Monday Morning Moan - Meta might take its ball home if Europe's regulators don't make the 'right' decisions

It's safe to say that the past few days won’t be coming up as fond memories to look back on on Mark Zuckerberg’s personal Facebook timeline. On the back of falling user numbers - apparently the one sin that Wall Street isn’t prepared to turn a commercially expedient blind eye to when it comes to The Company Formerly Known As Facebook - the firm’s share price went into freewill, clocking up the largest ever one day collapse. Meanwhile poor old Zuck himself woke up to find his personal fortune down $30 billion.

But before we all start weeping crocodile tears - no? Me neither! - something else emerged from the embers of last week that’s worth keeping front of mind in the months to come. Remember all those protestations from Zuckerberg about how he wanted government to come up with regulations for the social media sector, such as when he told members of the US Congress:

Every day we make decisions about what speech is harmful, what constitutes political advertising, and how to prevent sophisticated cyber-attacks. These are important for keeping our community safe. But if we were starting from scratch, we wouldn’t ask companies to make these judgments alone. I believe we need a more active role for governments and regulators.

It’s a theme that he’s returned to on many occasions since, always pitching the party line that Facebook wants to be a good global citizen, but can’t be expected to do this on its own and needs to co-operate with legislators around the world to come up with a regulatory regime that will work today - and out into the metaverse now, I assume.

In their own words

From a purely personal point of view, this ‘mea culpa, help me!’ mantra has never sat comfortably with me I’m afraid. That’s what makes Meta Platforms latest annual report filing with the US Securities & Exchange Commission (SEC) so interesting. In it, the company talks a lot about the types of regulatory regimes it encounters around the world and basically has a right old moan about them:

We are subject to a variety of laws and regulations in the United States and abroad that involve matters central to our business, many of which are still evolving and being tested in courts, and could be interpreted in ways that could harm our business…Foreign data protection, privacy, content, competition, consumer protection, and other laws and regulations can impose different obligations, or penalties or fines for non-compliance, or be more restrictive than those in the United States.

It’s those foreign regulations that come in for particularly opprobrium, most notably the existing and planned restrictions on cross-border processing of personal data by the European Commission. Meta processes data on servers both in the European Union and in the US and pitches the claim that it needs to be able to be free to choose where it does so. This used to be enabled by the old Safe Harbor rules, which were trashed by the Court of Justice of the European Union (CJEU), and their replacement, the notoriously thrown-together-at-the-last-minute Privacy Shield, which was itself shot down in flames by the same court.

To date, no replacement regulatory framework has been put in place and this is annoying Meta. In its filing, the firm notes:

If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results. For example, the Privacy Shield, a transfer framework we relied upon for data transferred from the European Union to the United States, was invalidated in July 2020 by the Court of Justice of the European Union (CJEU). In addition, the other bases upon which Meta relies to transfer such data, such as Standard Contractual Clauses (SCCs), have been subjected to regulatory and judicial scrutiny.

In August 2020, we received a preliminary draft decision from the Irish Data Protection Commission (IDPC) that preliminarily concluded that Meta Platforms Ireland's reliance on SCCs in respect of European user data does not achieve compliance with the General Data Protection Regulation (GDPR) and preliminarily proposed that such transfers of user data from the European Union to the United States should therefore be suspended.

A final decision in this inquiry is on the cards for the first half of this year and Meta is clearly keen for it to come down firmly on one side or there will be, shall we say, unfortunate possible consequences:

If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.

In other words, if things don’t go Meta’s way, Zuck and Co will pick up their ball and not play with the European bullies anymore. Europe’s already caused Meta enough pain, it seems, what with its damn privacy obsessions. Take GDPR (General Data Protection Regulation) as a case in point:

We have been subject to other significant legislative and regulatory developments in the past, and proposed or new legislation and regulations could significantly affect our business. For example, the GDPR includes operational requirements for companies that receive or process personal data of residents of the European Union that are different from those previously in place in the European Union, requires submission of personal data breach notifications to our lead European Union privacy regulator, the IDPC, and includes significant penalties for non-compliance with the notification obligation as well as other requirements of the regulation.

The GDPR is still a relatively new law, its interpretation is still evolving, and draft decisions in investigations by the IDPC are subject to review by other European privacy regulators as part of the GDPR's consistency mechanism, which may lead to significant changes in the final outcome of such investigations. As a result, the interpretation and enforcement of the GDPR, as well as the imposition and amount of penalties for non-compliance, are subject to significant uncertainty.

All that and there’s still the proposed Digital Markets Act coming from the EU as well as its ePrivacy Directive.

You can’t even trust Brexit Britain, usually well-up for all that lovely tech inward investment that various Digital Ministers have prostrated themselves, to do the right thing, even if it is open to breaking away from GDPR and being less sort of European-y in its data privacy approach and not so fussy about stopping Facebook from sending data overseas.

(Mind you, just wait until Meta comes across Nadine Dorries, the current Secretary of State for Digital, Culture, Media and Sport, a woman who in the past few days put her tech credentials on show as she boldly declared on national television that the internet is ten years old! If tech market savvy ever ran in Ms Dorries household, I suspect it ran too fast for her to catch it, which is unfortunate given that she’s now in charge of digital policy in the UK…but that’s another sorry saga for another day.)

There may be trouble ahead

Mind you even if Meta does take its Euro-ball home to the US, there’s trouble ahead there as well:

The California Consumer Privacy Act, which took effect in January 2020, and its successor, the California Privacy Rights Act, which will take effect in January 2023, also establish certain transparency rules and create new data privacy rights for users…The proposals to modify competition laws in the United States and other jurisdictions could cause us to incur significant compliance costs and could potentially impose new restrictions and requirements on companies like ours, including in areas such as the combination of data across services, mergers and acquisitions, and product design.

What is it with all this!?!?! Can’t Meta just be left to get on with things? It’ll be different in the metaverse, you wait and see!

On a more serious note, the cautionary statements of risk are, of course, a standard part of every publicly-quoted company’s regulatory filings. But it’s a measure of how Facebook’s brand has evolved in recent years that you don’t need to be dyed-in-the-wool cynic to suspect that the threat to pull Facebook and Instagram out of Europe is a shot across the bows of regulators in the EU. Fat chance of it having much impact on the Commission in Brussels, where Competition Commissioner Margrethe Vestager has already aired her intent to start looking at how to regulate the metaverse.

But anyway, the next time Zuck starts on about how he wants to see more regulatory action by governments and legislators, let’s bear in mind that what he means is he wants to see the right kind of regulatory action. And that’s not the same thing at all, is it?