According to the French regulators, the transfer of data to the US is the biggest rub and violates sections of the law that cover data transfers to third party companies or countries. The US history of failure when it comes to protecting personal data is coming back to haunt them. Laws and regulations here have led to increased access to personal data by law enforcement and intelligence agencies instead of the other way around. Most of these sharing bills have come as parts of compromise so that businesses can sell and trade your data like commodities. This has left most US data collection efforts suspect at best and highlights the vast amount of data collected by groups like Meta and Google.
Both Google and Meta claim they need this data to properly provide end users targeted ads. The claim from them (also from Amazon) sounds hollow in the context they use it. The ad service is not for the person viewing the ad at all, but for the companies that are looking to catch the eye of people who are increasingly connected. The EU sees the collection of personal data as unnecessary for the business model, at least in its current form and verbosity (and of course the revolving door with US intelligence agencies). They feel that the anonymous collection of analytical data is ok, but the detailed histories that Google, Meta, Amazon, and others want is not.
Meta has become so frustrated that they have stared threatening to pull their services from areas in the EU. They feel that the laws protecting individual privacy and their ownership of their own data should not apply to them. This push back should tell you something about these companies when they want to rely on “contract clauses” instead of following the actual laws in the countries and regions they want to operate in. Meta is already in a bit of a fix as mobile device companies are looking to focus on user privacy and data collection as well. Apple’s recent changes to how they notify users about application data collection put a massive dent in Meta’s earnings. Having to cave to EU regulations and restrict how and what they collect as well as how they transfer, store and who they can share with is a big financial issue for them.
We feel that more and more countries will follow France and Austria as the EU tightens their personal data protection policies. Website owners in the US and elsewhere might want to start looking for alternatives to Google that either collect less data or can ensure anonymized information around connections and traffic is all that is collected. The creations of user IDs to track movement around the internet is not going to fly for much longer if recent cases are any indication. It would also be a good idea to ensure that other functions of your site do not collect, transfer, or store data that would fall under GDPR without user consent.