May 2023 Global Tech Policy Bulletin: From a Gargantuan GDPR Fine to More Hot Water for Meta

Hello and welcome back to Citizen Tech, InformationWeek’s global policy update. Every month we look at the biggest political stories about technology and cybersecurity, in the United States and abroad, to keep you in the loop. Here’s your wrap-up for May:

The Biggest Ever GDPR Fine

Yes, they finally did it: A European regulatory body fined a Big Tech firm for over a billion euro. Cue the “Ode to Joy”. On May 22, Ireland’s Data Protection Commission announced that it would be fining Meta, the parent company of (among others) Facebook and Instagram, 1.2 billion euro for abusive transfers of European user data to the United States. The DPC’s specific concern was that the user data was subject to American surveillance practices that are illegal in the EU.

The case hinged on legal language known as standard contractual clauses, preset formulas approved in advance by the European Commission that determine how a company from a non-GDPR-signee country can handle European data. These clauses are non-obligatory, according to a European Commission fact sheet  -- but beware of violating them.

The biggest GDPR fine before this had been Luxembourg’s 746-million-euro penalty against Amazon. Breaking the billion-euro threshold could usher in a new era of serious data protection penalties -- the four-minute mile of data regulation -- and Meta is almost tangibly nervous. Nick Clegg, the former Lib Dem parliamentarian turned Meta spokesman, told POLITICO that the “decision is flawed, unjustified, and sets a dangerous precedent for the countless other companies transferring data between the EU and US.”

Happy Birthday, GDPR!

It was a fitting birthday present for the framework, which turned five last month. In honor of the mammoth data regulation law’s toddlerhood, POLITICO compiled a list of its penalties by country. It’s an enlightening survey. Who would have guessed, for instance, that the country that handed down the most GDPR violation fines would be Spain? And at a tremendous margin -- 646 so far, with Italy a distant second at 265. On the other end of the spectrum, the UK has given 13 fines in five years. Lithuania, home to a thriving tech sector, gave exactly nine. For all of Emmanuel Macron’s recent big talk about asserting the European economy at the price of 2000s-style free trade, France has only handed down 32 fines, worth about 298.7 million euro.

Little Luxembourg has made a fortune with its 31 fines -- some 746.3 million euro. With its recent coup against Meta, Ireland tops the charts at 2,510.3 million euro collected in fines.

Not surprisingly, the hardest hit sector in monetary terms has been media and broadcasting, which includes social media. The industrial sector has accrued the most penalties. The median fine is 2,000 euro.

In Washington: More Hot Water for Meta

Meta has been the protagonist of the month of May, much against its will. The Federal Trade Commission has taken the tech giant to task over the monetization of personal data from users under 18. This, according to the FTC’s statement, violates the 2020 agreement wherein Facebook (as Meta was then known) agreed to limit third-party app developer’s access to children’s data. FTC wants a blanket ban on the monetization of the personal data of minors; it also wants a moratorium on all new Meta products and services until regulators have proven the company’s compliance to their satisfaction. There’s no talk of fines at the moment, but the aforementioned 2020 agreement involved a $5 million penalty, and there’s no particular reason that the FTC shouldn’t levy another fine in the near future.

Meta, again, was furious. “Despite three years of continual engagement with the FTC around our agreement,” their spokesman told the New York Times, “they provided no opportunity to discuss this new, totally unprecedented theory.” It’s true that Lina Khan’s command at FTC has been aggressive, but it also indicates a new scope of consumer protection regulation: Beyond mere matters of challenging illegal actions, Khan is extending the commission’s purview to challenge potentially harmful, but not necessarily illegal, practices. One of her latest targets, for example, is AI facial recognition and its abuses.

Facial Recognition: The World Stirs Uneasy

And here we arrive at one of the broadest, slowest-moving, and most disquieting tech problems of the year: what to do with software that can recognize human faces. In Strasbourg, the European Parliament voted to adjust the wording of the 2021 Artificial Intelligence Act to ban biometric identification in public spaces, as POLITICO reports. The center-left led this fight; MEPS from the Christian Democratic European Peoples’ Party bloc took longer to convince, citing law enforcement and antiterrorism concerns.

In Jerusalem, Amnesty International has condemned the Israeli government for exactly the kinds of abuses that European lawmakers have suggested as a nightmarish possibility. According to their report, Palestinians entering Israel from the West Bank since 2022 must submit to a software called Red Wolf, which registers their faces in a database. Only Palestinians are required to undergo this processing. The Israeli military has access to this data, but their use is opaque, and Amnesty has accused them of worsening the West Bank’s atmosphere of arbitrary arrests and degraded living conditions.

In Russia, conditions are worse still. The Associated Press called Russia’s police reliance on facial recognition a “cyber gulag” this month, publishing the story of an anti-government activist who feels unable even to ride the metro -- cameras in the metro cars regularly recognize her, and she’s been detained without charge five times this year. Facial recognition is only the most lurid of the Russian state apparatus’ digital enforcement portfolio, which includes more banal kinds of cyberespionage and mandated submissions of data from internet and mobile providers. In 2022, 779 Russians found themselves in court for posts they’d made online.

War Dispatch: The Digital Antigone

The facial recognition software controversy has been particularly poignant in Ukraine, where, as Wiredreported earlier this year, the Ministry of Defense uses Clearview AI to identify the bodies of the dead. Clearview provided the software for free, as a gesture of solidarity, at the beginning of the war. Soon, however, the Ukrainian MoD began using Clearview to identify the bodies of enemy soldiers; they would then inform the dead person’s family, in Russia.

A former Red Cross forensics expert told Wired that this was irresponsible, as the technology simply can’t reliably identify human faces like DNA analysis can. But there’s something more disturbing in this story. Mistreatment of the dead is one of our oldest and most universal taboos, codified by the Geneva Convention. Sophocles’ heroine Antigone preferred to die than to see her slain brother defiled; and if the Ukrainian military is willing to press the dead into an army of misinformation and propaganda, against their own country, it must also be willing to accept the role of Creon, who punished Antigone with death. The conversations this month about facial recognition and AI touch us more deeply than normal tech matters. No one is immune and no one is excused.

Chips Update: R&D

In Washington, the Biden administration’s push to develop a semiconductor manufacturing sector continue apace. One of the obstacles, explained by the Timesthis month, is cost. As chips get smaller -- the official term is “chiplet” and we promise that’s true -- the cost of production rises dramatically. It takes millions, sometimes hundreds of millions of dollars to produce these at a viable scale, impossible for startups and small manufacturers and a forbiddingly long shot for venture capitalists.

Turning chiplet production into a healthy sector will take more than funding, though: it will take an intellectual investment, which is why the Department of Commerce inaugurated the National Semiconductor Technology Center, a forum for industry leaders, researchers, academics, financiers, suppliers, and other public and private actors to build “a semiconductor workforce development ecosystem.”

Chips Update: NAFTA Is dead. Long Live NAFTA

On May 18 and 19, Biden invited Canada’s Justin Trudeau and Mexico’s López Obrador -- the heads of government of the former NAFTA countries -- to Washington for the first North America Semiconductor Conference, along with industry groups and researchers from the University of Arizona. The conference called for increased knowledge sharing and inter-investment between the three countries and fill gaps in supply chains, not just in chips but “clean energy, critical minerals, biomanufacturing, and information and communications technology.” This is an interesting development in Biden’s trade posture, especially given the general retreat, on the left and right alike, from the legacy of 1990s or 2000s-era free trade optimism.

The critical minerals that the White House press release mentions are interesting: Mexico is an important but overlooked exporter of gold, bismuth, strontium, and other important raw materials, according to S&P Global, and its lithium sector can yield much more than is currently mined. Most of these minerals come to the West from or through China, so Mexico’s inclusion is an important geopolitical consideration for Washington.

In Brussels: Overtures to India

A number of high-ranking European Commission ministers invited their counterparts from India to a meeting this month to discuss a number of tech issues, including quantum computing, AI, semiconductor production, 5G, and Internet of Things standardization. The meeting was the first in a yearly series, the ministers announced.

India is an important trading partner for Europe, and supply chain security seems to have been a key concern throughout the meeting. But geopolitical anxieties animated the meeting as well: India has never really rebuffed Russia’s economic and diplomatic overtures and refused to condemn the invasion of Ukraine in a UN vote. The EU cannot afford to let India slide completely into Russia’s embrace.

“India is an indispensable strategic partner for the EU,” said Josep Borrell, the EU’s chief diplomat. Valdis Dombrovskis, commissioner for trade, voiced these anxieties more directly: “As two of the world’s largest democracies and economies, the EU and India have a clear interest in working together at a time when democratic values and the global economy are under pressure.”

Recommended Reading: ‘I Want to Show Up Like a rabbit’

This month in the Spectator, Simon Hunt describes a visit to Meta’s London offices with rather exasperated humor. He is received with a virtual reality helmet and a long, entertaining demonstration of what a VR office could look like; at the end, however, the longtime tech reporter is less than impressed: “It was all great fun. But as I made my way home, I wondered what the point of it had been. Could this meeting not just have been done over email?”

Hunt’s conclusion -- that the Metaverse was a terrific blunder and will never take off -- isn’t easy to refute. Meta’s share prices have plummeted 30% over the past two years, and this year 20,000 of its employees have lost their jobs. As far as the Metaverse goes, no one seems particularly interested. The Horizon Worlds network, sold as a virtual workplace for companies, lost a third of its users in 2022.

Why the hemorrhage? Hunt blames COVID-era Zoom fatigue, in part. It seems no one actually likes being forced into a VR office. But another reason, which he implies but never says outright, is that the idea was silly from the start. At one point a Meta executive explains to him that the advantage of the Metaverse is “optionality.” “If tomorrow, I want to show up like a rabbit, then I can show up like a rabbit.” Ah, quite.

What to Read Next:

From Bank Nightmares to a Spyware Scandal in Greece

From Terrorists on YouTube to the Chips Act and Its Discontents

From ChatGPT Musings to Tech Diplomacy in India