Nick Clegg, the UK’s former deputy prime minister and current vice-president of global affairs for Facebook, has spent the past week trying to dispel the rumour that Facebook would soon be forced to stop offering its services in the EU.
Facebook had attempted to persuade a Dublin judge that a ruling by the Irish Data Protection Commissioner would make it difficult for the company to keep operating anywhere in Europe. This was reported more widely as a threat to leave Europe.
Although a lot of it can be overlooked as posturing in court documents, it is still a dramatic situation to find ourselves in, with a service used daily by the majority of adults in the country at risk from a court decision.
If the US is not a safe place for European data, and internet companies cannot move data seamlessly between the US and EU, it will reshape the global internet
Understanding how we got here gives a great insight into the shifting sands of global data regulation, the future of the internet and how Ireland has found itself at the centre of it all.
This affair escalated dramatically in July when, after a string of court cases, international frameworks and EU directives, the Court of Justice of the European Union ruled that the United States was not a safe place for companies to send the private data of EU citizens.
There are some really big implications from that ruling. If the US is not a safe place for European data, and internet companies cannot move data seamlessly between the US and EU, it will reshape the global internet as we know it. It poses big questions for US tech companies such as Google, Amazon and Facebook that offer their services in Europe: how do they operate if they cannot transfer user data back to headquarters for processing?
As most of their European operations are in Ireland, the responsibility fell to the Irish Data Protection Commissioner to enforce this ruling, which she did against Facebook in early September. Facebook has since challenged the action and the Irish High Court has paused it until November.
To think about the GDPR with terms such as "individual privacy" and "data rights" is quite an American way to look at it
Ireland is playing host to this dramatic battle over the future of the internet, which could see the emergence of a global set of rules for the treatment of data at best, or at worst, a breakdown in how the modern internet works.
The first three decades of the internet have been shaped by US norms and values. Every government is now trying to mould the global internet in its own image. The trick here is to push hard to apply your own world view, to shape the internet to your own cultural norms and legal frameworks, but not so hard that you effectively splinter the internet in your part of the world, as China has done with its “Great Firewall”.
The European Union has two landmark pieces of legislation aimed at making the internet distinctly more European – the General Data Protection Regulation, which came into effect in 2018, and the ePrivacy Regulation, which is still in the works.
To fully understand the EU’s vision for a more European internet, we first have to make sure we are viewing it through a European lens, not an American one.
To think about the GDPR with terms such as “individual privacy” and “data rights” is quite an American way to look at it. The European framing of this issue is instead to think in terms of “corporate responsibility” and the “environment within which my data is handled”.
We want people informed and empowered, but when was the last time you read 20 pages of 'terms and conditions' before downloading an app?
To illustrate this with an analogy, let’s look at how you could apply those two frames to a different area: food production.
The American approach would ask questions such as “How do we empower individuals to make smart choices about the foods they eat?” When we ask questions such as this about foods, we end up with solutions such as nutrition labels on food packaging – standardised, clear, concise ways that citizens can engage with food providers from an informed and empowered position.
I’m a big fan of nutrition labels, but there are limitations to this approach. I’m not a food expert.
So smart regulation also sets standards. The European Union cares about the processes by which our food is produced. We make rules about the hormone levels in our beef and the chemicals on our crops. This is a good thing and does much more of the heavy lifting to improve the quality of our foods than information alone could accomplish.
The same analogy applies to data. We want people informed and empowered, but when was the last time you read 20 pages of “terms and conditions” before downloading an app?
That’s where legislation such as GDPR comes in. The “nutritional information” is a part of it, but the much bigger and more substantial changes are on the corporate responsibility side.
The EU cares that farms and food-processing plants operate responsibly, and likewise they care about how companies behave with our data. Huge amounts of GDPR is focused on processes and procedures to make companies less sloppy when they handle our private data.
Problem with US
As the Brexit negotiations remind us, the EU also cares about the high-level agricultural policies and practices in the countries we import food from, and likewise it cares about the data protection and security policies of the countries our data is sent to.
The EU has always had problems with the way that the US does beef, and now it has beef with the way the US manages data.
Edward Snowden, a CIA contractor turned whistleblower, brought to light the fact that the US government regularly monitors the private data passing through the servers of US companies. Since GDPR came into effect, many companies have put agreements in place saying, in effect, “we will transfer your data to the US, but we will ensure the same level of safeguards required under GDPR”.
Max Schrems, an Austrian citizen and privacy advocate, challenged one of these companies, Facebook Ireland, saying it can’t make such a promise because once it sends his private data to Facebook US, it can’t stop the US government from snooping on it. Keeping that promise is outside of Facebook’s control.
The European courts agreed, and so here we are, with the Irish Data Protection Commissioner trying to enforce this with Facebook Ireland, with wider implications for every other tech company to follow.
GDPR has been a success in making the internet more European, with most large global tech companies changing the way they handle private data inside and outside the EU. The next big test, which we will see play out here, is if GDPR can change the way the US government treats the private data of non-US citizens, or maybe just EU citizens.
Peter Tanham is a digital strategist who writes a weekly newsletter about tech policy in Ireland