points out, Meta’s chances of a successful appeal are low, because the EU’s highest court has more than once confirmed how U.S. surveillance practices make transatlantic data transfers illegal. So the activist lawyer reckons Meta will cave in at the last minute and move to a federated model for its social networks. He characterizes the company’s warning of a withdrawal from Europe—from which it derived 22% of its Q1 revenue this year—as “laughable.”
Two final thoughts from my side. Firstly, this whole affair has shredded the reputation of the Irish Data Protection Commission (DPC), which didn’t want to levy any fine against Meta but was then brutally slapped down by its peers on the European continent. The Irish DPC is the most important of the EU privacy watchdogs because so many multinationals are headquartered on its turf, but it has long been seen as ineffective because of its glacially slow pace of enforcement. It always claimed underfunding was to blame; now it looks like reluctance is the problem.
Secondly, the EU’s watchdogs also collectively ensured that the Irish decision forces Meta to delete the European personal data it has already funneled into its U.S. systems over recent years. As civil liberties activists have pointed out, unsealed documents from a U.S. case suggest Meta does not have a good grasp on where data goes in its systems—so getting it out within the next six months, as it is now supposed to do, will be very difficult indeed.
David Meyer
Data Sheet’s daily news section was written and curated by Andrea Guzman.
NEWSWORTHY
Another Twitter competitor. After a March report from Platformer that Meta was exploring a text-based app, more evidence has piled on since celebrities and influencers have reportedly started testing such an app from Instagram. According to a screenshot of an early app description, the platform could be available in June, and may be compatible with other Twitter rivals like Mastodon. The move from Meta adds to the difficult job ahead for incoming Twitter CEO Linda Yaccarino, who will also be trying to convince advertisers who reduced their activities on Twitter to return. But she appeared ready for the challenge, tweeting about the fresh competition on Sunday in a post that said “Game on.”
China’s chip ban. China’s Cyberspace Administration warned operators of key information infrastructure to stop purchasing Micron products over “significant security risks.” This comes more than a month after China announced an investigation into imports from the largest memory-chip maker in the U.S., furthering the semiconductor battle between the two countries. The Wall Street Journal reports that about a fifth of Micron’s sales in China could be affected by the ban. Electronic products built in China which include Micron chips but which are intended for sale outside of China are not affected by the ban.
AX-2 crew docks at ISS. A four-person crew traveling in SpaceX’s Dragon capsule docked at the International Space Station this morning after the chartered multimillion-dollar flight took off from the Kennedy Space Center on Sunday. The group, which includes stem cell researcher Rayyanah Barnawi, who is now the first woman from Saudi Arabia to travel to space, will be at the station for about a week before returning to the Florida coast. It’s the second private flight to the space station organized by the private space infrastructure developer Axiom Space, and the crew will complete multiple science and tech experiments in areas like human physiology and physical sciences, SpaceX says.
On This Day in Tech History
Programmer Laszlo Hanyecz bought two pizzas for 10,000 Bitcoins in 2010, in what’s often considered the first time the currency was used for purchasing goods. Now, people celebrate the day with events online and around the world, like Binance’s event in Italy, though Hanyecz may be less cheery about the transaction given that the bitcoin he used to purchase the two pies would be worth $269 million at today's Bitcoin price.
BEFORE YOU GO
Microsoft’s Xbox PC games coming to Ukraine's Boosteroid. To get regulators on its side for its proposed Activision Blizzard deal, Microsoft has signed 10-year deals with cloud gaming competitors. One of these cloud platforms is a Ukrainian company called Boosteroid, which has offices in Kyiv and Kharkiv and has continued operating out of the country amid Russia's invasion. Starting on June 1, games like Deathloop, Gears 5, Grounded, and Pentiment will be available to Boosteroid's roughly 4 million subscribers.
While Microsoft and Activision move to appeal U.K. regulators' block of the deal, Microsoft said it’s committed to enabling players to stream games through their chosen cloud gaming service once the acquisition closes. “It remains our goal to empower people to play the games they want, with the people they want, where they want, on the devices they want,” Microsoft wrote in a release.
This is the web version of Data Sheet, a daily newsletter on the business of tech.