The landmark data collection ruling shows that the US is the primary cyber security threat to the world
Meta, the parent company of Facebook, was fined a record-shattering €1.2 billion ($1.3 billion) on Monday by Ireland's Data Protection Commission and subsequently ordered to stop transferring data collected from Facebook users in Europe to the United States in breach of European data protection laws.
According to the body's decision, the company failed to adhere to a 2020 decision by the European Union's highest court that Facebook data sent to the US from the EU, as the New York Times (NYT) reports, "was not sufficiently protected from American spy agencies." Meta is now set to begin a lengthy appeal process.
It should be noted that this EU decision is on top of an ongoing $725 million class-action lawsuit impacting hundreds of millions of users who were active in the United States from May 2007 to December 2022. Facebook stands accused of making users' data available to third parties without their permission.
Austrian privacy activist Max Schrems, whose investigations launched previous cases against Meta, was reported by the NYT as saying that "Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems." According to Schrems, the solution will likely be a "federated social network" where most user data would stay in the EU except for "necessary" transfers, for example, when someone in the EU messages someone in the US.
For its part, however, Meta said that it was being singled out unfairly. Sir Nicholas Clegg, Meta's president of global affairs and former UK deputy prime minister, and Jennifer G. Newstead, the company's chief legal officer, said in a statement that "the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on" if such decisions are put into force.
However, the question on most people's minds is, are these data transfers a genuine security risk? The answer is a resounding yes. That's because in the US, the fourth amendment to the Constitution which should prevent unlawful searches and seizures by the government has effectively been suspended.
In the landmark Carpenter v. United States case, the US Supreme Court held that the state needs to issue a search warrant to compel companies to hand over sensitive data, in this case, location data. But, this does not apply if the companies provide such data voluntarily - for example, by selling it through data brokers for a hefty fee. This means that government agencies can essentially write a massive check and purchase data on the free market, whether relevant to an ongoing case or not.
For its part, SCOTUS has not heard another case that alters this interpretation of Carpenter, and since legislation from Congress is so extraordinarily antiquated and far behind other blocs or countries, such as the EU or China, there are no laws on the books to keep the government from purchasing this data. This leads to a serious legal and ethical dilemma.
For one, the state does have a legitimate interest in collecting new data points for ongoing cases. Consider the latest data that indicates about half of US murder cases go unsolved. It is foreseeable that data from Big Tech companies could help crack these cases - and, indeed, I know this to be true because my own uncle was charged in a string of rapes in Kentucky and Ohio spanning back thirty years after DNA provided from a private ancestry firm used by my grandfather was picked up by law enforcement.
In this case, justice clearly prevailed. Without this evidence, which was obtained through a voluntary exchange between the state and a private firm, this monster would still be out menacing the community and destroying lives. This instance of data collection helped a just cause, and I am actually quite thankful.
But, at the same time, it is clear that this could lead to nefarious activity by the state down the road. And, given that the people who commit such wanton crimes in the US are not people living abroad, it makes no sense for the US government to use this argument in collecting global data. Even though the state might have some interest in some data, and certainly there needs to be new laws on the books governing this, the status quo clearly has no legitimate purpose.
Given the ten years since the Edward Snowden leaks, we already know that US intelligence collects all sorts of bulk data about people all around the world. We know, according to The Guardian's reporting, that the US has programs like PRISM, which allows for the direct monitoring of Americans' Google and Yahoo accounts, or XKeyscore, which is an analytical tool that collects "almost anything done on the internet." And the US is able to do this - maintain its global information hegemony - because companies are compelled to provide data via search warrants, and there are lucrative financial incentives to voluntarily turn over data to the state.
Perhaps this landmark case against Meta will be a sort of newsflash for folks about US tech, which is to say that it's extremely dangerous and not to be trusted. Many countries around the world, especially those in Europe, are taking cues from US intelligence to ban Chinese or Russian technology while completely ignoring the elephant in the room: the US government and its partners in the private sector are the chief threats to global cyber security.