On May 22, the Irish Data Protection Commission (DPC) issued a final decision on Meta’s violations of Europe’s General Data Protection Regulation (GDPR). The result was far harsher than the Irish DPC had intended, as their final decision was co-opted by the European Data Protection Board (EDPB) when the DPC failed to reach a consensus on punishment. This incident is not the first time a regulatory body has gone overboard with its penalties. Meta has a history of being singled out for “violations” that are not unique to them and then branded with excised corrections.
Earlier in May, the Federal Trade Commission (FTC) released a proposal to prohibit Facebook and other Meta services from being able to monetize the data of users under 18 years old. This proposal follows up on a 2019 fine and legal settlement Facebook received for violating a 2012 privacy order. The fine resulted in the company paying a then-record $5 billion and the 2012 privacy order being updated to include the settlement in 2020. What is unique about all these cases is how Meta was singled out and then issued fines that are disproportional to the offense in question.
The Irish DPC said other U.S. companies could face similar actions in its statement announcing the decision to fine Ireland Meta (a foreign subsidiary of Meta) and issue a deadline for remedy. Their issue mostly pertained to moving European citizen data to American cloud servers, which under U.S. law, could be searched without a warrant. According to EU law, the Irish DPC had to open the issue of Meta’s violation to the Concerned Supervisory Authorities (CSA) following their original complaint. The CSA reached a near-unanimous decision that Meta had broken the law and must rectify the problem for all future user data. Only four of the 47 CSA members dissented, as outlined in the final decision.
The crux of the dissent was that Facebook should receive additional penalties, including a record-breaking fine and a mandate to retroactively move user data they had already transferred. Because the vast majority of the CSA members believed this measure went beyond what could be considered a “reasonable” punishment, an impasse occurred. With no consensus, the EDPB took over and made the final decision, siding with the CSA minority opinion that Facebook must be fined and forced to retroactively move the data.
Yet, as Nick Clegg, Meta’s President for Global Affairs, and Jennifer Newstead, Meta’s Chief Legal Officer, correctly pointed out, the issue at stake here was not something Facebook alone was at fault for, as there is an unavoidable conflict between U.S. and EU law. Under current laws, the U.S. and EU have irreconcilable positions that make cross-Atlantic data transfers fraught with liability, damaging the lucrative cloud computing industry. Cloud computing services often cross international boundaries, as economies of scale are one of their great benefits. However, only Facebook received a penalty and a large one at that.
Similar to the FTC’s recent proposal, only Facebook and other Meta services are prohibited from monetizing data from users under 18. For consumers who don’t know, user data allows companies to create tailored ads and provide free services to consumers. Without this source of revenue, Meta will need to make up for the losses in other ways, possibly resulting in higher fees or more exclusive paid features.
As Facebook points out in its statement on these events, they are not the only violators of the FTC’s 2012 privacy order. Despite breaking privacy laws on using minor users’ data, TikTok has not received fines and other penalties to the amounts that Meta has. Furthermore, these discrepancies cannot simply be explained by company size, as TikTok has a total market capitalization of $66 billion and a total user base of 1.6 billion people.
If governments want to create a free and fair business environment where the best company wins, singling out firms with over-the-top fines must stop. Regulators in both the EU and the U.S. have shown themselves willing to use consumer protection as a bludgeon against companies they don’t like, which ultimately hurts the consumer. If Meta violates the law, then it must receive an equivalent penalty, equal to that which any other violator would face and proportional to the scale of the violation.
Isaac Schick is a policy analyst at the American Consumer Institute, a nonprofit education and research organization. For more information about the Institute, visit www.TheAmericanConsumer.Org or follow us on Twitter @ConsumerPal.