Looks like Facebook picked the wrong month to stop sniffing glue
- July 24, 2020
- Posted by: Tim Walters, Ph.D.
- Categories: Data & Privacy, Technology, The Content Advisory
All it wants to do is conduct surveillance operations on a global scale, build detailed dossiers on users and non-users alike, determine their psychological profiles, preferences, hot buttons, and vulnerabilities, and sell their souls to advertisers in order to rake in shareholder-satisfying piles of revenue while brushing aside a rising tide of suicide, genocide, and democrocide.
Ok, it’s not the highest calling, but hey, a multi-billionaire’s got to make a living, right?
But then the pesky courts keep getting in the way. Worse, they’re European courts, so obviously anti-American and jealous of Facebook’s world-conquering popularity.
The antitrust problem
First, in late June, one of Germany’s supreme courts (it has many) confirmed the 2019 finding by the country’s antitrust regulator (the Federal Cartel Office, or FCO) that Facebook may not combine personal data from its various platforms (Facebook, Instagram, WhatsApp), and from the millions of sites with “Like” buttons, without first securing the user’s consent.
That sounds like a case for the GDPR and data protection authorities. But the court agreed with the FCO that Facebook was abusing its near-monopoly status as a social platform to effectively force users to accept onerous data processing conditions.
As I noted in “Has Germany Opened a Path for US Antitrust Action Against Facebook”:
Second, as the title of that piece indicates, the German court may have illuminated a possible line of attack for antitrust action against Facebook in the US – namely, by locating the “consumer harm” not with Facebook’s users, who pay nothing for the service, but with advertisers and competing advertising platforms.
The surveillance problem
Then in mid-July, in a case that directly implicated Facebook, the EU’s supreme court (the CJEU) struck down the Privacy Shield program that facilitated transfers of personal data from the EU to the US.
As David Meyer explained in Fortune:
The Privacy Shield deal gave American companies a relatively hassle-free way to serve EU users. Under EU law, Europeans’ personal data is only supposed to go to outside countries that have similar data protection rules to those in the EU. The U.S. lacks a strong federal privacy law and therefore doesn’t qualify—so the U.S. and EU agreed on the Privacy Shield register as a way for U.S. companies to say that they adhere to EU-grade privacy rules, even if U.S. law does not.
The problem is again surveillance, but this time it’s that practiced by US governmental agencies rather than by Facebook itself. In short, the court decided – as it did in 2016, when it struck down the previous Safe Harbor agreement – that because EU user data is not safe from systematic surveillance (whereas the data of “US persons” has a higher level of protection), US data protection is not adequately “similar” to that in the EU.
Perhaps more importantly, the court decision preserved data transfers under so-called standard contractual clauses (SCCs) – but with some core provisos that may make SCCs effectively useless.
David Meyer again:
On Thursday morning, the court said SCCs remain valid precisely because they allow a data protection authority to suspend data flows, if the company using the SCCs either breaches its terms or if it is “impossible to honor them” because of the laws in the country to which the data is flowing. Given that the court slammed U.S. privacy and surveillance laws when striking down Privacy Shield—it said there still weren’t enough limits on U.S. intelligence agencies’ access to Big Tech’s user data, and that Europeans didn’t have a meaningful way to complain about that access—it follows that any company relying on SCCs for their EU-to-U.S. transfers is potentially in trouble.
But who precisely is in trouble? According to one interpretation of the court’s decision, it’s, as Meyer says, “any company relying on SCCs.” Or as one observer brilliantly put it on Twitter:
However, another camp focuses on a previous phrase in Meyer’s summary: “US intelligence agencies’ access to Big Tech’s user data.” On this view, SCCs are effectively dead only or mainly for the so-called “electronic communication service providers” that are subject to surveillance under FISA 702. I haven’t found a complete list of such providers (here are some examples) but it seems to be relatively few, and indeed concentrated on Big Tech: Google, Microsoft, Amazon, Apple, AT&T, Verizon, etc.
And of course Facebook. So regardless of your interpretation of the validity of SCCs going forward, it’s clear that Facebook can no longer rely on them. (The company was not using the Privacy Shield program.)
Facebook in rehab?
Privacy advocate Max Shrems, whose seven year old complaint against Facebook’s handling of EU data has culminated (so far) in the CJEU’s July decision, has called on the Irish data protection authority to promptly order that Facebook cease transferring EU user data to the US.
Don’t hold your breath about that. The data commissioner Helen Dixon has never demonstrated any enthusiasm for upsetting the US data giants headquartered in Ireland. (Witness those seven years since Shrems’ original complaint.)
Still, given the court’s decision, building data centers that obviate the transfer of EU data to the US is seemingly Facebook’s only solution.
But Facebook wouldn’t be Facebook if it simply accepted a supreme court decision and abided by the law. More likely, they’ll continue to deny, delay, and deceive – by, for example, again making the absurd argument that they have a “contract” with every Facebook user to deliver personalized advertising and are thus exempt according to the GDPR’s Article 49. (Which allows transfers that are necessary to service a contract, e.g., a hotel booking in the US made by a resident of the EU.)
Prediction: Mark Zuckerberg will appeal to his dinner companion in the White House to protect the vital interests of US tech innovators from the bullying bureaucrats in Brussels.
This is a company, after all, that justified the non-consensual aggregation of user data in the German case by claiming that it was necessary in order to . . . fight child pornography.