Ruling Against Meta May Signal How Companies Must Rethink Data Traceability and Storage

The design of platforms increasingly needs to be re-engineered from the ground up for the emergent requirements of different data protection regimes around the world, says David Carroll.

The pressure valve on the free flow of data across borders hit the red zone this week, with the latest EU ruling and fine against Meta by the data protection regulator in Ireland. Indeed, the fine is large ($1.3 billion) but as we know by now, the sum is just the cost of doing business for such a large tech firm, and it is not the most interesting element of this story. Perhaps far more significant is what the company is being ordered to do in less than six months: to stop sending data on Facebook users from the EU to the US.

Stepping back from the specifics of this particular ruling, it’s also possible to regard this moment in time as about the convergence of larger forces and narratives that have shaped the way nations think about data protection and privacy. In one possible reading, this is the saga of three young men that are about the same age: Edward Snowden, Max Schrems, and Mark Zuckerberg. Each of their destinies intersect and clash in in various ways, and each are tied to why the free flow of data across the Atlantic to the United States is increasingly at risk:

Edward Snowden, the former NSA contractor, revealed the gory details of how social media platforms like Facebook are hacked with ease by U.S. intelligence agencies (see his disclosures on PRISM, etc.). His exile in Russia persists. Certainly less well-known outside of privacy nerd fandoms is Max Schrems. This entrepreneurial privacy attorney and activist from Austria responded to Snowden’s revelations by legally challenging and toppling not one (SafeHarbor), but two (PrivacyShield) international cross-border data treaties from the vantage point of Brussels by successfully arguing that Europeans are not adequately protected from the U.S. surveillance state. That, in turn, is a problem for Mark Zuckerberg’s business model, which is premised on the free flow of data across borders..

Negotiations continue to progress in fits and starts between the Biden Administration and its counterparts in the EU on establishing a more Schrems-proof cross-border agreement. Meanwhile, this week’s ruling by the Irish Data Protection Commission ratchets up the regulatory pressure on Meta to further reckon with its original sins, such as how it has designed its data structures and storage models without European data protection in mind.

Last spring, I wrote a hot take for Tech Policy Press under the headline “Leak Reveals Facebook Data Management At Odds with GDPR.” I pointed out that Facebook tracks its users, which is legal, but it doesn’t track how it uses or stores its users’ data, which likely isn’t legal, at least according to EU law. This article was based on a document leak reported by Motherboardthat offered a rare peek into the internal data control structures and practices deep within the bowels of Facebook’s software stacks and ‘data lakes’ of pooled personal data. The basis of these “lake leaks” was later corroborated by unsealed files from the California class-action lawsuit which included deposition from employees who described a “terrifying” culture where no one knows where the data goes.

Yesterday’s headline – “Meta Fined $1.3 Billion for Violating E.U. Data Privacy Rules: The Facebook owner said it would appeal an order to stop sending data about European Union users to the United States” – is just in time for the five-year anniversary of the EU’s General Data Protection Regulation (GDPR) coming into force. As usual, most reporters buried the lede behind a big number to drive the news cycle. The order that Meta must cease the flow of data across territories and the potential implications for disgorgement are extraordinary. As Dr. Johnny Ryan of the Irish Civil Liberties Council surmised in the Times, ““It is hard to imagine how [Meta] can comply with this order,” leaving bulk data destruction as the only other imaginable alternative, if Meta’s appeal is unsuccessful. By pooling data into lakes, a kind of digital geography that confounds the borders of actual political boundaries, companies risk what seems a liability of untraceable supply chains of increasingly regulated personal information originating from data protecting jurisdictions.

I’ll leave the broader and deeper analysis of what this means for global software firms to experts like Anupam Chander, and the pros over at IAPP. But the bottom line for non-lawyers like me is that the design of platforms increasingly needs to be re-engineered from the ground up for the emergent requirements of different data protection regimes around the world. Interestingly, Max Schrems points to federated social networks as a possible solution to the conundrum. All this might make one bullish on otherwise fringe platforms like Mastodon and Bluesky, which ask people to rebuild their social graph in exchange for the independence afforded by federated social networks. It’s certainly no wonder that Meta is reportedly experimenting with new federated protocols as well.