The TechCrunch Podcast

Meta and the EU: It's complicated -- and other TC news

Episode Summary

This week Meta was ordered to suspend Facebook EU’s data flows and was hit with a fine of 1.2 billion Euros under GDPR. This fine has big implications for the way these companies will be allowed to collect and share data and it may lead to big changes - either in the laws that govern the use and protection of data, or in the way Meta and other tech giants operate at a fundamental level - or both. In this episode, Natasha Lomas is here to break down a years-long security saga that’s still unfolding.

Episode Notes

Articles from the episode:

The TechCrunch Podcast posts every Friday. Subscribe on Apple, Spotify or wherever you listen to podcasts to be alerted when new episodes drop. Check out the other TechCrunch podcasts: Equity, Found and Chain Reaction.

Episode Transcription

Darrell Etherington  0:02  

The World Wide Web may indeed span the globe as the name implies, but we live in a world broken up into countries, regions and states that all have different rules around security and data sharing on the internet. This can cause huge headaches and even existential risk for big tech companies like Meta, which have a nasty habit of pushing the boundaries of how much data they collect about who and how that data is monetized. This week, Meta was ordered to suspend Facebook EU's data flows and was hit with a fine of 1.2 billion euros under the General Data Protection Regulation, also known as GDPR. And while the fine is fairly small to a company with Meta's annual revenue, it has big implications for the way these companies will be allowed to collect and share data. And it may lead to big changes either in the laws that govern the use and protection of data, or the way Meta and other tech giants operate at a fundamental level, or both. I'm Darrell Etherington, and this is the TechCrunch Podcast, where we talk about the top stories in tech with the people who cover them. Today Natasha Lomas is here to break down a years-long security saga that's still unfolding. Natasha, how's it going?

 

Natasha Lomas  1:09  

Hey, Darrell. It's pretty good. How are you?

 

Darrell Etherington  1:11  

Good. Good. So this week has been busy in European privacy world, I guess.

 

Natasha Lomas  1:20  

Privacy sphere? Yeah. It's been a busy one.

 

Darrell Etherington  1:23  

Yeah. So we had this sizable (for us normal people, I don't know about sizable for Meta) privacy fine come down: 1.2 billion euros, which is roughly $1.3 billion. Even? Yeah, yeah. Current trading American dollars. Yeah, a lot more, let's say, but not the most that they could have been, is my understanding from reading your article, that they could have received under this particular penalty,

 

Natasha Lomas  1:51  

I think it's probably closer to the least they could receive.

 

Darrell Etherington  1:57  

Yeah, so let's get into it. Because this is very complex, like it seems like and I know that depending on whose version of this you listen to, it's a very strong message sent to Meta. But as you lay out so eloquently in your article, there's reason to believe that it seems like it was done very reluctantly, perhaps, and also that is de minimis when it comes to the actual enforcement term. So do you want to explain a little bit about that?

 

Natasha Lomas  2:24  

I think that's fair. I mean, it's a very long running saga. So if you're at all deeply interested in this, I would urge you to go and read the article, because the article it goes. I mean, it really does. It's a very, very long, long running saga related to kind of linked originally, essentially to the Edward Snowden disclosures about US government surveillance, which if people remember back that far, there was a program called PRISM where the NSA was kind of scooping up data from social media companies like Facebook. And that was kind of cottoned on to by a privacy activist, privacy campaigner, a law student at the time, I think, called Max Schrems, who is also known internally at Facebook, as I believe, the devil or some such moniker. But he, he spotted that this was a big deal, and sort of started complaining. And he kind of targeted several companies. But he ended up sort of focusing his complaints on Facebook and asking their lead privacy regulator to stop transferring data, because data for the European users sent to the US then get spied on by American government spies, spooks, whatever. And that's a problem because under European law, you need to protect data when it's exported. So that's the kind of key conundrum: European Union law, we have this comprehensive data protection, the US does not. Some states have their own, but there's no comprehensive one. And there's certainly no protections for foreigners, goodness, under things like the FISA surveillance laws, and so on. So it's a huge clash, legal kind of clash of these conflicting systems. One, one in the US has obviously focused on national security and prioritizing all of that. And so surveillance is like part of that, and they can do what they want with data and then the European way, which is no, no, you have to protect data. It has to be, you know, privacy has to be respected and all of this. So that's the original conundrum. 
And it's just gone on and on down through years and years and years of these complaints being filed with the data protection regulator in Europe for Facebook, which remains the Irish Data Protection Commission. It's been kicked back and forth through all sorts of procedural, dilly dallying. It's resulted in two high-level data transfer pacts between the EU and the US being thrown on the scrap heap when the top court in Europe struck them down, not being for not being legit. So Schrems has many, many scalps already. But through all of this long saga, Facebook has still been transferring data, hasn't actually, you know, had to stop transferring data. So that's kind of the irony, really, but this week, there was finally a suspension order coming out of the Irish DPC, which says they will have to suspend these data flows. However they have been given, I think it's up to six months to implement that. But they were also fined at the same time, so that was the 1.2 billion, which is quite a big deal, in some ways, because Ireland didn't actually want to fine them at all. So that's one area where the European regulatory kind of communities kind of made Ireland do that through a process that's sort of baked into how the regulation works. So they were kind of forced to do that. So we've got this situation. Finally, after so many years of where Meta is facing some immediate consequences, I guess the fine and then this looming consequence of in six months time, potentially, I'm to suspend the data flows, which of course they can't do, because their service isn't doesn't work like that, you have to kind of change the infrastructure radically for that to be possible. However, there will probably be a new high-level data pact coming in this summer. So they will switch to that. So they'll probably avoid the suspension, but they won't avoid the fine. 
And if that wasn't enough, there's another element because the order kind of contains what looks like it could end up meaning that they have to sort of delete data that was transferred historically, without a legal basis, right. And then that could be complicated for them. Because by all accounts, Meta's internal systems are not really very well sort of, sort of structured and controlled. So it may be very difficult for it to kind of, you know, find this data and delete it all. Together, as far as we can tell from sort of leaks over the years, it's a big old soup of people's information.

 

Darrell Etherington  6:33  

And they are maintaining like, oh, but that will also kind of fall under the data sharing pact, like that'll prevent us from having to deal with that as well, is what they say.

 

Natasha Lomas  6:43  

The key. Yeah, this is a key element, they are saying that they're saying this whole this new data deal which you know, will absolutely, it's pretty inevitable, it will it will be at this point, it's only going to be signed, so it will come in good. Obviously, lots of other companies are affected by this legal uncertainty, not just Facebook. So lots rests on that. So yeah, they are Facebook are kind of seizing on it and say no, this will fix all of our problems, including our, you know, all of this data we transferred illegally in the past, which was amazing. I'm not sure law can do that, really. But you know, they're saying it does. There's some sort of doubt on that point. You could also sort of argue philosophically, you know, what is the data transfer, really, because it might be that some of this data that was historically transferred, had subsequently been re-transferred. So you could have kind of all sorts of academic and sort of technical questions about what really when, when does the data date back to anyway, so I think ultimately, what we'll get is a fudge, which is what usually happens, and Meta may well get away with sort of that fudge, right, they're not going to get away with fine unless they do succeed in their appeal, because they have obviously, now we have finally got this regulatory decision, they can still appeal it to the court. So they will certainly go down that route. So they could in theory, succeed in overturning it through the courts, that will take several years more obviously, at the same time, we will also get Schrems or someone else challenging the new high-level data deal. And that will probably also, that could also end up being struck down again. But we wait to see. So yeah, it's a recurring cycle. It's a doom loop. We're back here every day, but at least now we do have a tangible sort of fine to hit them with. And that's interesting, because Ireland didn't want to propose it. 
And they were forced to, again, by the sort of community of European data regulators through the EDPB, which is the body that ultimately issued the binding decision on Ireland to issue this decision. So they had limited choice in what they could do. But they did have some choice, which was over the level of the fine. And I think the EDPB said that they could set that between 20% and 100% of the maximum allowed under the GDPR and so the maximum would have been something like over 4 billion,

 

Darrell Etherington  8:46  

right? Because it's a percentage of their total,

 

Natasha Lomas  8:49  

total annual turnover. Yeah. So yeah. So I think my maths is right, they could have been on the hook for over 4 billion. So really, it's quite cheap. I would say they got, yeah, the lower, the lower end of the, of the fine. So they did get a fine, but they were forced to have that. But yeah, they got, they got off with less than it could have been

 

Darrell Etherington  9:07  

So yeah, and that. I mean, there's so much delay on there. But it is I think for a lot of our US listeners, like it's essentially like similar situation to how California kind of governs, except the opposite. Right? California is the most stringent in the States. And so if they set laws, like everybody has to follow them, basically but this is kind of the reverse in that everybody bases all the large tech companies base their stuff in Ireland because Ireland is known to be the most lenient of all the sorts of data protection commissioners of the various EU states. And so they feel like by being there, they can probably get away with more and that seems to have been the case right to date. Yeah, yeah, it's Ireland does that because it's very good for business in addition to their tax, right, like they have very favorable tax rates for tech companies and they have this which means that most people headquarter their European operations in Ireland

 

Natasha Lomas  9:58  

Yeah, Apple and there's a few exceptions or the Amazon is over in Luxembourg, but all of the Google, Apple, all of these, Facebook, TikTok, they're all, yeah, they're all in Ireland for this, for this reason. It's, it's a friendly jurisdiction. Yes. Well, yeah, this kind of regulation. So,

 

Darrell Etherington  10:13  

Yeah. So that leads to things like the general EU being like, Well, no, like, we need this to be effective. And so we have to step in at some point, which I think I mean, they do so reluctantly, right. Like, it's not like the story of all of this and the time it takes and everything is like, we don't want to infringe on the sovereignty of our member states, as much as we have, like, we only want to do as much as we have to, right, which is like, Okay, well, we've had to after years and years and years and years, it's been like, okay, and this relates to the other story, which is the TikTok. So basically, they called, What is her name? Helen Dixon to tap

 

Natasha Lomas  10:50  

the Irish DPC? Yes. She's like the commissioner. She's the head of the DPC, essentially.

 

Darrell Etherington  10:55  

Yes. And members of the European Parliament had her sort of present her progress today when it comes to TikTok and privacy regulation, because they're headquartered there. And that means that as Ireland regulates, so goes, the rest of the European Union member states, right, so they have her up because they have an investigation ongoing, but they're not happy with the pace of it. There's a lot of accusations of Ireland dragging their heels when it comes to all this stuff. Right. There

 

Natasha Lomas  11:21  

is, there is, no, the LIBE committee is its name, which is like the civil liberties committee, is very unhappy with the DPC for various reasons. Like they invited Dixon previously, I think it was last year and she she essentially refused. So they were not they were not at all happy, because they wanted to have she would have been in the room with Max Schrems. And so she was like, This is unacceptable. So no, she outright refused. So they were pretty mad. And I think they sent a delegation sort of, to the DPC to sort of dig around and then obviously, she did finally appear agree to appear before them today on this on not say this week on this TikTok session. But it was amusing because she used most of, she used a big chunk of her introductory remarks to sort of defend the DPC, which was then point of MEPs and pointed out well, that's not why we invited you here today that we could have talked about that last year when you didn't come. We actually wanted to, you know, question you about TikTok. So they were kind of there was some satirical sort of sarcastic comments being thrown at her about that. And then yeah, she was defending the record on TikTok, which I mean, it's kind of hard to defend when you consider it has been like for years and no real action of regulatory action in the EU on TikTok, despite matters of concern. So it's not only being raised by like privacy regulators, also by the consumer protection regulators have had a bunch of concerns for years. So it's really been like, this huge kind of ball of problems, but no, no real enforcement. But again, so the DPC she was Dixon was extremely robust in her defense of their busy enforcement, she was couching it and all this stuff. And was brooking no criticism and suggesting that it's simply you know, the time taken is what's required? Do you know, a careful fact sifting job, etcetera, etcetera? 
I don't think that the LIBE committee bought that, and I don't the criticism of Ireland is not going to is not going to dim. But in terms of timelines, I think we will see we will it's from what she suggested, I think we'll get one of their two inquiries, we'll get a decision probably on that later this year, maybe around sort of fall so October time, but the big data transfers investigation, which was mirrors what what's happened with with Meta, because they're also they are also investigating TikTok. But it doesn't translate to the US transportation of China, which, you know, may actually be more concerning to some people. And perhaps, perhaps to many people,

 

Darrell Etherington  13:31  

is a total black box, right? Like the US, at least they kind of know, because there is like friendly diplomatic relations. So they have to like kind of be upfront about what they're doing, even if you don't like what they're doing. And they're probably still obviously getting a lot of it. But still, yeah, it's a very different story of the China where you're like,

 

Natasha Lomas  13:47  

I've been definitely, you know, I suppose. Yeah. Right. Yeah. So that investigation of TikTok's data transfers, I don't think we're gonna get that for a long while. Yeah. So mate. Well, I mean, maybe maybe, I mean, next year, presumably. But again, who knows the timelines, and these things really can defy, you know, rational, logical predictions. So yeah, maybe next year, if we're lucky.

 

Darrell Etherington  14:10  

So I think question with all of this is like, it just feels like tech companies are effectively happy to do this plate spinning basically, which is just like keep it up in the air. And then like, hey, lawyers go keep this all up in the air for as long as possible. And we'll just keep doing our thing. As long as they keep jumping from proposed data sharing agreement or whatever, or tentatively accepted data sharing agreements, tentatively accepted data sharing agreement, which it seems like they might be able to do forever, then it's fine, right? Like they can continue to operate with the appeals and status processes and everything like that, like today. So the question is, like, why not? I think Max mentioned this or talked about it, like they may have to move to federation, like, why not just do that sooner where you're like handling and deriving insights from the data in country and then the other would be why not just do the derived insights part, right? Why not say, like, or like doing those things in concert. So you're like, Oh, well, we collect the data here in Europe, we store it in Europe. And then we derive insights from it. And that's not customer data, because Facebook's great about doing this, right? Like they're always like, we don't sell your data. And it's like asterisk, asterisk, we sell all the insights derived from your data, which could easily be like reverse engineered to be your data effectively. But, I mean, why don't they just do that stuff? Is it simpler to pursue this kind of like, totally Byzantine, legal, whatever?

 

Natasha Lomas  15:28  

I mean, maybe? Maybe, although, I mean, yeah, the other complication they have on that kind of side in Europe is that the GDPR takes a very broad definition of personal data is not California, for example, is much more narrow, and what it considers to be personal data, that's not at all the case with GDPR. It's actually very, very broad. So these inferred insights are personal data still. So there's no, I mean, Meta might argue they're not, but they would probably end up coming up a cropper on that again, legally. So it's quite tricky for them to sort of wiggle out of that. And their business model is ultimately based on people mining, isn't it and people farming and all that. So how you can kind of claim that's, you know, privacy safe is just sort of it doesn't work, so federating their infrastructure, that's what Schrems suggests. Yeah, I mean, obviously, they don't want to do that, because it's cripplingly expensive, I'm sure. And it probably also would create new problems for them, you know, if you're forced to sort of have local infrastructure, you may then be more prone to be having to kind of cleave to local laws, and that might be a problem, you know, for them in certain, you know, more authoritarian jurisdictions, suddenly, they could be, you know, forced to do things that they might be uncomfortable with. And it philosophically goes against how they operate, which is to be, you know, a massive global platform, and they talk about a global community, and their one rules and so on. So I think it just goes so against what they want to do, they're trying to do everything possible for that not to be the outcome. However, it may, it may end up having to be the outcome. But I think, you know, we've probably got several more cycles of this sort of merry go round of regulatory Whack a Mole. Before, we know, the only other way this could resolve is if there's some reform of US surveillance. I don't know how plausible that prospect is. 
But maybe every time we go round this, you know, doom loop, maybe it gets a little bit more likely because people start to see how annoying this is, for everyone how expensive this is for everyone, how many businesses are disrupted, because it's like 1000s of businesses that are involved in exporting data, you know, this is how a lot of the internet works doesn't just affect Meta. So if we can start to see this cost of you know, what these, you know, warrantless surveillance kind of protocols mean for businesses, US businesses, and they sort of lobby government, maybe we will see some meaningful reform and some proper sort of checks and balances put on their systems, which they should be obviously, yeah, from a human rights point of view. So that's one, one possible. Other outcome, I guess, if all of this, you know, seemingly madly frustrating, endless effort?

 

Darrell Etherington  17:49  

Yes, yeah. And put it, it all comes down to those lobby dollars, right. It's like, where are they directed? And what problems do the companies want to solve with them? And which makes most economic sense, right, because they direct that based upon what is hurting us the most in our pocketbooks. And that's the fix, right? So right now, it's not focused, I don't think on the US privacy laws and like US privacy protections, but it could be Yeah, it could be if the financial incentives move on balance to that if they're like, look, we can't fix it through these papering overs with these, like privacy agreements that don't actually change the substance of the US privacy laws. So that might be your and,

 

Natasha Lomas  18:25  

and like, a 1.2, $1.3 billion fine for Meta is still not a big deal in the grand scheme of its revenue, etc, etc. However, it's big enough that they will, you know, that's something they can't just ignore, plus, especially when you consider that this is just for one thing. So more of these fines could be coming. It's not like with the FTC, when they got the big privacy settlement of 5 billion that was a sort of indemnity kind of situation where they were kind of buying themselves out of any other problems to do with what they've been doing. There isn't such a sort of pact here. So there's all sorts of aspects of their business that remain under, you know, regulatory investigation, so they could be seeing, and they have seen several last year, there was another big fine, not as big, but to do sort of children's data processing on Instagram. So there's all sorts of these, it comes with this sought to be a pipeline of fines that, uh, you know, several billion, or at least a billion or something, or several millions, hundreds of millions. That's something that the C suite usually can't just, you know, flick away, unless your CEO is Elon Musk. And even he might have trouble with dealing with so many large fines, you know, so I think it's something they will have to start to sort of consider and weigh up and then whether the equation then tips, and they start to think actually, we do have to, you know, reconfigure routes around the damage by changing the infrastructure. But so far, they've resisted that. So it's a really interesting question of whether this will finally kind of force potentially a business model change on them, which would be a very interesting

 

Darrell Etherington  19:48  

yeah, for sure. All right. Well, thanks very much, Natasha. And I'm sure you'll keep watching this and keep reporting as it winds its way through European

 

Natasha Lomas  19:57  

nightmare cycle. I will do my best to stay to stay awake.

 

Darrell Etherington  20:03  

All right. And yes, please do go read those stories. We only touched the surface of it here, but you get to follow all the twists and turns. Natasha has laid it out very clearly. And it's a quite thrilling read actually. So

 

Natasha Lomas  20:16  

It sounds like, yeah, thriller. Data protection thriller.

 

Darrell Etherington  20:21  

Here are the stories everyone's talking about this week. Twitter Spaces played host to the official announcement by Ron DeSantis of his run for the 2024 presidential race earlier this week. Elon Musk was clearly thrilled by the prospect of Twitter acting as the pulpit for this moment. But his full glory was flooded by technical issues as the live stream cut out just after launching. A second space finally got going around 30 minutes later, but to a much reduced audience. You can check out more on that from Taylor Hatmaker on TechCrunch. Social media is getting the cigarette treatment in that it's now subject to a public health warning from the US Surgeon General. The warning admits that while social media participation could have benefits for kids, it also seems highly likely that it can cause a ton of harm. Basically it hedges a lot based on the current relatively early state of research on the subject, but says people should watch out regarding their kids' social media usage. Check out more from Taylor Hatmaker on TC. Virgin Orbit continues its slow-motion collapse this week with a sale of different aspects of its business to different companies. Three bids acquire three different bits of Richard Branson's former small satellite launching business. Rocket Lab picks up its Long Beach-based manufacturing facility, Launcher picks up its Mojave facilities and its launcher aircraft go to Stratolaunch. All told, the bids totaled $36 million, a far cry from Virgin Orbit's former sky-high valuation of $3.7 billion. More on TC from Aria Alamalhodaei. OpenAI has officially launched an iOS app for ChatGPT. At the very least this should clear up a lot of confusion and eliminate potential exposure to scam apps, as a ton of third party software claiming to be some form of mobile ChatGPT have emerged. It's a free app but limited to US users only. Also if you want to use GPT-4 instead of the older GPT-3.5, you need to be a ChatGPT Plus subscriber. 
The company says an Android version will follow soon. More on this from Sarah Perez on TechCrunch. That's it for this episode. Thanks for joining us, you can read all of our stories at techcrunch.com and if you like what you hear give us a five star rating and review. Join us at Disrupt 2023 in San Francisco this September. Save up to $600 when you buy your pass now through August 11 and save 15% more on top of that with promo code crunch. Visit techcrunch.com/disrupt to learn more. As always, don't miss the other TC podcasts; we have Found, Equity and Chain Reaction. See you next week. The TechCrunch Podcast is hosted by myself, Managing Editor Darrell Etherington. We're produced by Maggie Stamets with editing by Cal. Bryce Durbin is our illustrator, Alyssa Stringer leads audience development and Henry Pickavet manages TechCrunch's audio products. Thanks for listening. We'll be back next week.

 

Transcribed by https://otter.ai