Thread
The largest data protection fine in EU history stems from the transfer of data across borders--to the US--with no showing of any ongoing access by impermissible third parties (such as the NSA) beyond that in Snowden disclosures or any deceptive use of information by Meta. 1/
This situation is why @paulmschwartz and I wrote Privacy and/or Trade, just published in the @UChiLRev. lawreview.uchicago.edu/print-archive/privacy-andor-trade Privacy law, as it is currently constructed, can make trade nearly impossible. 2/
The U.S. has been seeking to revive a EU adequacy ruling following the CJEU's decision in Schrems II, and it seems that this seems likely sometime reasonably soon (but not soon enough for Facebook, clearly). 3/
But almost all of the Global South has been unable to obtain an adequacy ruling. Only Argentina (an upper middle-income country), and Uruguay (an upper income country), as well as recently Japan and South Korea, have been recognized as adequate. 4/
Reporters should understand that the billion dollar fine against Facebook results from the fact that it has to run a global software company, and it is very difficult to do so without transferring personal data. (Witness the pains that TikTok is going through.) 5/
After Schrems II, I wrote a paper for @JIEL_OUP, asking, "Is Data Localization a Solution for Schrems II?" 6/ academic.oup.com/jiel/article-abstract/23/3/771/5909035?redirectedFrom=fulltext
I suggested that the CJEU's approach was creating a kind of soft data localization mandate--making it so risky to transfer data abroad that most would desist, when practicable. 7/
This decision is about the NSA and U.S. law, not about Facebook's practices. In the decision, Snowden is mentioned 10 times; the NSA, 10 times; PRISM, 32 times; FISA 58 times; 702, 75 times. 8/
There are two main solutions for Meta: end-to-end encryption for all of personal data, or ending personal data transfer to the U.S. 9/
End-to-end encryption for all of FB data carries its own public policy issues--including for Meta's enforcement of its community guidelines and its cooperation with law enforcement. 10/
Ending personal data transfer to the U.S. requires a radical restructuring of its operations--one that cost TikTok billions of dollars to operationalize, and that creates enormous ongoing burdens. 11/
In fact, such data localization practices can in fact undermine cybersecurity--thereby undermining privacy. 12/ scholarlycommons.law.emory.edu/elj/vol64/iss3/2/
In any case, another reminder that we need a better global solution for permitting cross-border data flows, what Japanese Prime Minister Shinzo Abe called "data free flow with trust." 13/
Again, this is not a case about Meta--any organization, large or small, that transfers data outside the EU to almost any country faces the risk that an EU data protection authority will conclude that national security law of that third country is inadequately protective. 13/
This is not just large American companies--but NGOs, academic institutions, researchers, etc. Right now, medical research is being stopped because of these concerns. www.ropesgray.com/en/newsroom/podcasts/2023/january/decoding-digital-health-trans-atlantic-transfers-... 14/
Reminder that the UK was at significant risk of not receiving adequacy after Brexit--not because its surveillance laws had worsened upon departure, but because it would be the first time they were tested by the EU. 15/ iapp.org/news/a/what-does-the-schrems-ii-judgement-mean-for-the-uk-and-eu-uk-data-flows/
Let me make this clear: Every company--every news organization, and every NGO as well-- that operates across borders within Europe and beyond--including European companies that rely on companies outside Europe--are implicated by this decision. 16/
Keep in mind that the Irish Data Protection Commissioner herself did not initially believe that a billion dollar fine should follow from such tricky and unresolved legal questions. 17/

The best explanation of the Meta fine is, unsurprisingly, by IAPP's @cdfen and @JoeGTJones: iapp.org/news/a/ireland-dpcs-data-transfers-decision-pragmatic-punch-or-knockout-blow/
Mentions
See All