Facebook's internal messages reveal plans to ignore European privacy laws
Internal exchanges between Facebook lawyers seen by Politico show that the company intends to ignore judgements by the European Court of Justice of the European Union (CJEU) that US privacy laws offer insufficient protection to allow free transfer of personal data between the EU and the US.
The Facebook (now Meta) lawyers argue that because the company uses standard contractual clauses (SCCs) as the legal mechanism for transferring data, the court's judgement about the inadequacy of US data protection measures does not apply.
However, in the Schrems II case, which invalidated the EU-US data sharing agreement Privacy Shield, the EU authorities said that SCCs were still valid as a transfer mechanism, but only if "additional safeguards" were (where necessary) implemented to prevent excessive access to the transferred personal data by the recipient third country.
The social media company also mentioned the fact that the UK was granted data adequacy by the EU in June, even though the CJEU had found mass surveillance activities by the UK government to be illegal. In the exchanges, Facebook's lawyers argue that the US data protection watchdog the Federal Trade Commission was "carrying out its role as a data protection agency with unprecedented force and vigour," and that the US is now effectively not so different from the UK in terms of data protection.
"It is clear that in some important respects, the UK regime, which the Commission has assessed to be adequate under Article 45 GDPR, takes a similar approach to the US in relation to limitations on data protection rights in the context of interception of communications," the communications say, according to Politico.
The appointment by the Biden administration of Lina Khan, a fierce critic of monopolistic behaviour by big tech, as FTC Chair may be part of that argument, and indeed this line has been taken by the US administration in its negotiations with the EU.
However, the adequacy granted to the UK, which allow data transfers between the UK and EU countries can continue as before Brexit, is limited to four years and was made in the face of opposition from a majority of MEPs, regulators and privacy groups, and those negotiations are ongoing.
Facebook has been fighting the European regulators ever since 2013 when Austrian lawyer Max Schrems filed a case against it with the Irish Data Protection Commissioner (DPC) aimed at preventing Facebook from transferring data from Europe to the US in the wake of the Snowden revelations. That case, which eventually led to the demise of the Safe Harbour data transfer agreement, has still yet to be fully resolved.
In May, Ireland's High Court dismissed Facebook's attempt to block the DPC from ruling on the social media company's data transfers.
The DPC could now rule that EU users' data must be stored locally. However, it has long been accused of being reluctant to act against the tech giants, many of which are headquartered in Ireland for tax reasons.
Schrems has accused the DPC of actively helping Facebook "bypass the GDPR". He also accused the DPC of pressuring his company, nyob, to sign a non-disclosure agreement to prevent it publishing documents relating to its investigations into Facebook.
On the leaked internal documents, Schrems said: "Facebook has been ignoring EU law for 8.5 years now. The newly released documents show that they simply take the view that the Court of Justice is wrong - and Facebook is right. It is an unbelievable ignorance of the rule of law, supported by the lack of enforcement action by the Irish DPC. No wonder that Facebook wants to keep this document confidential. However, it also shows that Facebook has no serious legal defence when continuing to ship Europeans' data to the US."