Q&A: Is Meta data-transfer fine enough to allay privacy concerns?
Facebook’s parent company, Meta, has been fined a record $1.3 billion for violating European Union data protection laws.
Regulators determined on Monday that the technology giant had unlawfully sent the personal data of European users to the United States.
They gave it five months to stop sending European user data to the US and six months to bring its data activities into compliance “by ceasing the unlawful processing, including storage, in the US” of its personal data. European users who violate the 27 member block privacy rules.
Meta said it had been singled out and announced plans to appeal what it called a “flawed” and “unjustified” sentence by the Republic of Ireland’s data protection commissioner.
The fine comes after a decade-long battle by privacy activists that began when US whistleblower Edward Snowden revealed that tech giants were knowingly handing over data to surveillance agencies.
In previous rulings, EU courts ruled that the privacy of European citizens was not adequately protected by US law.
EU and US leaders are working on a new agreement on data flows that they say will enable essential data transfers while safeguarding civil liberties.
But the European Parliament and regulators have expressed concern. Campaigners fear US law enforcement still have access to EU citizens’ data and say people in the bloc should be given the same legal protections from surveillance as US citizens.
Al Jazeera spoke to Estelle Masse, senior policy analyst at Access Now, a global digital rights group, about the fine imposed on Meta. A slightly edited version of the interview follows.
Al Jazeera: This is a huge fine even for one of the largest companies in the world. Is it justified?
Estelle Mass: It’s a record fine under EU privacy law, so in that sense the number might seem like good news from a privacy perspective. But we are still disappointed with the decision that underpinned it.
The crux of the issue is whether Meta and Facebook can keep our information and move it to the United States. Time and time again, we have found that the United States did not have the necessary protections to ensure that our information would be protected once it moved there and also that it would not be accessed unlawfully by other authorities.
Meta was in the middle of this situation, but took no steps to adequately protect Europeans’ information.
We are therefore grateful that this fine finally comes after 10 years of legal battle. But we expected the decision to order Meta to be removed immediately [of data by] Meta and not to give it a six month deadline.
Al Jazeera: Can you explain how user data transfer works? A user goes on Facebook, Meta collects their data and then sends it to the US where it is used for ad targeting. But as part of that process, the EU says data is vulnerable to being scrapped by US surveillance programs. Is this accurate?
mass: That’s a great summary of it. And the US has no federal data protection or privacy law that protects non-Americans as it protects Americans.
What’s been particularly problematic for years is that… tech giants monetize personal data of millions of us around the world, when there’s no federal level of protection for commercial sector information, and then the scope of the surveillance law in the US so wide.
And that is why it is very important to see European regulators step in and impose a very large fine on a company that does not take the necessary steps to protect our information.
But by asking for the core of the decision to be complied with within six months, we actually think Facebook might not have to do anything, because a new agreement between the EU and the US will probably be in place in six months to allow the transfer of information and Facebook will be able to retain all data.
Al Jazeera: What are your specific concerns about this potential new deal?
Masse: Our concern with the new deal – even though it’s an improvement on the previous two that were rejected by our highest court – is that the US has not fundamentally changed its approach to surveillance.
It does what we call “bulk surveillance”, meaning it collects a disproportionate amount of information to find later what is or isn’t relevant. This means that information about anyone can be accessed, stored or kept in the US in case they need it later – and this creates a wide range of privacy risks.
Now the United States is taking steps in this new agreement to say that it would only be allowed access to this information under specific circumstances and with specific assessments.
But the level of corrective action and the level of oversight we as Europeans would get would not match what US citizens necessarily have, or even the level of oversight and oversight we have over the surveillance regime in Europe.
So this discrepancy about how much the state has access to your data and how much companies should be able to keep about you in the first place is still not fully addressed in this new agreement.
Even if it’s a step forward, we’re not there yet and we would have asked the two sides to continue negotiating to improve that deal. But in practice, today’s decision creates a sort of six-month deadline for the two sides to finalize the deal. Otherwise, Facebook would be in a very complicated legal and political situation and might have to delete tons of information it needs to function.