The $1.2 billion fine that the European Union imposed this week on Meta, Facebook’s owner, for user-privacy breaches, was more than a punishment.
It was a sign of Europe’s determination to set enforceable rules in cyberspace that would prevent 21st-century technology tools from violating users’ privacy, safety, and other individual rights; or from being used to undermine elections, democratic institutions, or social trust.
Why We Wrote This
A story focused on
Europe is seeking a joint approach with Washington to regulate cyberspace, but the U.S. prefers voluntary action by businesses over Brussels’ legal prescriptions.
Cyber businesses are global, which means rules and regulations should be too. But China is clearly not interested in joining such an international effort, which leaves the EU and United States.
Lawmakers on both sides of the aisle in Washington share many of Europe’s concerns about an uncontrolled, artificial intelligence-powered internet. But there is little sign of a common transatlantic approach to the issue.
That is largely because while the U.S. prefers to leave businesses to regulate themselves, the EU has less trust in them. Europe’s new Digital Services Act obliges two-dozen very large players to provide an annual account on how they are combating disinformation, threats to safety, and election manipulation, among other ills.
One lesson that governments have learned from their current efforts to regulate the Internet could yet encourage greater transatlantic cooperation.
It is that cyberspace should have been regulated earlier.
It was, undeniably, eye-catching: a $1.2 billion fine levied in Europe this week against the giant American technology company Meta, the owner of Facebook.
Yet the money, little more than petty cash for Meta, matters less than the message.
That message is about setting enforceable rules in cyberspace: on the internet, on social media platforms like Facebook, on messaging apps, as well as to govern the latest policy challenge, artificial intelligence.
Why We Wrote This
A story focused on
Europe is seeking a joint approach with Washington to regulate cyberspace, but the U.S. prefers voluntary action by businesses over Brussels’ legal prescriptions.
This week’s case was about privacy: the European Data Protection Board ruled that when it moved European users’ content to the United States, Facebook was failing to ensure it wouldn’t be shared with U.S. intelligence agencies.
But this was just the latest signal from the 27-nation European Union of its growing determination to take the lead in broader regulation of cyberspace. The aim? To keep 21st-century technology tools from violating users’ privacy, safety, and other individual rights; or from being used to undermine elections, democratic institutions, or communal and social trust.
The EU is concentrating first on cleaning its own house: collectively it constitutes the world’s second-largest economy.
But EU policymakers know that the reach and complexity of cyber businesses, especially the richest and most powerful among them, mean that successful regulation, and indeed the very future of the Internet, will likely hinge on the two other leading economic powers, China and America.
China is vanishingly unlikely to join any effort to set international rules. For Xi Jinping, technology is less about individual empowerment than control. Far from embracing the initial ethos of the internet – as a truly global medium – China has erected a “great firewall” to block foreign sites to which it objects, and is advocating a model in which individual states control their own cyber networks.
So the key to retaining the internet’s global benefits, while also reining in excesses, could well lie in Europe’s efforts to find common cause with the United States.
U.S. lawmakers of both parties share many of the EU’s cyberspace concerns. But at least so far, there’s been little sign of a common Western approach.
And the Facebook fine provided a window into the reasons why.
This is partly a question of different political cultures. The European Union’s bill of rights explicitly protects citizens’ privacy. The U.S. has no constitutional equivalent, and places a First Amendment emphasis on the free-speech prerogatives of online platforms and their users.
At least in the Facebook case, that’s probably resolvable. Other U.S.-based tech giants also hold huge amounts of European content, and EU and American negotiators are finalizing a long-pending data agreement with a view to meeting Europeans’ intelligence-sharing concerns.
Yet the more fundamental difference is over how the tech companies should be regulated.
There are some areas of consensus. Both the EU and U.S. authorities have imposed penalties on their companies for misusing, or failing to secure, personal data.
But a yawning gap has emerged over online content.
Washington seeks to ensure that the tech companies properly regulate this content themselves. The European Union, on the other hand, last year introduced the Digital Services Act (DSA), which obliges two-dozen very large players such as Facebook, Twitter, Alibaba, and TikTok to provide an annual account on how they are combating disinformation, threats to children’s or women’s safety, and election manipulation, among other ills.
They will also have to give European regulators a look at the algorithms that decide what kind of content is sent to which users.
And the maximum penalty, 6% of a company’s global turnover, would dwarf the Facebook privacy fine.
While it is going to take some time to gauge the effect of the new rules – this week’s Facebook fine resulted from a complaint initially filed a decade ago – the EU is emphasizing its seriousness in applying them.
Shortly after the legislation was introduced late last year, the values and transparency chief on the European Commission, the EU’s executive body, upbraided Twitter owner Elon Musk for reportedly suspending a number of U.S. technology journalists from the platform. Calling the move “worrying,” Vera Jourová tweeted out a warning. “EU’s Digital Services Act requires media freedom and fundamental rights. There are red lines. And sanctions, soon.”
For now at least, a similar response from U.S. authorities is unthinkable.
But if the U.S. and Europe do move toward a common approach, the catalyst could be a newer technological worry shared on both sides of the Atlantic: artificial intelligence.
Washington and the EU have voiced their concerns in strikingly similar terms, but a familiar policy difference is on display.
The Biden Administration’s AI Bill of Rights last year took the form of voluntary policy guidance.
The EU’s planned AI Act would impose a raft of explicit requirements on tech companies offering AI applications such as chatbots, facial recognition, and biometric surveillance. And it would ban applications that employ “subliminal or purposefully manipulative techniques, exploit people’s vulnerabilities, or are used for social scoring.”
Still, one lesson that governments have learned from their efforts to regulate the internet could yet encourage greater transatlantic cooperation.
It is not that the tech giants, like banks during the 2008 financial crisis, may have become too big to fail, or even too big to regulate.
It is that it was left too late to regulate them.