Four Unanswered Questions Since the Last Data Protection Day

1. What Will Happen to Meta?

Meta has taken a beating since the last Data Protection Day. The Irish Data Protection Commission (DPC) has sanctioned the company three times. The regulator also—somewhat reluctantly—issued Meta with nearly a billion euros in fines.

But a billion is pocket change for a company as big as Meta—even if TikTok is eating continues to eat the social media giant’s lunch. The real impact of GDPR enforcement is on Meta’s business model.

The latest Meta decision, issued earlier this month regarding Facebook and Instagram, could be catastrophic for the company.

After much cajoling from its fellow regulators, the DPC ordered Meta to stop forcing ad-targeting on its users via its platforms’ terms of service agreements.

Meta’s next move is unclear (besides appealing). 

The only clear legal option appears to be asking its European users to consent to targeted ads. But with the refusal rate likely to be high, it’s hard to see how the company’s EU operations could survive such a change.

And that’s not to mention Meta’s ongoing “Schrems II” issues. Which brings us to our next unanswered question…

2. Can We Ever Relax On Data Transfers?

International data transfers remain one of data protection’s biggest challenges. But since 26 January 2022, there’s been considerable progress in this area.

In October, the Biden administration issued Executive Order 14086, paving the way for a new adequacy decision from the EU. And two months later, the European Commission adopted a draft adequacy decision to approve the EU-US Data Privacy Framework (EU-US DPF).

But there’s a long way to go before you can tear up those questionable standard contractual clauses (SCCs) with your US-based processors.

Before the adequacy decision even becomes law, the European Data Protection Board (EDPB) will provide its (non-binding) opinion. A committee of member state representatives will also get a say on whether the deal goes through.

And that’s the easy part.

Max Schrems and his colleagues at noyb are already gearing up for “round three” at the Court of Justice once the decision is approved. The campaigners take issue with many aspects of the proposal, including whether the “Data Protection Review Court” is really a “court” by EU standards.

EU-US DPF defenders argue that the framework offers substantial improvements over its predecessors. But given Schrems’ track record in court, you might not want to rely on the new adequacy decision in the long run.

3. Does the GDPR Really Have Extraterritorial Effect?

There have been four enforcement decisions against New York-based surveillance firm Clearview AI in the past 12 months, with fines totalling nearly €70 million issued by France, Greece, Italy and the UK.

All four regulators are adamant that this plucky facial-image-scraping data harvester falls within the GDPR’s extraterritorial scope. But Clearview vehemently disagrees.

Sometime before the next Data Protection Day, UK privacy watchers should be treated to the outcome of an appeal against the Information Commissioner’s Office (ICO)’s £7.5 million Clearview sanction.

This case will consider whether the company is “monitoring” UK data subjects for the purposes of Art 3(2)(b) GDPR. 

If Clearview wins, this will demonstrate that the UK GDPR is unable to protect people from a company that monetises the creation and sharing of their biometric data.

But even if Clearview loses—will it actually pay the fine? And, more importantly, will the company stop processing UK data subjects’ personal data?

This year, GDPR fans may have to grapple with the important question of whether the law’s extraterritorial scope exists only on paper.

4. Does Cross-Border Enforcement Actually Work?

The year began on a dramatic note with the publication of the “binding decision” on Ireland’s Meta penalty, which confirmed the extent of the division between the DPC and the rest of the European Data Protection Board (EDPB).

The Irish Commissioner and her colleagues not only disagree over the meaning of the law—they also disagree on how the EDPB should actually operate.

In a strongly-worded paragraph at the bottom of a press release, the DPC said it had been directed by the EDPB to conduct an “open-ended and speculative” investigation into how Meta processes special category data.

The DPC claimed that the EDPB’s direction was “problematic in jurisdictional terms” and that it would be taking its fellow regulators to the Court of Justice.

So what about the “cooperation and consistency” promised by the GDPR?

In the GDPR’s earlier years, many observers reasonably viewed the DPC’s inaction against “big tech” as evidence that cross-border enforcement did not work.

Now the DPC has a handful of multi-million euro fines against US tech firms under its belt.

But tensions between the Irish regulator and its peers have never been clearer—making criticisms of the “one-stop-shop” process seem even more justified.