After five years of the E.U.’s massive data privacy law in effect, few are happy with the results.
The E.U.’s General Data Protection Regulation (GDPR) touts itself as the toughest data privacy regulation in the world. It governs how internet companies can use data from E.U. citizens and is purposefully vague so it can be applied broadly. But many point to enforcement failures that penalize some industries over others and leave companies in the dark about how to follow its rules.
Meta (META)—the Facebook (META), Instagram and WhatsApp parent run by Mark Zuckerberg—has been one of the biggest recipients of GDPR-related fines. It owes 1.37 billion euros ($1.5 billion) from nine cases, or half of the total value of penalties given by all 27 E.U. countries combined.
“I don’t think Meta has behaved as well as it could have,” Ray Friel, law professor at the University of Limerick in Ireland, told Observer. “Leaving that aside, I think it is the case that the Europeans have singled out American tech companies, and Meta is one of the more egregious examples.”
Because Meta’s European headquarters is located in Ireland, the Irish regulator takes the primary responsibility of fining the social media company on behalf of all countries in the E.U., as laid out by the GDPR. While only seven of 24 of the Irish regulator’s fines are against Meta, the charges against Zuckerberg’s company amount to 99.8 percent of the monetary value Ireland has fined. France’s and Germany’s regulators have also issued penalties against the company.
Ireland’s regulator, the Data Protection Commission (DPC), has no intention of slowing down, with 12 more open investigations against the social media giant, according to Cian O’Brien, deputy commissioner of the DPC who oversees large-scale investigations.
The company has been charged for its data collection practices, for mishandling children’s data and for a series of leaks, among other issues. For most of these claims, Meta has brought the issues to court and defended its practices. None of the court cases have concluded. While the company has a history of privacy issues, the frequency and value of the fines against Meta—when compared to the claims against similar companies—does raise questions about how enforcement agencies are assigning penalties.
TikTok, by comparison, has been charged 15.3 million euros ($16.7 million), or 1 percent of Meta’s total, though two large-scale investigations by the DPC are near completion. Amazon and Google have received fines of 748 million euros and 216 million euros respectively, but the combined sum still doesn’t reach Meta’s total. Other Big Tech companies like Microsoft and Apple, as well as social media companies like Snap, Pinterest and LinkedIn, have never been fined under the GDPR.
The DPC’s cases against Meta illustrate a larger data privacy crackdown happening in Europe and the U.S. The GDPR carries fines at heights that haven’t previously been reached in the E.U., and despite its criticisms, many still consider it the most comprehensive and progressive data protection law globally. In the U.S., legislators have pushed for regulation or a ban on TikTok, fearing the company is sharing user data with the Chinese government. The threat of fines and regulation makes it increasingly difficult for Big Tech companies to operate in some of the most lucrative markets.
Enforcing the GDPR is an uphill battle
While the Irish DPC submits the official decisions against Meta, drafts are circulated among all data protection authorities in the E.U. for approval. The GDPR calls this system a “one-stop-shop,” intending to simplify the process of assigning and appealing penalties. In addition to fines, the DPC mandates the companies make corrections to their practices. When the regulator fined Facebook and Instagram in January for lacking the proper legal grounds to collect and process user data, it also required that the company update its operations to follow the law. A change in Meta’s data-driven advertising model could significantly hurt its revenue. It appealed the decision.
Appeals and challenges are expected, said Graham Doyle, head of corporate affairs at the DPC. But the real change happens for consumers when companies make these corrections, he told Observer.
An ambiguous GDPR is necessary to some extent. The world of tech moves so quickly that if the legislation was too specific, companies would innovate past what the law regulates, said Friel. By staying general, authorities can morph the GDPR’s meaning to apply to new technologies as they develop.
“It’s like driving a car,” he said. “You’re just meant to drive it safely. It doesn’t mean there’s legislation to cover everything.”
But this is also a big weakness of the GDPR, according to Townsend Feehan, the CEO of Interactive Advertising Bureau’s Europe branch, an advertising and digital marketing trade association of which Meta is a member.
Because the GDPR uses subjective terms and doesn’t outline what exactly companies should be doing to comply, “there is an uncomfortable guessing game going on,” she said. While the tech industry successfully lobbied for loose rules rather than outright bans, clear and actionable interpretation of the law is missing, she said.
It is difficult to engage with data protection authorities because they don’t have the resources to fully understand digital advertising technologies, she said. And the one-stop-shop system is failing because the regulators assigned to fine companies don’t necessarily have expertise in that sector, she said. For example, each county’s regulator could focus on a different industry like healthcare, advertising or financial data, rather than regulating companies with different specialties because they have headquarters in certain geographical locations.
“Our industry has been particularly penalized by the failure of the enforcement process,” she said. “Had there been more enforcement across markets, with infringing behavior called out and sanctioned, there would have been much less scope for industry critics to say, ‘the whole barrel is rotten.’”
Members of the Irish regulator disagree with Feehan. The DPC has extensive expertise in both digital advertising and other sectors, said O’Brien.
While the GDPR doesn’t provide a model for how internet companies should comply, the cases brought against businesses offer some precedent, he told Observer. For example, the DPC fined Meta for mishandling children’s data by publicly disclosing their phone numbers and emails when they signed up for business profiles rather than personal ones. While the case itself was specific to the company, it also clearly laid out what is expected of all companies operating under the GDPR regarding children’s data.
“The GDPR has been a massive success in my view,” said O’Brien. “At the DPC, we’ve brought a lot of certainty to the application of the GDPR.”
There will likely be fewer claims brought against companies for rules that have already been violated because existing cases provide clarity on what regulators view as compliance, said Doyle, who runs the DPC’s corporate affairs.
Meta declined to comment.
Meta against a regulatory superpower
It is difficult for Europe’s technology sector to compete with American and Chinese behemoths, including Apple, Google, Alibaba and Huawei. Because of this, “there is a degree of unfairness, long before the Meta fines,” said Friel. There’s an “underlying objective to create that space that would allow for a European champion to emerge,” he said.
A series of recently approved E.U. laws could allow for “future Googles or Alibabas to emerge on European soil,” Meta’s Nick Clegg wrote in a blog post. Clegg formerly held a 12-year career in the U.K. Parliament and now works as president of global affairs at Meta.
The DPC’s O’Brien denied any bias on behalf of the regulator, but the dialogue does point out what could be happening on a higher level. While Europe can’t necessarily compete in the tech space, it has built itself up as a regulatory superpower that can still have a hand in the future of these companies, Friel said.
In the past, the E.U. has set global standards in social and environmental policy. “Data protection—data being the new oil—was something Europe could control,” he said.
The E.U. has 450 million people—more than the U.S.—and selling to that population means following its rules. While Meta could cease operations in the E.U. to avoid continued fines, it could be too big of a market to lose. Europe made the company $27.8 billion in 2022, a quarter of its total revenue.
As a result of continuing operations under the strict GDPR, the way in which the company operates in the U.S. could change as well, Friel said.
For global companies like Meta, having different sets of national rules can be difficult. In the U.S. alone, 23 states have introduced privacy legislation and eight states have passed laws, including California, which gives consumers the right to know what information businesses collect about them and the right to delete it.
Big Tech wants to follow one set of global rules, he said. Following the strictest legislation can cover the legal bases of many other countries. It could also mean giving up a significant portion of Meta’s advertising revenue.
Is Meta actually in trouble?
In the coming days, the DPC is expected to conclude another high-profile investigation against Meta for its transfer of data to the U.S., according to O’Brien. He could not disclose the fine amount or corrective measures the regulator plans to impose.
While fines can disrupt companies, they only hurt to the extent that the money can’t be recouped. Regulators have fined Meta $1.5 billion since 2018, but the company earned $443 billion in revenue during that time—$132 billion in net income—according to company financial documents. “The fines are laughable for Meta,” said Romain Robert, program director at NOYB, a European privacy-focused nonprofit that submits complaints against companies to regulators.
But fines are the tip of the iceberg, said Aurélie Pols, a Spain-based data protection officer who advises companies with regards to the GDPR. The real cost is the measures Meta might have to take, including deleting its data or following a ban on data collection, she said. While the DPC has the power to impose a temporary or total ban on data processing for Meta, it has not yet.
“The strategy (for Meta) is to lawyer up, buy time and try to continue with the business model while they potentially figure out how to do it differently,” she said. The company is fighting six of nine cases in court.
Meta’s business model is in jeopardy, and not just in Europe, she told Observer.
The U.S. doesn’t have any national equivalent to the GDPR, but conversations around TikTok suggest U.S. legislators, both Democrats and Republicans, are fed up with the power Big Tech yields. The core issue is that “major social media companies are allowed to collect troves of deeply personal data about you without any significant regulation whatsoever,” Representative Alexandria Ocasio-Cortez, a Democrat from New York, said on TikTok. The U.S. is one of the only developed nations with no significant data or privacy protection laws, she said, citing the GDPR as an example.
It is unclear if a federal law in the U.S. will pass, Pols said. “The U.S. is very business-focused and will continue to be.”
The main threat in the U.S. isn’t legislation, but class action lawsuits, said Pols. The fines related to lawsuits can sometimes exceed the amount the DPC charges. In 2021, Meta paid $650 million, more than any individual GDPR-related fine against the company, resulting from a U.S. class action lawsuit regarding the company’s facial recognition feature. In December, Meta agreed to pay $725 million to settle a lawsuit that claimed it shared data with Cambridge Analytica without user consent. The U.S. Federal Trade Commission fined Meta a record $5 billion in 2019 regarding the same issue.
Robert, the NOYB director, is preparing class actions in the E.U. because he doesn’t think the GDPR’s enforcement system is working, he said.
“It’s really tiring to enforce the GDPR,” he said. “As exhausting as it is for companies to comply, it’s that exhausting to enforce it. We are all exhausted.”
