Despite EU court rulings, Facebook says US is safe to receive Europeans’ data
Internal documents say EU judges’ ruling ‘should not be relied on’ in data transfer assessments.
Europe's top court says Washington plays fast and loose with European data. Facebook disagrees.
Despite the European Union's highest court twice declaring that the United States does not offer sufficient protection for Europeans' data from American national security agencies, the social media giant's lawyers continue to disagree, according to internal documents seen by POLITICO.
Their conclusion that the U.S. is safe for EU data is part of Facebook's legal argument for it to be able to continue shipping data across the Atlantic.
"The conclusion of the Equivalence Assessment is, in summary, that relevant U.S. law and practice provides protection of personal data that is essentially equivalent to the level of protection required by EU law," says one of the Facebook internal documents, dated 2021. Equivalence Assessments are made by companies to judge how privacy protections in non-EU countries compare to Europe's.
In July 2020, the Court of Justice of the European Union (CJEU) struck down a U.S.-EU data transfer instrument called Privacy Shield. The court concluded Washington did not offer adequate protection for EU data shipped overseas because U.S. surveillance law was too intrusive for European standards.
In the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the U.S.
The CJEU reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe's top judges categorically stated Washington did not have sufficiently high privacy standards.
Still, Facebook — the company at the heart of both cases — thinks it shouldn't follow the court's reasoning.
The company's lawyers argue in the documents that the EU court ruling "should not be relied on" for the social media company's own assessment of data transfers to the U.S., because the judges' findings relate to Privacy Shield data pact, and not the Standard Contractual Clauses which Facebook uses to transfer data to the U.S.
"The assessment of U.S. law (and practice) under Article 45 GDPR is materially different to the assessment of law and practice required under Article 46 GDPR," the document reads. That refers to the two different types of legal data transfer instruments under the EU's General Data Protection Regulation and indicates that assessment under SCCs is different to assessment under Privacy Shield.
The company also says that changes to U.S. law and practices since the July 2020 ruling should be taken into account. As an example, it cites the U.S. Federal Trade Commission, a watchdog, "carrying out its role as a data protection agency with unprecedented force and vigour." Those arguments have been central to Washington's pitch during ongoing transatlantic negotiations over a new EU-U.S. data agreement.
Though companies have to take the EU court ruling into account when making their own assessments of third party country regimes, they can, in theory, diverge from the court's findings if they believe it is justified in a particular situation. This means that companies like Facebook can, in theory, continue to ship data out of Europe if they can prove its sufficiently protected.
"A transfer impact assessment conducted under EU law should take [the court's findings] into account for transfers to the U.S., but it is still an assessment that each company makes for their specific transfers under SCCs, which they are responsible for if the legality of that transfer is or will be challenged," said Gabriela Zanfir-Fortuna of the Future of Privacy Forum think tank.
Even so, several legal experts contacted by POLITICO said they could not see how Facebook would be able to conclude the U.S. protections are essentially equivalent to the EU's in light of the court ruling. One said that this was especially true for Facebook, since the company's own data transfers were at the heart of the case.
The revelations heap fresh pressure on the Irish Data Protection Commission (DPC), which first received a complaint against Facebook's data transfers in 2013 from Austrian campaigner Max Schrems. That complaint led to the CJEU's so-called Schrems I and Schrems II rulings that concluded that U.S. protections fall short of EU standards.
In a preliminary decision in September 2020, the Irish DPC suggested Facebook would have to stop transferring data to the U.S. following last July's ruling, but has yet to finalize the decision despite overturning Facebook's challenge to the agency's investigation in May. Dublin now holds the power to stop Facebook from moving EU data to the U.S.
If the Irish watchdog follows through with that decision, it would mark a serious blow to Facebook's efforts to keep the data taps flowing amid the ongoing EU-U.S. discussions on a new data-transfer pact.
The Irish DPC said it could not comment since it has an open inquiry into the matter.
A Facebook spokesperson said: “Like other companies, we have followed the rules and relied on international transfer mechanisms to transfer data in a safe and secure way. Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.”
The company's internal document also points to the EU's data flows deal with the United Kingdom, which Brussels approved in June, to back up its favorable assessment of the U.S.
"It is clear that in some important respects, the U.K. regime, which the Commission has assessed to be adequate under Article 45 GDPR, takes a similar approach to the U.S. in relation to limitations on data protection rights in the context of interception of communications," the document reads.
In a separate document listing factors relevant to its data transfers, Facebook seeks to downplay the risk that data is accessed by U.S. authorities.
It notes the 234,998 data requests it received from U.S. authorities in 2020 "represents a tiny fraction" of the total number of users, which Facebook estimates at around 3.30 billion.
Despite the European Union's highest court twice declaring that the United States does not offer sufficient protection for Europeans' data from American national security agencies, the social media giant's lawyers continue to disagree, according to internal documents seen by POLITICO.
Their conclusion that the U.S. is safe for EU data is part of Facebook's legal argument for it to be able to continue shipping data across the Atlantic.
"The conclusion of the Equivalence Assessment is, in summary, that relevant U.S. law and practice provides protection of personal data that is essentially equivalent to the level of protection required by EU law," says one of the Facebook internal documents, dated 2021. Equivalence Assessments are made by companies to judge how privacy protections in non-EU countries compare to Europe's.
In July 2020, the Court of Justice of the European Union (CJEU) struck down a U.S.-EU data transfer instrument called Privacy Shield. The court concluded Washington did not offer adequate protection for EU data shipped overseas because U.S. surveillance law was too intrusive for European standards.
In the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the U.S.
The CJEU reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe's top judges categorically stated Washington did not have sufficiently high privacy standards.
Still, Facebook — the company at the heart of both cases — thinks it shouldn't follow the court's reasoning.
The company's lawyers argue in the documents that the EU court ruling "should not be relied on" for the social media company's own assessment of data transfers to the U.S., because the judges' findings relate to Privacy Shield data pact, and not the Standard Contractual Clauses which Facebook uses to transfer data to the U.S.
"The assessment of U.S. law (and practice) under Article 45 GDPR is materially different to the assessment of law and practice required under Article 46 GDPR," the document reads. That refers to the two different types of legal data transfer instruments under the EU's General Data Protection Regulation and indicates that assessment under SCCs is different to assessment under Privacy Shield.
The company also says that changes to U.S. law and practices since the July 2020 ruling should be taken into account. As an example, it cites the U.S. Federal Trade Commission, a watchdog, "carrying out its role as a data protection agency with unprecedented force and vigour." Those arguments have been central to Washington's pitch during ongoing transatlantic negotiations over a new EU-U.S. data agreement.
Though companies have to take the EU court ruling into account when making their own assessments of third party country regimes, they can, in theory, diverge from the court's findings if they believe it is justified in a particular situation. This means that companies like Facebook can, in theory, continue to ship data out of Europe if they can prove its sufficiently protected.
"A transfer impact assessment conducted under EU law should take [the court's findings] into account for transfers to the U.S., but it is still an assessment that each company makes for their specific transfers under SCCs, which they are responsible for if the legality of that transfer is or will be challenged," said Gabriela Zanfir-Fortuna of the Future of Privacy Forum think tank.
Even so, several legal experts contacted by POLITICO said they could not see how Facebook would be able to conclude the U.S. protections are essentially equivalent to the EU's in light of the court ruling. One said that this was especially true for Facebook, since the company's own data transfers were at the heart of the case.
The revelations heap fresh pressure on the Irish Data Protection Commission (DPC), which first received a complaint against Facebook's data transfers in 2013 from Austrian campaigner Max Schrems. That complaint led to the CJEU's so-called Schrems I and Schrems II rulings that concluded that U.S. protections fall short of EU standards.
In a preliminary decision in September 2020, the Irish DPC suggested Facebook would have to stop transferring data to the U.S. following last July's ruling, but has yet to finalize the decision despite overturning Facebook's challenge to the agency's investigation in May. Dublin now holds the power to stop Facebook from moving EU data to the U.S.
If the Irish watchdog follows through with that decision, it would mark a serious blow to Facebook's efforts to keep the data taps flowing amid the ongoing EU-U.S. discussions on a new data-transfer pact.
The Irish DPC said it could not comment since it has an open inquiry into the matter.
A Facebook spokesperson said: “Like other companies, we have followed the rules and relied on international transfer mechanisms to transfer data in a safe and secure way. Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.”
The company's internal document also points to the EU's data flows deal with the United Kingdom, which Brussels approved in June, to back up its favorable assessment of the U.S.
"It is clear that in some important respects, the U.K. regime, which the Commission has assessed to be adequate under Article 45 GDPR, takes a similar approach to the U.S. in relation to limitations on data protection rights in the context of interception of communications," the document reads.
In a separate document listing factors relevant to its data transfers, Facebook seeks to downplay the risk that data is accessed by U.S. authorities.
It notes the 234,998 data requests it received from U.S. authorities in 2020 "represents a tiny fraction" of the total number of users, which Facebook estimates at around 3.30 billion.