While I don't disagree with you, if you are going to say something like that, you should really at least give the right number. Or at the very least include a disclaimer that 12 hours is not the right number.
2022 Meta revenue was 116 billion USD [1]. So the fine was 1.1% of yearly revenue, or pretty close to 4 days of revenue.
In terms of yearly net income, it is 5.6% or 20 days of income. Don't think this is a trivial fine.
Also to add, this fine is concerned with the EU. I'm not sure why we care how much money Meta makes in other regions. EU accounts for about 25% of their revenue [1]. So in terms of yearly net income it then gets closer to about 15%. Again, the job of EU is to regulate businesses in the EU and not the rest of the world.
They broke a law that violates basic human rights. Privacy is important to EU citizens, and unlike the US they largely enjoy that right thanks to laws which are enforced.
Facebook is not the government so even if what you say is true, it's really off-topic. Being protected from businesses violating your privacy is a good thing.
The reason why Facebook transferring data to the US is illegal in the EU is because its spy agencies and law enforcement can force them to turn over data.
And the United States can't? Facebook is part of PRISM, and they are incorporated in America. They are arguably in a more compromised state when operating domestically than abroad.
That's not the argument I would go with, but you could. I would argue that the EU has more oversight into its spy agencies and can rein them in if wrongdoing comes to light, whereas they have little to no control over those in the US.
This isn't about protecting users from spying. This is about managing user data and privacy in accordance with the laws that privately-owned businesses must abide by. You can claim that it's a double-standard, but it's still wrongdoing and needed to be sorted out either way.
The data that Facebook collects about people goes far beyond what is explicitly shared and visible in their profile. E.g. which sites they visit (and when) with Facebook widgets on them, on-site browsing habits, private conversations, their phone contacts, location data, etc.
I imagine that a number of features are built on top of these. I remember that you could easily see what friends were nearby you when you were traveling (I ran into a friend who was visiting Milan at the same time as me a few years back!) but the feature doesn't exist anymore. I'm wondering if it's because of regulations that they had to cut down on these features.
You're moving the goal posts. Your claim was that all posts are globally public. That's wrong.
But to play along, what happens to the data depends on where it is stored. If the data center is in the US then the government can get a court order to seize that data. Which is not the same as in some other countries, is it?
That's entirely untrue. Countries in the EU had strong privacy laws before the EU existed. And before the internet existed. Mostly around phone companies, but not only. Having lived in a few countries in the EU I can also anecdotally say that privacy laws are generally liked.
GDPR laws are so popular that 17 countries outside the EU already have similar laws.
For example, now a random security camera operator can't just take some scenes and post them on YouTube, as that would violate GDPR in several ways, and a few companies paid tens to hundreds of thousands in fines for that.
It also cut sooo much bullshit when it comes to PII management. Because there are actual teeth behind it, very few companies will try the old trick of "oh you wrote an email to us? Let's just send marketing stuff on that", as that would require separate consent.
They got 5 months to fix the issues. So after 5 months they can collect a bigger fine ... and then 5 months later again, with three increasing charges within 12 months it's more notable.
Ok, realistically it's unlikely to happen exactly that way, ...
Sometimes I wonder why there are so many people advocating three strike and out laws, but never against corporations. Would be interesting if the third fine would be so large that shareholders are wiped out and debt holders are left with scraps.
Bit off topic, but how on earth did Meta gross 116 billion USD? lol
Of course we all find tech valuable, but that is absolutely stupid money for what I get out of their services, which is almost nothing hence I've not opened FB for weeks and I open Instagram for 2-3 minutes every day and turn it off, lately maybe every other day.
Even with more engaged users it's hard to believe it's worth that much money. Is the advertising really this effective? Insane.
> that is absolutely stupid money for what I get out of their services, which is almost nothing
That's why it's a free product! Revenue is from the value they deliver to advertisers. Meta's average revenue per user is significantly higher than other ad platforms (except Google).
For someone selling to a particular group of people, getting ads to that specific group, and ONLY that group, is really valuable.
Your guess is wildly mistaken. They did not intend to sell data to CA; and the CA events happened in 2014-2015 and the program CA abused was subsequently shut down.
To my mind that could be explained as CA exploiting Facebook users' data and Facebook shut down that program so that it could instead explicitly sell similar datasets.
Selling data erodes Facebook's ability to make money selling ads (because then other people will be able to target users just as well). It's never been something they did intentionally.
Seems likely to me. I can't recall Facebook acting in good faith at any point in time. If there's a bunch of money to be made assisting well-funded politicians, then I'd fully expect Facebook to be wanting a piece of that pie when their business model is generally to act against the users of the site by selling their data to manipulators.
Given that you are on HN, you are likely a salaried employee. This means you are also generating income 24/7. If you were fined for 20 days of your income, would you still argue that this is "the definition of a trivial fine" for you? I certainly wouldn't.
I mean given the context we’re talking about? That’s absolutely trivial. A 20-operating-days fine wouldn’t touch my day-to-day life, I wouldn’t have to alter my behavior going forward at all, there would be almost 0 repercussions.
Would I enjoy it? Certainly not.
Would I change my behavior if it was generating billions in revenue? Certainly not.
1.1% seems like a slap on the wrist or the cost of doing shady business. 20% would be more appropriate, then again this seems like a political discussion between US and EU.
Reminder that this is revenue, not profit AND it is a fine from the EU so really only EU revenue should be counted when discussing how hard this hits Meta.
Even if the calculations for how to attribute income from different places would be difficult to decide upon precisely, and doubly so if the calculations are used to determine a penalty fine thanks to the possibility of being gamed, it can probably be guessed at without too much error in cases where Goodhart's Law doesn't bite.
> a fine from the EU so really only EU revenue should be counted
You can't really fully separate EU revenue. I as a European write very intelligent and relevant posts on Facebook, thus people from other regions go there to read them. (well, I don't post anything on Facebook these days, but the point stands)
Meta revenue is from showing an ad. "Is the ad shown in the EU?" seems like a pretty clear line. IFRS rules already require tracking the action that recognizes revenue so seems hard to play games with it.
Yes the fine should be based on global revenue, but when discussing if this fine actually hurts Meta, you should try to estimate the EU revenue, because it is about if Meta cares about the fine. If it is a significant part of EU revenue then Meta should want to comply or leave the EU. If it is not then Meta doesn't care.
The fines can be up to 4% of global yearly turnover. I think they don't go for the full amount immediately, because you always want to have room to increase the penalty if they don't comply after this fine.
Not really. The EU isn't trying to kill Meta, it's trying to get it to follow GDPR where it applies. For most people, fining them an equivalent of their monthly salary, is a blow painful enough the person won't forget it soon, and will try to avoid getting fined again.
Yeah agreed. They will simply continue to violate the GDPR. If the last years global revenue was 116 Billion USD, the fine should be at least 200 Billion. Otherwise companies just will see the fine as cost of doing business.
I am getting tired of always reading this same old tune. It's damned if you do, damned if you don't.
- EU fines a company a small percentage of its annual revenue. "Laughably small", "cost of doing business", EU has no fangs, blablabla.
- EU fines a company a large percentage of its annual revenue. Damn EU bureaucrats, trying to make money on the back of hardworking US multinationals, zero innovation over there so they steal from America, blablabla.
What do you want? For the EU to impose such large fines that they put every tech company out of business? No one wins at that game.
"Fundamental human right" is a pretty high bar and it's lazy to just throw it out there without any evidence. The UDHR (https://www.un.org/en/about-us/universal-declaration-of-huma...) has it stated as "[n]o one shall be subjected to arbitrary interference with his privacy". Is signing up for an American company's service and being surprised they send information to the US really arbitrary?
Maybe it is (or maybe folks disagree with the UN on privacy) but people should actually make that case instead of treating it as self-evident.
There are two aspects to this, the message to the company and the message to the users:
Yes, the fines are small enough that they are normalized by the violating corporate as just a small additional cost of doing business. A dramatic negative externality gets trivialized. The signal to other corporates is: go ahead feasting on the corpse of user privacy, just do a proper cost-benefit analysis.
But, these fines are legal events, in jurisdictions that are relevant to large numbers of people.
The common argument "people don't care about privacy" is more truthfully "people assume that widely popular online businesses are legal and ok, since services that are not ok are generally not allowed to operate". In fact, when all sorts of public institutions are actually on Facebook (and other adtech platforms) and even encourage people to join and interact there, they actually endorse that implied legal status. This has been a fiasco that has cut to size any "proud" democracy out there.
News headlines of legal fines help puncture that implied institutional endorsement. The average user doesn't know that the fine is just 12 hours of revenue. They actually have no clue what sort of lucrative business is running behind their backs and against their interests. Using these legal events, provided they get some press, does help the argument of those pushing to use (where available) privacy-respecting alternatives.
Of course such is the ability of the public to get desensitized to any uncomfortable truths that eventually that effect will wear out too.
> Yes, the fines are small enough that they are normalized by the violating corporate as just a small additional cost of doing business. A dramatic negative externality gets trivialized. The signal to other corporates is: go ahead feasting on the corpse of user privacy, just do a proper cost-benefit analysis.
Non-compliance just causes another fine. So they could be up to 8% of turnover (not income) a year.
Not sure net income would tell you that much either. Many companies deliberately keep net income low by reinvesting in further growth. Think of Amazon's model. At least revenue gives you a sense of the upper limit.
But revenue has even more issues. You’ll end up hurting low margin companies the most.
If my company transacted $1T in some boring business model that netted a few million to the company coffers and employee pay then fining me on the $1T would simply wipe the company out many times over
Agreed, a fine on net income is meaningless, it just means it won't hurt. Should be at least 10% of revenue like antitrust tends to do, this would make anyone think twice.
I don’t think GP is suggesting that the fines should be calculated based on net income. Just that you should evaluate the _impact_ by comparing to net income.
So in Amazon's case you absolutely see a fine greater than their net income, but still only 1% of their revenue, and obviously such a fine would have a greater impact on Amazon than the equivalent 1% fine applied to Facebook.
Well, one could say that that is a problem about how Amazon is allowed to use some shady accounting tricks to declare low net income, and therefore that problem is the one that should be addressed directly.
So when you're having a bad year because you over-hired, or because some upstream service you depend on too much is abusing their power to squeeze you, you should be entitled to break any law?
What if your company is set up with the usual tax tweaks where all net income is zeroed out by some licencing agreement about hand-wavy IP from a sibling company in the corporate family?
Taking it a step further, will you get a fine-back as a reward for breaking the law if your accountants manage to declare negative income?
I think the GP meant that you should see the fine in relation to the net income, rather than that the fine should be computed in terms of the net income.
E.g. if a company has 100b revenue and a net income of 4b, then a 1.3b fine has a large impact. If a company has a net income of 50b, then 1.3b is peanuts.
(I don't necessarily agree, but just elaborating what they probably meant.)
An interesting way to look at it, the impact of a given percentage of revenue will certainly differ a lot between some tight margin reseller and a business that is basically market printing once established. But I can't parse the wording of the last sentence in GP post as "should be seen", it's to "should be". If there is ambiguity I fail to see it.
Neither revenue nor net income will really represent the value of a company. Company evaluation would be more fitting, especially if the company is publicly traded.
It's amazing to me how many otherwise intelligent people on HN inevitably make this same comment, when in fact, this is a substantial fine even to a company the size of Meta. Much higher would be borderline extortion, and Meta would seriously start to consider whether doing business in the EU is worth it.
Sure, but let's also add a reminder that the point of the fine isn't to torture or kill the company - it's to incentivize it to comply with the law.
Whatever ills people may ascribe to Meta, EU DPAs aren't in the business of social activism, or taking their annoyance out on multinational corporations. The job is to get Meta to comply with GDPR. If that fine will do the trick, mission accomplished. If it won't, the next one will be bigger, and then fining will continue until compliance improves.
(There's a sub-story here about Irish DPC, but that's orthogonal to the size of GDPR fines issued.)
You realize how silly this would be right? If you got a parking ticket, how would you feel about being fined some % of your monthly paycheck instead of a flat $50?
Like it is more fair. Why should a poor person pay nearly a day's wages for a violation when other people don't have to have such a harsh punishment?
Does it seem ridiculous at the edges? Sure, but it also makes the fine an actual punishment for all rather than a rule that the better off can afford to ignore. This is true even in the case of driving laws. Sure, you might lose your license regardless of finances - but only one of them can fairly easily afford the reinstatement fees and the extra costs of not driving.
Moving the datacenter to the EU makes it a crime; we can at least impose diplomatic sanctions as and when we catch foreign spies doing crimes in the EU. If the datacenter is in the US then there's no recourse.
The EU member states are responsible for protecting various rights of their citizens and they can't do that if the private data is placed in an uncooperating jurisdiction.
Given the creativity in accounting possible for multinationals and the difficulty in capturing value added to other areas from activities in an area that's a number with very little actual value.
The accounting is not what matters. What matters is using your brain to figure out if a fine is actually meaningful.
Comparing to revenue is a stupid way to think about things. Profit is the incentive to conduct business. Not revenue. And not global profit, but in this case Ireland/EU profits only, because that is the location fining them.
People are so eager. Every. Single. Time. To say that a fine does not matter even if it clearly outpaces multiple years of profits for the area given.
> Comparing to revenue is a stupid way to think about things. Profit is the incentive to conduct business
Because it is and it isn't. Companies can make people filthy rich while not making a single dollar of profit thanks to the stock market where the price does grow, broadly, in terms of revenue.
You’re right in that it ought to be compared to the scale of profits, not a percentage, as many run on a loss during growth. But profit is still what matters. Including the promise of future profits.
Talking of the future doesn’t help much because both numbers will change. And punishing a company based on its future state is… not possible
Then people would notice how laughably small those fines are.
> Meta was fined 12 hours of revenue for violating your fundamental human rights for years of profit.