London Daily

Focus on the big picture.
Monday, Jul 07, 2025

Despite EU court rulings, Facebook says US is safe to receive Europeans’ data

Despite EU court rulings, Facebook says US is safe to receive Europeans’ data

Internal documents say EU judges’ ruling ‘should not be relied on’ in data transfer assessments.
Europe's top court says Washington plays fast and loose with European data. Facebook disagrees.

Despite the European Union's highest court twice declaring that the United States does not offer sufficient protection for Europeans' data from American national security agencies, the social media giant's lawyers continue to disagree, according to internal documents seen by POLITICO.

Their conclusion that the U.S. is safe for EU data is part of Facebook's legal argument for it to be able to continue shipping data across the Atlantic.

"The conclusion of the Equivalence Assessment is, in summary, that relevant U.S. law and practice provides protection of personal data that is essentially equivalent to the level of protection required by EU law," says one of the Facebook internal documents, dated 2021. Equivalence Assessments are made by companies to judge how privacy protections in non-EU countries compare to Europe's.

In July 2020, the Court of Justice of the European Union (CJEU) struck down a U.S.-EU data transfer instrument called Privacy Shield. The court concluded Washington did not offer adequate protection for EU data shipped overseas because U.S. surveillance law was too intrusive for European standards.

In the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the U.S.

The CJEU reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe's top judges categorically stated Washington did not have sufficiently high privacy standards.

Still, Facebook — the company at the heart of both cases — thinks it shouldn't follow the court's reasoning.

The company's lawyers argue in the documents that the EU court ruling "should not be relied on" for the social media company's own assessment of data transfers to the U.S., because the judges' findings relate to Privacy Shield data pact, and not the Standard Contractual Clauses which Facebook uses to transfer data to the U.S.

"The assessment of U.S. law (and practice) under Article 45 GDPR is materially different to the assessment of law and practice required under Article 46 GDPR," the document reads. That refers to the two different types of legal data transfer instruments under the EU's General Data Protection Regulation and indicates that assessment under SCCs is different to assessment under Privacy Shield.

The company also says that changes to U.S. law and practices since the July 2020 ruling should be taken into account. As an example, it cites the U.S. Federal Trade Commission, a watchdog, "carrying out its role as a data protection agency with unprecedented force and vigour." Those arguments have been central to Washington's pitch during ongoing transatlantic negotiations over a new EU-U.S. data agreement.

Though companies have to take the EU court ruling into account when making their own assessments of third party country regimes, they can, in theory, diverge from the court's findings if they believe it is justified in a particular situation. This means that companies like Facebook can, in theory, continue to ship data out of Europe if they can prove its sufficiently protected.

"A transfer impact assessment conducted under EU law should take [the court's findings] into account for transfers to the U.S., but it is still an assessment that each company makes for their specific transfers under SCCs, which they are responsible for if the legality of that transfer is or will be challenged," said Gabriela Zanfir-Fortuna of the Future of Privacy Forum think tank.

Even so, several legal experts contacted by POLITICO said they could not see how Facebook would be able to conclude the U.S. protections are essentially equivalent to the EU's in light of the court ruling. One said that this was especially true for Facebook, since the company's own data transfers were at the heart of the case.

The revelations heap fresh pressure on the Irish Data Protection Commission (DPC), which first received a complaint against Facebook's data transfers in 2013 from Austrian campaigner Max Schrems. That complaint led to the CJEU's so-called Schrems I and Schrems II rulings that concluded that U.S. protections fall short of EU standards.

In a preliminary decision in September 2020, the Irish DPC suggested Facebook would have to stop transferring data to the U.S. following last July's ruling, but has yet to finalize the decision despite overturning Facebook's challenge to the agency's investigation in May. Dublin now holds the power to stop Facebook from moving EU data to the U.S.

If the Irish watchdog follows through with that decision, it would mark a serious blow to Facebook's efforts to keep the data taps flowing amid the ongoing EU-U.S. discussions on a new data-transfer pact.

The Irish DPC said it could not comment since it has an open inquiry into the matter.

A Facebook spokesperson said: “Like other companies, we have followed the rules and relied on international transfer mechanisms to transfer data in a safe and secure way. Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.”

The company's internal document also points to the EU's data flows deal with the United Kingdom, which Brussels approved in June, to back up its favorable assessment of the U.S.

"It is clear that in some important respects, the U.K. regime, which the Commission has assessed to be adequate under Article 45 GDPR, takes a similar approach to the U.S. in relation to limitations on data protection rights in the context of interception of communications," the document reads.

In a separate document listing factors relevant to its data transfers, Facebook seeks to downplay the risk that data is accessed by U.S. authorities.

It notes the 234,998 data requests it received from U.S. authorities in 2020 "represents a tiny fraction" of the total number of users, which Facebook estimates at around 3.30 billion.
Newsletter

Related Articles

0:00
0:00
Close
U.S. Enacts Sweeping Tax and Spending Legislation Amid Trade Policy Shifts
Football Mourns as Diogo Jota and Brother André Silva Laid to Rest in Portugal
Elon Musk Founds a Party Following a Poll on X: "You Wanted It – You Got It!"
London Stock Exchange Faces Historic Low in Initial Public Offerings
A new online platform has emerged in the United Kingdom, specifically targeting Muslim men seeking virgin brides
Trump Celebrates Independence Day with B-2 Flyover and Signs Controversial Legislation
Boris Johnson Urges Conservatives to Ignore Farage
SNP Ordered to Update Single-Sex Space Guidance Within Days
Starmer Set to Reject Calls for Wealth Taxes
Stolen Century-Old Rolls-Royce Recovered After Hotel Theft
Macron Presses Starmer to Recognise Palestinian State
Labour Delayed Palestine Action Ban Over Riot Concerns
Swinney’s Tax Comments ‘Offensive to Scots’, Say Tories
High Street Retailers to Enforce Bans on Serial Shoplifters
Music Banned by Henry VIII to Be Performed After 500 Years
Steve Coogan Says Working Class Is Being ‘Ethnically Cleansed’
Home Office Admits Uncertainty Over Visa Overstayer Numbers
JD Vance Questions Mandelson Over Reform Party’s Rising Popularity
Macron to Receive Windsor Carriage Ride in Royal Gesture
Labour Accused of ‘Hammering’ Scots During First Year in Power
BBC Head of Music Stood Down Amid Bob Vylan Controversy
Corbyn Eyes Hard-Left Challenge to Starmer’s Leadership
London Tube Trains Suspended After Major Fire Erupts Nearby
Richard Kemp: I Felt Safer in Israel Under Attack Than in the UK
Cyclist Says Police Cited Human Rights Act for Riding No-Handed
China’s Central Bank Consults European Peers on Low-Rate Strategies
AI Raises Alarms Over Long-Term Job Security
Saudi Arabia Maintains Ties with Iran Despite Israel Conflict
Musk Battles to Protect Tesla Amid Trump Policy Threats
Air France-KLM Acquires Majority Stake in Scandinavian Airlines
UK Educators Sound Alarm on Declining Child Literacy
Shein Fined €40 Million in France Over Misleading Discounts
Brazil’s Lula Visits Kirchner During Argentina House Arrest
Trump Scores Legislative Win as House Passes Tax Reform Bill
Keir Starmer Faces Criticism After Rocky First Year in Power
DJI Launches Heavy-Duty Coaxial Quadcopter with 80 kg Lift Capacity
U.S. Senate Approves Major Legislation Dubbed the 'Big Beautiful Bill'
Largest Healthcare Fraud Takedown in U.S. History Announced by DOJ
Poland Implements Border Checks Amid Growing Migration Tensions
Political Dispute Escalates Between Trump and Musk
Emirates Airline Expands Market Share with New $20 Million Campaign
Amazon Reaches Milestone with Deployment of One Millionth Robot
US Senate Votes to Remove AI Regulation Moratorium from Domestic Policy Bill
Yulia Putintseva Calls for Spectator Ejection at Wimbledon Over Safety Concerns
Jury Deliberations in Diddy Trial Yield Partial Verdict in Serious Criminal Charges
House Oversight Committee Subpoenas Former Jill Biden Aide Amid Investigation into Alleged Concealment of President Biden's Cognitive Health
King Charles Plans Significant Role for Prince Harry in Coronation
Two Chinese Nationals Arrested for Espionage Activities Against U.S. Navy
Amazon Reaches Major Automation Milestone with Over One Million Robots
Extreme Heat Wave Sweeps Across Europe, Hitting Record Temperatures
×