Facebook's internal assessment of EU-US data transfers shows it has no legal leg to stand on, says noyb

·10 min read

In its latest (and last) pre-Christmas document reveal, European privacy advocacy group noyb has published details of an 86-page internal assessment by Facebook of its (continued) transfers of European's personal data to the U.S. -- and the resulting conclusion can be best summed up as "The Emperor, Mark Zuckerberg, Has No Clothes".

The convoluted backstory here is that Facebook's transfers of EU users' data to the U.S. remain ongoing -- in spite of two rulings by the bloc's top court finding the U.S. is a risky jurisdiction for such data (aka Schrems I and Schrems II); and a preliminary order by Facebook's lead EU DPA, over a year ago, saying it must suspend EU-U.S. transfers in the wake of the aforementioned Schrems II ruling.

And if that wasn't enough, it's also almost a year since Facebook's lead EU DPA, the Irish Data Protection Commission (DPC), settled a legal challenge from noyb -- agreeing last January to "swiftly" finalize the complaint in question.

Yet there's still no final decision from Ireland on the legality of Facebook's EU-U.S. data transfers -- some 8.5 years after the complaint was first filed by noyb founder and chair, Max Schrems (noyb didn't even exist when he filed this complaint!).

Asked whether a decision on Facebook's data transfers will -- at long, long last -- be issued this year, the DPC's deputy commissioner, Graham Doyle, told us the inquiry is "fairly well progressed at this stage" but he admitted it will not be finalized in the next few weeks.

Asked if a decision will be issued in January, Doyle ducked specifying a time frame -- saying that the DPC is unsure "exactly when" the decision will be made.

So perhaps 2022 will -- finally -- be the year of reckoning for Facebook.

But, if not, 2022 may well be a year of substantial reckoning for the Irish DPC, which is now facing intense scrutiny over the sedate pace and convoluted form of its enforcements in major cases against tech giants like Facebook.

The European Commission warned earlier this month that unless "effective" enforcement arrives soon it will step in and move the bloc toward a system of centralized oversight.

So the message from EU lawmakers to DPAs such as Ireland (and, really, especially to Ireland) is simple: Use your enforcement powers soon -- or you'll lose them.

Returning to Facebook, if an EU data transfer suspension order does ever actually get enforced, the tech giant faces having to make drastic changes to its infrastructure and/or its business model.

Or it could even shut down service in Europe -- a possibility Facebook has floated in an earlier legal submission -- although its chief spin doctor, Nick Clegg, quickly denied it would ever actually do that.

Facebook and Clegg have preferred to resort to economic scare tactics to lobby the bloc's lawmakers against enforcing the rule of law against the national-state-sized data-mining empire -- suggesting that any suspension order against Facebook's data flows would wreak economic damage against European SMEs that use its ad tools to target consumers.

It's a classic Big Tech tactic to lobby against tighter regulation of its own market power by claiming that limits on its operations will be far more damaging for the smaller businesses that rely on powerful platforms to reach potential buyers.

The adtech industry also likes to imply that you can either have privacy or competition, not both.

However, on that front, regional competition authorities are becoming increasingly sophisticated in their assessment of adtech platform power -- including understanding how data abuse by tech giants can itself be a lever to lock in market power. (See, for example Germany's Federal Cartel Office's antitrust case against Facebook's consentless superprofiling of users.)

So how much runway such self-serving framing has left, as the bloc hastens to pass ex ante rules to boss tech giants, is up for debate.

Facebook has managed to use the courts to defer a final countdown on its data transfers issues for years. But its business model is now under attack on multiple fronts -- with the European Parliament, for example, pushing for tighter restrictions on behavioral ads and an outright ban on dark patterns in the Digital Markets Act.

In recent weeks, noyb has also been shining more disinfecting sunlight onto the EU's enforcement failures -- where Facebook is concerned -- by protesting at being removed from an ongoing procedure against it by the Irish DPC, after the regulator tried to get it to sign a gag order in exchange for remaining a party to the proceeding.

The DPC has been accused of acting in Facebook's interests in trying to keep procedural documents confidential without a valid legal basis for ordering third parties not to publish information related to ongoing procedures.

(And other pre-Christmas document-reveals by noyb have made especially awkward reading for the DPC -- which can be seen apparently trying to insert a notorious Facebook GDPR consent bypass tactic into European Data Protection Board (EDPB) guidance -- by arguing for allowing T&Cs to be laundered via contract clause -- and getting roundly slapped back by other EU DPAs.)

Last month, the not-for-profit also took the further step of filing a complaint of criminal corruption against the DPC -- in another sign of how frustrated European privacy campaigners have gotten at inaction against rights-trampling tech giants.

As noted above, despite a complaint that dates back to the Snowden disclosures, two landmark CJEU rulings and countless court challenges, Facebook continues to pass Europeans' data to the U.S. -- as if the rule of law can't touch it.

Yet, back in May, the company lost in the Irish High Court after trying (and failing) to challenge the DPC's procedure; including by arguing the DPC was being too hasty and did not properly investigate before it sent the preliminary suspension order. (NB: The original complaint dates back to June 2013 so it's fast approaching a decade old at this point.)

Details of Facebook's Transfer Impact Assessment (TIA) revealed by noyb yesterday are long on claimed justifications for Facebook to ignore the CJEU -- and short on substantive arguments to stand up Facebook's claim that it's totally not a problem for it to continue to take European's data to the U.S. for processing despite the CJEU ruling that there are huge legal implications if you do that.

The CJEU has -- not once, but twice -- struck down flagship transfer agreements between the EU and the U.S. on the grounds that U.S. surveillance law is in fatal conflict with European privacy rights.

And while, back in July 2020, the court did allow the possibility that data can be legally moved out of the EU to third countries, it made it clear that DPAs must step in and suspend data flows where they suspect people's information is going somewhere where it's at risk.

Given the court simultaneously struck down the EU-U.S. Privacy Shield, the U.S. was clearly identified as a problem third country.

Add to that, Facebook has the additional problem of its data processing being subject to U.S. surveillance law (via NSA programs like PRISM). So there's no easy fix for Facebook's EU data transfers, as we've said before.

However, having a friendly regulator that doesn't rush to do anything about really obvious problems is sure to help, though...

In a statement accompanying its publication of details of Facebook's TIA, Schrems said: "Facebook has been ignoring EU law for 8.5 years now. The newly released documents show that they simply take the view that the Court of Justice is wrong -- and Facebook is right. It is an unbelievable ignorance of the rule of law, supported by the lack of enforcement action by the Irish DPC. No wonder that Facebook wants to keep this document confidential. However, it also shows that Facebook has no serious legal defence when continuing to ship European's data to the US."

Noyb details the contents of the TIA via a number of videos -- including several where Schrems summarizes the contents of the document in detail. (In some locations in Europe it also provides data from the TIA itself but notes that it is withholding this content from the U.K. and Ireland on account of the legal risk of Facebook and/or the DPC bringing baseless SLAPP suits against it to try to exhaust its limited resources.)

Per its analysis, one of Facebook's tactics to try to deny/evade legal reality is to seize on newer developments, such as the Commission's updated Standard Contractual Clauses (SCCs) or the adequacy decision recently granted to the U.K. (despite that country's own surveillance practices) -- to claim as new evidence that the earlier CJEU ruling no longer applies.

That means Facebook has variously sought to argue that the DPC was too quick to come to a conclusion vis-à-vis the legality of its data flows; and that circumstances on the ground have changed in a way that means its flows are now totally fine anyway.

All of which serves to underline how delaying enforcement is itself a key strategy for Facebook to evade the application of EU law.

That, in turn, directly implicates its lead EU regulator -- because, by taking such a painstakingly long time over investigations the regulator generates ample time and space for Facebook to come up with fresh lines to cynically reboot its arguments against any enforcement taking place.

In short, it allows for a perpetual game of regulatory whack-a-mole that gives Facebook a thumbs up to carry on with data-mining business as usual in the meanwhile. While EU people's fundamental rights exist only on paper.

The DPC declined to comment on noyb's fourth Advent Reading when we reached out.

But here's Schrems' assessment again: "The Irish DPC is extremely slow and is not in control of this procedures. Facebook constantly moves to another argument, while the DPC has not even decided on the decision from 2013. Facebook is dominating this procedure -- instead of the DPC."

Per noyb, Facebook's TIA also details what it claims as "supplementary measures" to boost protection for the data -- something the EDPB has said may be possible for data controllers to apply to transfers to risky third countries to make such flows achieve compliance with EU standards.

For example, robust, end-to-end encryption may, in theory, be applied to prevent access to data in a readable form when it's in the U.S.

However, Facebook's business model is based on profiling users via its big data analysis of their information so it's certainly not in a position to lock its own business out of people's data. Not without a radical change of business model.

Unsurprisingly, then, noyb found the TIA's section on claimed "supplementary measures" contained nothing more than a (long) list of industry standard policies and procedures. So no extra steps at all, then.

"According to the documents we received, absolutely no new or relevant measures were taken by Facebook on foot of the CJEU judgment of 16.6.2020," noyb notes.

We reached out to the EDPB for a view on the sorts of policies and procedures Facebook's TIA lists as "supplementary measures" -- and will update this post with any response. Update: The EDPB secretariat said:

"[T]he GDPR introduces the new cross-functional principle of accountability. This means that each organisation must analyze its own situation and implement the organizational and technical measures necessary in its specific case. This is a case by case analysis, depending on the risk presented by the processing of personal data by the organisation.

The same principle applies to the Recommendations on measures that supplement transfer tools, which can be found here."

Asked for its response to noyb's assessment of its TIA, Facebook sent this statement -- attributed to a Meta spokesperson:

Like other companies, we have followed the rules and relied on international transfer mechanisms to transfer data in a safe and secure way. Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.