The European Union is divided over how to enforce its infamous privacy rulebook, the General Data Protection Regulation (GDPR).

Social media giant Meta was the latest to face a big penalty Monday when Ireland's privacy watchdog fined it a record €1.2 billion euros for privacy violations under the European Union’s General Data Protection Regulation (GDPR).

The blockbuster levy hits at the heart of the technology sector's ability to transfer data across the Atlantic and orders the company to stop moving Europeans' data to the United States until Washington provides sufficient checks to keep such personal information safe.

For GDPR's supporters, the fine from Ireland's Data Protection Commission (DPC) serves as a vindication that the EU's most feared tech law has bite, not just bark. 

The law, which came into force on May 25, 2018, has prompted businesses — from Big Tech giants to hotel chains, cellphone companies and mom-and-pop businesses — to tighten privacy policies.

Many have cleaned house on how they handled people's personal data, aided by the prospect of being fined up to 4 percent of annual turnover.

"I think the DPC really has hit its stride now," said Helen Dixon, the Irish Data Protection Commissioner, whose agency oversees many of Silicon Valley's biggest names because these firms are headquartered in Ireland.

Yet the decision also lays bare what almost everyone now admits: Europe's efforts to set the West's de facto privacy standard have major shortcomings, with watchdogs continuously fighting over who has the final say over how Meta, Google, TikTok and other tech firms access Europeans' data.

In a statement following the decision, the Irish regulator said it disagreed with the fine and measure but it had been forced by its European peers to impose them after Dublin's initial decision was challenged by four other privacy regulators.

Enforcement hinges on regulators' ability to impose such fines & that's where the privacy regime has sputtered.

Under Europe's privacy regime, companies are supervised by national regulators where they have their EU legal headquarters.

That means Ireland and Luxembourg — whose low tax rates have attracted many Big Tech firms' European headquarters — hold the lion’s share of enforcement powers.

Ireland, in particular, relies heavily on corporate tax revenue from a small number of tech giants.

“The GDPR gave the authorities these vast powers for very serious enforcement but then in practice, we do not see that the powers are actually used by the authorities,” said Max Schrems, the Austrian privacy activist whose decade-old case against Facebook led to Monday's record privacy fine. 

If other European privacy watchdogs disagree with how these agencies enforce GDPR, there is a complex and opaque mechanism to reach a European consensus.

After five years of infighting, some of the EU's privacy authorities are now at open war with each other.

In internal discussions published Monday, other European enforcers rebuked Dublin for failing to go hard enough against Meta’s privacy violations, forcing Ireland to impose a fine.

French, German, Spanish and Austrian agencies also called out their Irish counterparts for not demanding that the social networking giant delete all Europeans’ data shipped to the U.S. via so-called standard contractual clauses. 

Ireland, Big Tech island:

The Irish decision relates to 2013 revelations from Edward Snowden, the U.S. National Security Agency contractor, that American spooks were unlawfully accessing people’s personal information via the country’s tech giants.

Schrems filed claims against Facebook for infringing his privacy rights, setting off a decade-long legal challenge.

On Monday, Dublin officially ruled that Meta could no longer use so-called standard contractual clauses, or complex legal instruments that allow companies to move EU data to the U.S. until Washington improves legal checks to protect Europeans' data.

The social media giant is appealing that ruling and has until October to comply with the order.

Brussels and Washington are in final negotiations over a new, separate transatlantic data pact that will provide an alternative legal structure for such EU-U.S. transfers to continue.

Dublin’s hefty fines against the tech giant only came after other EU regulators forced the Irish to impose a massive levy because these agencies believed the Irish had not gone far enough to hold Meta to account.

Ireland believed its proposed remedies — stopping Meta from using standard contractual clauses to ship EU data to the U.S. — was sufficient.

Rewriting the rules:

Faced with mounting frustration that the GDPR has failed to rein in the worst data protection abuses from Big Tech companies, the European Commission is preparing a new law for this summer to improve cooperation in cross-border rows over enforcement.

Privacy campaigners hope the reforms could strengthen the GDPR and reduce years of waiting for action on complaints.

Yet the most ardent critics say it still won’t change a model in which some countries like Ireland and, to a lesser extent, Luxembourg, oversee the bulk of Big Tech companies.

Industry watchers also argue that Europe’s privacy regime has become a mere tick-in-the-box exercise that has not boosted privacy protection as a focus on arcane legal procedure took over.

Source | Politico