{"id":8034,"date":"2020-09-26T09:06:22","date_gmt":"2020-09-26T09:06:22","guid":{"rendered":"http:\/\/ncjolt.org\/?p=8034"},"modified":"2020-09-26T03:07:35","modified_gmt":"2020-09-26T03:07:35","slug":"facebooks-unlucky-strike-with-the-irish-illuminates-us-data-security-shortcomings","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/facebooks-unlucky-strike-with-the-irish-illuminates-us-data-security-shortcomings\/","title":{"rendered":"Facebook&#8217;s unlucky strike with the Irish illuminates US data security shortcomings"},"content":{"rendered":"\n<p class=\"has-drop-cap\">We all know that social media platforms like Facebook gather data (and metadata) about us while we absent-mindedly scroll-click-scroll, but do we really know <em>how <\/em>much data those companies collect and the significance of that stockpile? A quick look at Facebook\u2019s <a href=\"https:\/\/www.facebook.com\/full_data_use_policy\">data policy<\/a> will show you that Facebook collects virtually everything about you, from the data you physically input into the system, to the type of device you\u2019re using to browse <em>and<\/em> that device\u2019s battery level. Facebook says that it uses this data for various purposes, including \u201cinnovat[ing] for the social good,\u201d but it also makes a whopping <a href=\"https:\/\/www.investopedia.com\/ask\/answers\/120114\/how-does-facebook-fb-make-money.asp\">98% of its quarterly revenue<\/a> ($18.3 billion) from using personal data to sell targeted advertising space to various marketing firms eager for its scoop on consumers.<\/p>\n\n\n\n<p>Unlike Europe, the US <a href=\"https:\/\/fas.org\/sgp\/crs\/row\/IF10896.pdf\">lacks<\/a> a uniform law regulating digital corporate intrusions, and instead leaves it up to the individual fifty states to parse out personal data protection. 
The European Union (EU), on the other hand, is much more protective of Europeans\u2019 data, boasting the General Data Protection Regulation (GDPR) as the <a href=\"https:\/\/gdpr.eu\/what-is-gdpr\/\">\u201ctoughest privacy and security law in the world.\u201d<\/a> This law came into effect in 2018 and applies to any person or company (even outside of Europe) that collects or processes data from EU citizens or residents. The GDPR enforces a number of privacy protections, including the <a href=\"https:\/\/gdpr.eu\/right-to-be-forgotten\/\">\u201cright to be forgotten,\u201d<\/a> and reserves the right to fine noncompliant companies up to 4% of their global revenue.<\/p>\n\n\n\n<p>Prior to this summer, companies in the US, including Facebook, used to comply with the terms of the GDPR via the <a href=\"https:\/\/www.privacyshield.gov\/Program-Overview\">Privacy Shield<\/a>, a mechanism that rated companies\u2019 data transfer practices for \u201cadequacy\u201d with respect to the strict European standard. However, this summer the EU\u2019s top court <a href=\"https:\/\/www.wsj.com\/articles\/eus-top-court-restricts-personal-data-transfers-to-u-s-citing-surveillance-concerns-11594888385\">struck down<\/a> the Privacy Shield, effectively removing the only mechanism companies like Facebook, Apple, Google, and Amazon had to comply with the GDPR. 
Now, a recent Irish preliminary <a href=\"https:\/\/www.wsj.com\/articles\/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980\">order<\/a> wedges an even deeper digital divide between the US and Europe, during a pandemic where really the only contact between Europe and the US <em>is <\/em>digital.<\/p>\n\n\n\n<p>The preliminary <a href=\"https:\/\/www.wsj.com\/articles\/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980\">order<\/a> recently issued by Ireland\u2019s Data Protection Commission, a privacy and digital watchdog, calls for stopping Facebook\u2019s data transfers from its European users to the US. This order would likely require Facebook to stop serving the European market altogether unless it can adapt its platform to conform to EU privacy standards. If Facebook fails to comply, it could face up to $2.8 billion in fines, corresponding to 4% of its annual revenue. Facebook <a href=\"https:\/\/www.wsj.com\/articles\/facebook-appeals-move-to-curb-eu-u-s-data-transfer-11599825025?mod=tech_lead_pos1\">appealed<\/a> the preliminary order a few days after it issued, seeking an injunction and requesting review of the agency\u2019s procedure in determining data security risks.<\/p>\n\n\n\n<p>If Facebook\u2019s appeal in stopping the order is unsuccessful, it could be the first of many orders blocking data transfers between the US and Europe, jeopardizing <a href=\"https:\/\/fas.org\/sgp\/crs\/row\/IF10896.pdf\">billions<\/a> of dollars in data-related trade. 
While the sheer size of the economic disruption that a block on transatlantic data flows would cause is terrifying, it\u2019s worth remembering that the economic trade-offs go both ways, and it raises the question of why the EU values privacy as a fundamental right over corporate gains more than current US policymakers do.<\/p>\n\n\n\n<p>While it could be easy to lament the enormous cost of potential measures necessary to comply with the GDPR, this recent EU order against Facebook provides an opportunity to reflect on whether US lawmakers should take a tougher stance on Big Tech and data privacy. This year has already featured some of the <a href=\"https:\/\/securityboulevard.com\/2020\/08\/5-biggest-data-breaches-of-2020-so-far\/\">biggest<\/a> data leaks to date, including the infamous <a href=\"https:\/\/blog.twitter.com\/en_us\/topics\/company\/2020\/an-update-on-our-security-incident.html\">Twitter<\/a> breach. Data concerns are especially salient with the upcoming presidential <a href=\"https:\/\/www.wsj.com\/articles\/russian-hackers-have-targeted-200-groups-tied-to-presidential-election-microsoft-says-11599763502\">election<\/a>, wherein Russian hackers have already allegedly targeted 200 organizations to tamper with the democratic process. If the EU is unwilling to do business with the US, and is willing to risk billions of dollars in trade, because of potential data breaches, we should probably be advocating for stronger data protection in the US akin to the GDPR. The GDPR <a href=\"https:\/\/fas.org\/sgp\/crs\/row\/IF10896.pdf\">grants<\/a> individuals the right to know who\u2019s using their data, stop third parties from disseminating their data, and be swiftly notified of data breaches, among other rights. 
California has already passed a more rigorous privacy <a href=\"https:\/\/oag.ca.gov\/privacy\/ccpa\">act<\/a>, and it\u2019s time for other states (or the federal government) to follow suit: our economy, our nation\u2019s security, and our own personhood depend on it.<\/p>\n\n\n\n<p>September 26, 2020 | Alexandra Farquhar<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We all know that social media platforms like Facebook gather data (and metadata) about us while we absent-mindedly scroll-click-scroll, but do we really know how much data those companies collect and the significance of that stockpile? A quick look at Facebook\u2019s data policy will show you that Facebook collects virtually everything about you, from the <a href=\"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/facebooks-unlucky-strike-with-the-irish-illuminates-us-data-security-shortcomings\/\" class=\"more-link\">&#8230;<\/a><\/p>\n","protected":false},"author":4,"featured_media":8035,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[131,132,130,133,135,134],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8034"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=8034"}],"version-history":[{"count":2,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8034\/revisions"}],"predecessor-version":[{"id":8037,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/8034\/revisions\/8037"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v
2\/media\/8035"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=8034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=8034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=8034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}