Note that there is a process for the regulators from other countries to object to DPC decisions, and this process has been used in the past to increase the fines issued by the DPC to Meta.
Ireland doesn't want to scare away tax revenue from US tech companies, so they strategically under-fund the DPC, effectively making them a bottleneck for GDPR enforcement across the EU as a whole. This has been a point of contention with other regulators.
Ireland's DPC might be taking the hint that it needs to get stricter. The big companies come to Ireland for tax reasons, not for lax enforcement. Enforcement can get a lot stricter without losing them.
They should really tune down the tax breaks too though. They're basically screwing the rest of Europe by allowing these companies to avoid taxes in the whole EU. Just for a few measly jobs (even Apple only has a few thousand employees in return for literally billions of revenue going through the country). https://www.theguardian.com/technology/2020/sep/25/european-...
That money could really have been put to good use in the EU. The EU should present a more united front here IMO instead of allowing companies to cherry pick countries and make them compete against each other for the lowest tax rates.
The juxtaposition of those two ideas is interesting! It raises the spectre of low cost data transfer jurisdictions particularly from policy bloc arrangements. Essentially, what is the lowest cost data egress (defined in $/policy offence) from a given zone!
If you took the top, single fine for one American company (Amazon). It is alone more than the sum of all domestic fines in all EU member states put together.
And yet, many European companies do routinely send data to the US, primarily in the context of using US-based service providers. They pretend that disclosing this transfer to the customer and pointing out that the ECJ has deemed US data protection as unacceptable allows them to do it anyway. In practice this may be true, but that’s only because the theory of what the GDPR requires is so rarely enforced in meaningful ways.
Yeah, especially when in the case of the fine for consent about personal ads, the fine was for violations before the law was in place.
That is an insane precedent. Most legal systems understand that applying laws retroactively is a really big no no, as it can create a massive overreach of power in the future, and also creates a hugely unpredictable present, if any time in the future you can be liable.
The EU's obsession with getting money from US tech companies is leading it down really dangerous paths.
> The EU's obsession with getting money from US tech companies is leading it down really dangerous paths.
Gotta love the menacing language.
If Meta is not happy with the fines they have multiple options:
1) Actually respect regulations. It's not that hard for a company with so many resources.
2) Stop operating in EU
There is no dangerous path for the EU here. The block has the right to define it's regulations, and companies have to comply or be justly punished. That's all there is to it.
>The EU's obsession with getting money from US tech companies is leading it down really dangerous paths.
Yeah shame on EU for issuing fines for the anti-consumer, privacy abusive and illegal practices of the saint ad-ware empires of US big-tech companies. How dare they protect their citizens? Don't they know big-tech should be left unregulated to abuse people so billionaires can become trillionares?
Speaking of double standards it's funny how the US keeps wanting to ban Chinese TikTok for doing the same abusive data collection Meta and Google was doing without issues.
This was teased in Meta's recent quarterly report [1]:
"On April 13, 2023, the European Data Protection Board (EDPB) issued a decision and we expect the IDPC to issue a final decision in this inquiry in May 2023. It is expected that in addition to the transfer suspension order, the IDPC will make an order requiring Meta Platforms Ireland to bring its relevant processing operations into compliance with the GDPR and imposing a fine. We continue to examine the decision and its potential impact on our operations. We expect that the deadlines to comply with the IDPC decision will be no earlier than the fourth quarter of 2023."
When Europeans communicate with Americans as expected on a social network, where does the data live?
Keeping the data solely in Europe only seems relevant for people who have no American friends who read their posts. As soon as there’s one American in the conversation, or even just someone visiting the US, it’s going to be delivered to the US.
Also consider that posts are often reshared.
To make this effective, it seems like there would need to be region restrictions in the UI? If there were a “Europe only” checkbox, how many would use it?
And Meta is so determined to do this that they're threatening to leave the EU. So again...what exactly is being done with this data that is impossible on EU turf but possible on US turf? I personally can't think of anything Kosher
The NSA / US govt are the ones we should be pissed at here, their data acquisition is what tanked Privacy Shield, that US companies doing business abroad depended on.
The way these systems typically work is that a US company builds its infra in the US, and gets economy of scale from shared infra, especially true for companies that run their own data centers. (Look at the map of Meta DCs).
The alternative is that you need to stand up a full copy of your infra (per what? In the limit, per country?) and that’s substantially more expensive, not to mention technically challenging. So the answer is simply that it was built the easy way, based on the assumption that the Privacy Shield treaty was sound.
Also, what does that even mean for an app like Meta? They are a graph. Where do the edges that span jurisdictions live? If a US user likes an EU user, is the “like” edge stored in the EU? There are reasonable answers to this sort of question, and the reasonable answers may overlap with how the regulators wrote the laws, or they may be mutually inconsistent with how other regulators wrote the laws.
It seems quite likely that the end state is as you describe, but I think around here of all places there should be a deep understanding of how hard it is to split your system like this.
Nothing new, until a proper legal basis is defined for transatlantic data transfer all services with us based company and data centers are in violation of GDPR
GDPR only comes into effect when the data is stored locally right? At my old company we worked on a bunch of private data from American citizens and were always careful to keep it in the cloud, since if we downloaded it onto our local computers we'd have to care about the people's privacy.
Article 3(1) of GDPR
"This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Recital 14 of GDPR
"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."
>GDPR only comes into effect when the data is stored locally right?
It applies to EU citizens globally. If you store data on EU citizens -- you're expected to comply with GDPR. This will be ineffective for small companies in the US or China but nearly all large companies will have a presence in the EU.
Ireland wants to lose money US corps pay them in order to bypass higher EU taxes I guess. I am wondering if they did some game theory scenario about what fine Meta can absorb before it's easier for them to relocate elsewhere with laxer standards that would love some more tax income.
I mean that's precisely how Ireland raised their GDP, they took all US companies and offered them low tax deals, making the rest of EU upset. Now they probably burned through all that money and are trying to outsmart those corps to get more money from them. Tax offices always project the same or higher income for the next year and when they get hit, they need to squeeze it out from somewhere.
The "G" in "GDPR" is the same as the one in "AGI": "General".
As I understand it (not a lawyer), every country in the EU unified their data protection regulations to match it, and the penalties for non-compliance are the same in all cases.
So, even maximal enforcement shouldn't cause any company to relocate. So long as the companies accept this as reality.
Actually, the GDPR only defines a minimal baseline for all the EU countries to meet. And countries didn't need to update their own laws to match it: since it is a Regulation rather than a Directive, the GDPR is enforcable in the entire EU even without a local law supporting it. Countries are still free to enact stricter policies if they want to, but those obviously wouldn't apply outside their own national borders.
That's in theory; in practice countries often look the other way or delay actions when they see fit. I guess Ireland is running out of money they planned to get and are now trigger happy on Meta.
Readit News
> The DPC, which oversees the EU operations of most Silicon Valley firms...
Ireland has found itself the de facto privacy regulator for these companies in the EU...
https://en.wikipedia.org/wiki/Apple%27s_EU_tax_dispute
Ireland doesn't want to scare away tax revenue from US tech companies, so they strategically under-fund the DPC, effectively making them a bottleneck for GDPR enforcement across the EU as a whole. This has been a point of contention with other regulators.
I'm not quite sure what conclusions to draw.
That money could really have been put to good use in the EU. The EU should present a more united front here IMO instead of allowing companies to cherry pick countries and make them compete against each other for the lowest tax rates.
Cory Doctorow had a good article about it a few days ago: https://pluralistic.net/2023/05/15/finnegans-snooze/#dirty-o...
Deleted Comment
If you took the top, single fine for one American company (Amazon). It is alone more than the sum of all domestic fines in all EU member states put together.
A bit rich.
That is an insane precedent. Most legal systems understand that applying laws retroactively is a really big no no, as it can create a massive overreach of power in the future, and also creates a hugely unpredictable present, if any time in the future you can be liable.
The EU's obsession with getting money from US tech companies is leading it down really dangerous paths.
Gotta love the menacing language.
If Meta is not happy with the fines they have multiple options:
1) Actually respect regulations. It's not that hard for a company with so many resources.
2) Stop operating in EU
There is no dangerous path for the EU here. The block has the right to define it's regulations, and companies have to comply or be justly punished. That's all there is to it.
Do you have any source for that, or are you just making up things on the spot here? (I can help you, it's the latter)
Yeah shame on EU for issuing fines for the anti-consumer, privacy abusive and illegal practices of the saint ad-ware empires of US big-tech companies. How dare they protect their citizens? Don't they know big-tech should be left unregulated to abuse people so billionaires can become trillionares?
Speaking of double standards it's funny how the US keeps wanting to ban Chinese TikTok for doing the same abusive data collection Meta and Google was doing without issues.
US shouldn't lecture anyone on tech regulations.
"On April 13, 2023, the European Data Protection Board (EDPB) issued a decision and we expect the IDPC to issue a final decision in this inquiry in May 2023. It is expected that in addition to the transfer suspension order, the IDPC will make an order requiring Meta Platforms Ireland to bring its relevant processing operations into compliance with the GDPR and imposing a fine. We continue to examine the decision and its potential impact on our operations. We expect that the deadlines to comply with the IDPC decision will be no earlier than the fourth quarter of 2023."
[1] https://www.sec.gov/ix?doc=/Archives/edgar/data/1326801/0001...
Keep US data of US citizen on US servers, and same for EU side. It's not like Meta can't afford servers on both sides of the ocean.
Keeping the data solely in Europe only seems relevant for people who have no American friends who read their posts. As soon as there’s one American in the conversation, or even just someone visiting the US, it’s going to be delivered to the US.
Also consider that posts are often reshared.
To make this effective, it seems like there would need to be region restrictions in the UI? If there were a “Europe only” checkbox, how many would use it?
It's wholesale bulk transfers.
>fears citizens’ data wasn’t safe once shipped to the US
Bit like all the UK user data getting shipped over to the US previously:
https://www.freevacy.com/news/independent/meta-to-relocate-u...
And Meta is so determined to do this that they're threatening to leave the EU. So again...what exactly is being done with this data that is impossible on EU turf but possible on US turf? I personally can't think of anything Kosher
The way these systems typically work is that a US company builds its infra in the US, and gets economy of scale from shared infra, especially true for companies that run their own data centers. (Look at the map of Meta DCs).
The alternative is that you need to stand up a full copy of your infra (per what? In the limit, per country?) and that’s substantially more expensive, not to mention technically challenging. So the answer is simply that it was built the easy way, based on the assumption that the Privacy Shield treaty was sound.
Also, what does that even mean for an app like Meta? They are a graph. Where do the edges that span jurisdictions live? If a US user likes an EU user, is the “like” edge stored in the EU? There are reasonable answers to this sort of question, and the reasonable answers may overlap with how the regulators wrote the laws, or they may be mutually inconsistent with how other regulators wrote the laws.
It seems quite likely that the end state is as you describe, but I think around here of all places there should be a deep understanding of how hard it is to split your system like this.
Maybe it was just for show.
GDPR comes into effect if you are dealing with personal information of EU residents, and you have legal exposure to the EU. (Not a lawyer)
Article 3(1) of GDPR "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Recital 14 of GDPR "The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."
It applies to EU citizens globally. If you store data on EU citizens -- you're expected to comply with GDPR. This will be ineffective for small companies in the US or China but nearly all large companies will have a presence in the EU.
Dead Comment
As I understand it (not a lawyer), every country in the EU unified their data protection regulations to match it, and the penalties for non-compliance are the same in all cases.
So, even maximal enforcement shouldn't cause any company to relocate. So long as the companies accept this as reality.