In a recent court case related to Facebook’s Cambridge Analytica scandal(1), parent company Meta was unable to comply with a request from a court-appointed special auditor to release information about 149 of its internal data systems. In particular, the special master wanted details about the functions of these systems and how they were used by other business units in the company. Meta effectively responded that it could not provide the court with that information. In other words, its own engineers seemed unaware of the full volume of user data they held in what appeared to be a Byzantine network of different systems.
If that’s still the case in two years, Meta could find itself in serious trouble with European regulators. With the upcoming Digital Markets Act (DMA), the EU will ban big internet platforms like Facebook from combining and reusing data, or using data from one part of their business to power another. The goal is to lower the barriers to entry for other companies that are struggling to compete with firms that have amassed mountains of user data to create dominant advertising companies.
The DMA, which came into force on November 1st and whose rules will apply from May 2nd, 2023(2), could significantly amplify the EU’s relatively unsuccessful privacy efforts against big tech.
Meta spokesman Andy Stone said the company is making “significant investments to meet our privacy commitments and commitments, including extensive data controls.” He added that Meta will work with European regulators to comply with the new rules.
Johnny Ryan, a senior official at the Irish Council for Civil Liberties, conducted the original research on the court documents, which he says offer a rare glimpse into what Facebook knows about its own data processing. The documents are now the basis of a warning letter he is sending to EU cartel boss Margrethe Vestager, whose office is responsible for enforcing the forthcoming DMA. “Metas Data Free-for-All makes compliance with the [DMA] impossible for the tech giant,” said Ryan.
Of course, the company still has time to put its house in order. Businesses that fail to comply with the DMA’s 22 Codes of Conduct(3) face significant fines, including fines of up to 10% of their global revenue for a single violation. Fines of up to 20% are imposed for repeat offenders.
Perhaps unsurprisingly, a company of Meta’s size might not be aware of the full extent of user information it holds. The documents released during the court case listed a jumble of words of various data systems that Meta presides over, with names like Hive, TAO (which stands for The Associated Objects), FBLearner, and F3 (which stands for Facebook Feature Framework). According to the documents and Ryan’s analysis, they appear to have a complex set of roles, not only as databases but also as so-called “layers of abstraction.” Their interaction is so complex that an engineer cited in the court documents said the data may not be understandable to humans.(4)
Meta spokesman Stone said that “no single engineer at the company can answer every question about where each user’s information is stored.”
But Anne Witt, an antitrust scholar at EDHEC Business School, said Ryan’s complaint carries weight when Meta fails to improve visibility of its own myriad data systems. She pointed out that his approach was similar to that of German antitrust authorities, which used competition law in 2019 to stop Facebook from imposing excessive data collection requirements on consumers. It was a controversial case but novel in its approach and has been successful so far, having been upheld by the German Federal Court of Justice following an appeal by Facebook. The European Court of Justice will probably also confirm this.
There is one major caveat, however: major online platforms like Facebook and Google are widely expected to push back on the EU’s designation as a “gatekeeper” in appeals that could further delay the launch of the DMA. If Facebook loses a significant share of the advertising market to TikTok and others over the next two years, and its sales are further eroded by Apple’s iPhone privacy update, that could help argue that it’s not as dominant as the EU claims is. This creates a (small) chance that it can later avoid having to deal with these stricter regulations.
Avoiding all of these new regulatory scrutiny would be a silver lining. Given how long Meta has been in the EU’s crosshairs so far, it probably won’t get off that easy.
More from the Bloomberg Opinion:
• FTX puts more nails in Crypto’s coffin: Lionel Laurent
• Musk’s latest move at Twitter can only hurt ad revenue: Parmy Olson
• Apple’s US chip move is about both marketing and technology: Tim Culpan
(1) The original complaint alleges that Facebook broke the law by allowing third parties, such as consulting firm Cambridge Analytica, to access users’ personal content and information without their consent.
(2) Although the DMA rules will technically apply from May 2023, they will probably not have their full impact on tech giants until around 2024 or even 2025. This is because they are likely to argue in court against EU labeling as “gatekeepers” and thus subject to the Digital Markets Act. They will almost certainly lose these cases, but it will give them the advantage of kicking the can on the street.
(3) The 22 Codes of Conduct are contained in Articles 5-7 of the DMA.
(4) Page 575 of one of the court records.
This column does not necessarily represent the opinion of the editors or of Bloomberg LP and its owners.
Parmy Olson is a Bloomberg Opinion columnist covering technology. A former reporter for The Wall Street Journal and Forbes, she is the author of We Are Anonymous.
For more stories like this, visit bloomberg.com/opinion