Facebook's lawyers are urging the tech giant to ignore EU court rulings that oblige the company to address data protection concerns.
Despite the fact that the European Court of Justice ruled twice that Facebook's data management, and especially the American data protection regulations, are worrisome from the point of view of EU law, the tech giant's lawyers continue to prepare professional materials that aim to ensure the flow of data between Europe and the American headquarters - POLITICO learned .
One such document, produced in 2021, states:
"Overall, the conformity assessment led to the conclusion that the relevant laws and jurisprudence of the United States in relation to data protection are basically the same as the level of legal protection required by the law of the European Union."
Two EU court rulings are also about the conflict between Facebook's practices and EU data protection regulations
Despite this, as the Precedent also wrote , the European Court of Luxembourg declared invalid the decision that had so far established the flow of data on EU citizens to the United States . It was about the adequacy of the protection provided by the so-called EU-US data protection shield, which essentially created an appropriate legal basis for data management for companies outside Europe, such as Facebook.
The data protection shield is actually a type of regulation (framework) in which the company commits itself through legal instruments to act with increased care during data management. In simpler terms, it can also be seen as a kind of lasso, with which non-European - third-country - companies can be brought under the scope of the GDPR.
The 2020 European court ruling confirmed the board's practice established in 2015. At that time, the Court of Justice of the European Union declared in relation to the predecessor of the EU-US data protection shield that it was contrary to EU law.
The essence of both EU court judgments is that
Washington's privacy standards prove insufficient.
Nothing of the two
And from Facebook's materials that have just been made public, it appears that Facebook ignores these judgments. That's exactly what POLITICO has learned, according to the documents
EU court rulings 'shouldn't be relied upon' when tech giant transfers data to US
because the court judgments refer to the already mentioned EU-US data protection shield, and not to the so-called Model Clauses, which Facebook actually applies during the data transfer process. The internal documents also reveal that, in the meantime, the US authority responsible for data protection, the Federal Trade Commission, "performs its task in its capacity as a data protection agency with strength and rigor never before seen."
Ireland, the Trojan horse?
Facebook Incorporation is an American company. From a legal point of view, the logical connection between the European Union and the United States is created by Facebook Ireland Limited, which has its headquarters in Ireland, a member of the EU, and which is also a taxpayer in Ireland. At the level of practice, all of this is achieved by the fact that European Facebook users sign a contract with a company called Facebook Ireland during registration, which states that the company will transfer and manage all or part of their personal data to Facebook Inc.'s American servers. It means that
In Europe, the Irish authorities are most likely to find a catch on Facebook.
The reason for using the conditional method is that Ireland seems reluctant to prosecute one of the biggest tech companies in the world. The Irish Data Protection Commission has long been suspected of taking too soft an approach towards US tech companies. According to the signs, the DPC does not only deal with Facebook with a gloved hand: Google and Apple also slip through its net.
One sign of Ireland's reluctance is that in September 2020, the DPC ordered Facebook to stop transferring the data of EU citizens to the United States based on the judgment of the European Court of Justice a few months earlier in July.
However, the instruction only reached the draft level;
the world is still waiting for the authority to finalize the text of the decision.
It cannot be emphasized enough that if the DPC ultimately obliges Facebook to do what everyone in Europe is waiting for, the tech giant could be in a really difficult situation, especially when it comes to overseas data transmission.
Ireland's current practice trumps the GDPR, and Brussels thinks that's fine
The main data protection law of the European Union is the General Data Protection Regulation (GDPR). This protects the data of persons residing in the European Union in the broad sense, and also regulates the flow of data between member states. It entered into force in May 2016 and will be applied from May 2018.
It would be more precisely applied if, for example, Ireland were willing to do so. At the same time, not only Ireland is responsible for not exploiting the GDPR. Euractiv wrote about how, according to a study by the Irish Council for Civil Liberties (ICCL), Brussels is quite calm about Ireland's lax handling of the strictest data protection rules in the world .
"The Commission has a duty to make sure that EU law is applied correctly. This also applies to GDPR. However, the report we are publishing today indicates that this is not the case. All of us and in order to ensure that Google, Facebook and the big tech companies are held accountable,
Commissioner Reynders must intervene"
- said Johnny Ryan, the senior researcher of the organization that produced the report.
In this regard, the study also reveals that the European Commission does not have sufficient information to find out to what extent the data protection authorities of which Member States exercise their powers, and in which cases they initiate proceedings at all.
Gergely Dobozi / mandiner.hu