What the Industry Can Learn from Meta's Latest GDPR Fine

It’s been a few weeks of milestones for GDPR, with the legislation turning five years old just days after we saw the largest fine ever levied under the law. Meta’s record $1.3 billion penalty stems from issues of sending data from Facebook users in Europe to the U.S. and the digital media world waits to see what comes from this precedent. 

While Meta vows to appeal the decision and may even win in the end, many other players are likely looking at the mechanics that led to the Data Protection Commission’s decision and assessing their own systems to make sure they avoid similar issues.

Fortunately, there are encryption practices that can handle this task and remain GDPR compliant. In fact, Meta could have even avoided such a heavy fine altogether had it branched out in its protection measures.

Solving the problem abroad

There are five technical supplementary protection measures recognized by the EU Data Protection Board (“EDPB”) to safeguard personal data after the transfer of such data to a non-adequate jurisdiction such as the US. Companies involved in international transfers have a notoriously difficult time finding recognized, compliant encryption measures. We can deduce that Meta wasn’t making use of any of these measures, and if a company that large has trouble navigating the inner workings, it’s easy to understand how other companies may stumble. 

One of the five measures explicitly approved for this transfer is multi-party computation (“MPC”). Traditional encryption mechanisms can protect data at-rest (when it’s stored) and in transit (when it’s been moved to another computer). However, questions have remained about data in-use. Can companies have data encrypted and protected while processing it? The answer used to be a firm “no,” as far as the EDPB was concerned. However, recent cryptographic breakthroughs have led to secure multiparty computation (SMPC), which can protect data at all three stages: at-rest, in-transit, and in-use.

SMPC and Homomorphic Encryption (HE) are the only two cryptographic approaches that can preserve the confidentiality of data in-use and when collaborating with other partners and companies. HE, however, has much higher computational overhead which makes it less practical at larger scales. For a company operating at Meta's scale, it's hard to imagine that HE can be the solution.

Other Privacy Enhancing Technologies (PETs) – including differential privacy, federated learning, synthetic data, and anonymization – can only partially solve this same problem. These technologies usually introduce a trade-off between data confidentiality and data privacy. They are not provably-secure solutions with formal security guarantees. 

Preparing at home

In the absence of any federal privacy legislation, the U.S. is much less stringent about privacy and data sharing than the EU. That being said, it’s a huge benefit for U.S. organizations, including advertisers and massive platforms like Meta, to adopt SMPC now in order to ensure compliance no matter which way the privacy winds blow. The issue of linking encrypted data (or any data that uses a deterministic, perpetual ID) has remained a hot topic in ad tech circles for years, surfacing in trade publications and across the event circuit. 

Advertisers are in the early days of exploring clean rooms and new identifiers. While these are going to be critical parts of the future of digital media, we’re very much still in an ideation stage. Many of the technologies brands are experimenting with right now are bound to evolve in the months ahead, and some are just plain not compliant in areas of the world with more stringent privacy laws. 

Brands on both sides of the pond can look at Meta’s misstep and take the initiative to make sure they don’t follow suit. By digging deeply into their encryption practices and adopting GDPR-compliant mechanisms like SMPC, they can take advantage of the consumer matching and data moving that they need to operate in today’s market while also maintaining the flexibility to evolve, should we see national privacy legislation here in the US any time soon.