British users’ data will be processed in the US instead of in Ireland, something which is likely to be challenged in court.
Facebook will be moving users in the UK into new agreements with its Californian HQ following Brexit, in a move which may have significant implications for Britons’ privacy.
Although the UK’s privacy laws remain matched with the European Union’s at the point of Brexit – and Facebook being required to comply with those laws – the move could leave room for divergence in the future.
It is not yet clear whether British users’ data would now be processed in the US as part of the user agreement change, something which could prompt a legal challenge due to the differences in US and UK privacy laws.
The move was first reported by Reuters and follows a similar announcement from Google in February. Both companies, as with many other American firms, have their EU head offices in Dublin.
Facebook will be informing users of the shift in the next six months, offering them the option to stop using the company’s services, including the Facebook platform, Instagram and WhatsApp.
“Like other companies, Facebook has had to make changes to respond to Brexit and will be transferring legal responsibilities and obligations for UK users from Facebook Ireland to Facebook Inc [in California],” a company spokesperson said.
“There will be no change to the privacy controls or the services Facebook offers to people in the UK, and the protections of UK GDPR will also apply,” they added.
Despite this assertion, Reuters cited people familiar with the company who claimed that Facebook was making the change partly because the EU’s privacy regime was so stringent.
“The bigger the company, the more personal data they hold, the more they are likely to be subject to surveillance duties or requirements to hand over data to the US government,” Jim Killock, executive director of the Open Rights Group, told Reuters.
What does this mean for you?
There are significant differences between the US and the EU when it comes to privacy legislation, and although the UK has stated its intention to uphold EU standards this situation is likely to become more complicated as part of trade negotiations.
Crucially, Facebook hasn’t clarified whether the change in user agreement location also means a change in where British users’ data is going.
A major European Court of Justice ruling this July struck down a procedure Facebook was using to transfer EU citizens’ data to centres in the US because, it said, there were not enough controls in the US on how law enforcement and intelligence agencies accessed that data.
While American citizens’ data is protected by constitutional safeguards against unreasonable searches, American courts have held that these protections don’t apply for foreign citizens overseas, as would be the case for all UK users.
The ECJ ruling remains British law and will become British case law when the country leaves the European Union, but the basis for the judgment – the fundamental right to data privacy, as enshrined in the EU’s Charter of Fundamental Rights – will not be adopted following Brexit. This leaves room for divergence.
“Moving data out of the EU makes it harder to enforce your privacy rights. It means European actions to limit the power of the tech giants will not apply to UK citizens,” Mr Killock told Sky News.
“It means the UK ICO will need to be pushed to make the same decisions when companies break the law,” he added.
“And it means those tech giants can lobby for weaker UK rules to ensure they can get away with things in the UK that they cannot in the EU,” he warned.