Europe has delivered a definitive rebuke of U.S. surveillance powers. Now comes the hard part: deciding how far the bloc will go to protect Europeans’ data:
Breaking: In decisions just out, Meta is not only on the hook for privacy fines totaling nearly €400 million, but it must also — quickly — find a new legal basis for its sprawling targeted advertising empire. 🧵
The decisions rebuke Meta’s claim that it could hoover up users’ data as part of a contract to provide them with personalized adverts, and leave the tech giant scratching around for another legal route to target people with advertising.
As well as potentially putting a bomb under the internet giant's business model, the cases revealed deep fissures between Europe’s data protection authorities, with the Irish initially endorsing Meta's argument before being overruled by the EU data protection body the EDPB.
Docs unearthed by @NOYBeu show that the Irish data regulator lobbied to get EU guidelines to allow social networks to bypass GDPR consent requirements to use people's data to target advertising.🧵
The documents show that the Irish regulator argued that companies could use data to fulfil a contract with users to provide a personalized ad-funded platform, rather than relying on consent.
The Irish view was roundly rejected by other EU data protection regulators, with one saying that it "undermines the system and spirit of the GDPR," according to the documents.
I'm at @EUCourtPress following Facebook v Belgian DPA. At stake: the scope of the one-stop-shop (GDPR mechanism by which regulator where company has EU's base takes the lead on investigation). Stay tuned.
First up, Facebook. It argues that single point of contact is a "vital aspect" of the regulation, and that in GDPR do not apply. "The distinction that the Belgian DPA makes between administrative and legal proceeding is artificial."
Facebook counsel says any legal action brought by the regulator would have to be preceded by administrative proceedings. Says Belgian DPA's argument risks causing a "huge rise" in number of court proceedings and a "judicial fragmentation" — which GDPR was supposed to end
Jim Sullivan from US dep. of commerce: "In months since [Schrems II] decision, a lack of clear guidance from EDPB, inconsistent approaches of data protection authorities, and calls for data localisation and sovereignty from within Commission have added to the uncertainty." Ouch.
Says "premature" to give timeline for new Privacy Shield, but much more limited set of issues (gov. surveillance, not commercial aspects) to negotiate than when Safe Harbor struck down
EDPB chair Andrea Jelinek hopes that extra guidance on Schrems II ready within 2 months.
.@VeraJourova invokes threat of Russia and 5G disinformation, calls for "likeminded" partners to work together and underlines importance of the transatlantic relationship
.@mikepompeo instead focuses more on threat of China, and importance of keeping sensitive data safe. Warns against "untrusted vendors and the authoritarian governments behind them." Praises EU 5G toolbox.