The Irish Data Protection Commission says it will block Facebook from sending user data from Europe to the US. Without a new bulletproof cross-border data treaty, a ‘Splinternet’ may be on the horizon, says David Carroll.
When mid-20th century telecom engineers envisioned an internet that would come to animate 21st century dynamics, they designed their networks and protocols to enable a free flow of data. Global electronic connection promised to unify communications and elevate humanity’s collective experience. While the architects of the early internet imagined how data would metaphorically envelop our planet within an atmospheric layer of information governed by technical protocols, they also underestimated the resilience of nation states to reimpose borders and controls and to enforce ratified rights.
Today, the term ‘Splinternet’ describes a notion that the digital revolution’s original unitary global connectedness is giving way to the forces of national or regionalized digital territories that may or may not interoperate. China serves as the most striking example of the Splinternet, as the most populous nation is effectively firewalled from the rest of the world’s internet by an integrated regulatory and business apparatus engineered at both the hardware and software layers.
Less well understood, though, is that the European Union is increasingly asserting its own data territoriality, unexpectedly putting it at odds with close allies such as the United States. Being a mid-20th century modern political construction—and thus not having been penned on parchment by candlelight with a quill—the EU grants its residents fundamental digital data rights in its charter (Title II, Article 8). These enshrined human rights have manifested in robust technology regulation, especially compared to the US, which does not enumerate explicit privacy rights in its Constitution. Without a founding mandate or amendment, Congress has yet to enact anything vaguely close to Europe’s General Data Protection Regulation, or its newest iterations of acts to oversee digital services and markets.
This transatlantic chasm between enumerated and unenumerated privacy rights has been exploited by legal activist Max Schrems, whose successful lawsuits illustrate how the US and EU’s data protection regimes are incompatible. Schrems continues to prove in European courts that the US cannot demonstrate adequacy to European regulators that it is capable of being a trusted partner to protect the data of European residents (our intelligence apparatus is a key sticking point). Schrems’s lawsuits toppled not only Safe Harbor, but also the Privacy Shield treaty that followed. Left to scramble without a treaty, companies like Facebook (Meta) have fallen back on standard contractual clauses.
Now, a recent action by Facebook’s regulator for Europe, the Irish Data Protection Commission, has even toppled Big Tech’s fallback position, risking service blackouts without a cure for compliance. No adequacy. No Instagram.
This action by Ireland to enforce rights enshrined in the EU’s Charter pressures the Biden administration to devise yet another data flow treaty with Europe to somehow bridge the gap between a population with fundamental data rights and one without. Indeed, ratifying a Schrems-proof treaty will be difficult, the devil being in the details, with national security postures at stake.
Unfortunately, press coverage of this policy problem generally takes a simplistic both-sides approach, making the US and EU positions somehow equivalent, lacking only the requisite policy needle-threading. But such coverage fails to present readers with a deeper perspective on how Schrems has revealed the shortcomings of the US approach to data rights. As a result, the Splinternet looms large, with disruptive potential to reorder American dominance in digital media platforms, all because both Congress and big platforms have failed to recognize that achieving adequacy in data protection rights with Europe preserves the free flows of data which enabled the primary business growth of the past two decades.
Alignment with Brussels would assure higher standards are met, but American arrogance that US approaches are adequate obscures the realization that the US is stuck with an 18th century approach to data privacy (and, perhaps, civil rights more generally). Unless the Biden administration and Congress take decisive action, the failure to modernize policy is going to injure American business interests while further erasing the early promise of the internet. As under-resourced European regulators act at glacial speed, American lawmakers in this Congress have a fleeting opportunity to enumerate essential 21st century privacy rights and confront the structural dilemma of a Splinternet with Europe.
David Carroll is an associate professor of media design at Parsons School of Design at The New School. He is known as an advocate for data rights by legally challenging Cambridge Analytica in the UK in connection with the US presidential election of 2016, resulting in the only criminal conviction of the company by the Information Commissioner’s Office. This work is featured in the BAFTA and Emmy nominated Netflix original documentary The Great Hack (2019) and his writings on the effort have been published in WIRED, PAPER, Quartz, The Guardian, Motherboard, and The Boston Review. He was awarded prizes from The Philosophical Society and the Law Society at Trinity College Dublin in 2019. He received a BA from Bowdoin College and an MFA from Parsons.