The news of the ‘meta-mega-fine’ of over one billion euros imposed on the social networking platform by the Irish Data Protection Authority highlights once again the fundamental flaw in the political use of personal data protection rules and the inconsistency of the authorities responsible for enforcing them.
by Andrea Monti – Initially published in Italian on Strategikon – an Italian Tech Blog
The sanction was not imposed for a ‘privacy infringement’, i.e. some inappropriate practices in user profiling or data collection based on invalid legal grounds, but for a structural reason: European citizens’ data ends up in the US, where it is managed under rules that do not guarantee a level of protection comparable to that in the EU, because it is more easily accessible to the state security apparatus.
But if this is the reason for the sanction, then we are trying to drive a nail with a screwdriver.
Even in Western democracies, national security is a boundary that limits individual rights and intergovernmental agreements. This is demonstrated by the fact that, on the one hand, state secrecy in domestic law blocks even judicial investigations and, on the other hand, even the founding treaty of the EU does not apply to this area, which remains under the exclusive jurisdiction of individual members.
The issue is extremely complex, as this not-so-recent but still relevant study by Susan Rose-Ackerman and Benjamin Billa, published in 2008 in the New York University Journal of International Law and Politics, shows. However, in the conflict between politics and law, nothing embodies the aspiration for absolute autonomy of the state more than national security. At the same time, it must be acknowledged without hypocrisy that the national security exception is a convenient shortcut for adopting measures without subjecting them to public debate.
In a democratic system, there is at least the possibility of parliamentary oversight. However, in the international context, when faced with regimes that are deemed to be insufficiently protective, the only options are to do nothing or, depending on power dynamics and necessity, to put on a brave face while playing a bad game, as in the case of Giulio Regeni.
To return to the issue of personal data exported to the US, it is conceptually wrong to ask a sovereign state to guarantee the rights of foreigners at the expense of its own internal security and to expect to achieve this through judicial pressure in the absence of a treaty or other ‘contractual’ instrument.
Continuing to penalise US companies for collecting personal data in the EU and ‘exporting’ it to America, where authorities can analyse it, in the hope of gaining sovereignty over US national security, is a legally flawed and politically unrealistic solution. Fines and lawsuits have an impact on individual cases and are not the tool to change US security policy decisions.
Moreover, in broader terms, such a decision means bending the law to (legitimate) political needs, in blatant violation of the principle of the rule of law and the separation of powers (in addition to triggering a dangerous reciprocity mechanism under which other states will have grounds to legally “attack” the EU and its members).
Therefore, if it is really not possible to export personal data to the US, regulators should simply ban this practice indiscriminately, rather than selectively sanctioning specific companies (for example, why sanction Facebook and not companies subject to the Cloud Act?).
It is clear that such a solution, if adopted by the data protection commissioners, would have incalculable consequences, which precludes even consideration of it. Formally, however, the law cannot (or should not) be conditioned by additional aspects and should be applied in a binary manner: if the rule applies, it applies “no matter what”. The facts, however, show that this is not the case, and therefore one must ask what sense it makes to use a legal norm to solve a political problem in international relations, except to transform independent authorities from guardians of citizens’ rights into instruments for achieving strategic objectives that are not decided by individual member states.
Let’s be clear: there is no question of rolling back the protection of European citizens’ rights in the name of the needs of other countries, whoever they may be, including the US. The point is that the diffusion of American products and services related to information technologies is so extensive and profound in every aspect of public, private and personal activity that the simple implementation of some form of “technological autarky” is impractical, at least in the short term, regardless of whether it is politically desirable or pragmatically achievable in the long term.
In such a context, the sanction imposed on Meta (or any other company accused of exporting data to “less secure” locations) seems contradictory in all its aspects. It conveys the uncomfortable impression that standards are applied as a matter of convenience, and it reaffirms the institutional choice to put a price on rights, allowing those who can afford it to do as they please. Above all, it does not explain why it is only now that someone has discovered that there is a law to protect fundamental rights, when for years terabytes of data have been secretly migrating overseas and falling into the hands of “bad actors” without the “good guys” lifting a finger.