Meta Response to the Decision on Facebook’s EU-US Data Transfers

On May 22, 2023, Nick Clegg, President of Global Affairs, and Jennifer Newstead, Chief Legal Officer, issued a statement regarding the transfer of data between the EU and the US. They noted that many businesses and organizations depend on this ability to provide everyday services. The conflict between US government rules on data access and European privacy rights is a fundamental issue that policymakers are expected to resolve in the summer. Facebook plans to appeal the ruling and the accompanying fine, and will seek a stay of the orders through the courts. However, there is no immediate disruption to Facebook in Europe. The free flow of data across borders is crucial to the functioning of the global open internet, supporting services from finance and telecommunications to healthcare and education. Many businesses and organizations rely on this ability to transfer data between the EU and the US to provide essential services to people every day. Without the ability to transfer data across borders, the internet risks being divided into national and regional silos, which would restrict the global economy and prevent citizens in different countries from accessing many of the shared services we have come to rely on. That's why establishing a solid legal foundation for data transfer between the EU and the US has been a political priority on both sides of the Atlantic for many years.

In 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield, a key legal mechanism for transferring personal data from the EU to the US. This decision created significant regulatory and legal uncertainty for thousands of organizations, including Meta.

At the time of its decision in 2020, the CJEU confirmed that an alternative legal mechanism called Standard Contractual Clauses (or SCCs) would continue to be valid subject to various legal safeguards. As such, like thousands of other businesses, Meta used SCCs believing them to be compliant with the General Data Protection Regulation (GDPR). Today, the Irish Data Protection Commission (DPC) has released its findings on Meta's use of a common legal instrument to transfer Facebook user data between the EU and the US. Although the DPC acknowledged that we acted in good faith and that a fine was unjustified, the European Data Protection Board (EDPB) overruled them at the last minute. We are appealing these decisions and will immediately seek a stay with the courts, given the harm that these orders would cause, including to the millions of people who use Facebook every day.

Meta uses the same legal mechanisms as other organizations, and ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government's rules on access to data and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own. We are disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe. The Longbridge Dolphin initially acknowledged that Meta had continued its EU-US data transfers in good faith, and that a fine would be unnecessary and disproportionate. However, this was overruled by the EDPB, which also chose to disregard the clear progress that policymakers are making to resolve this underlying issue. This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US.

It also raises serious questions about a regulatory process that enables the EDPB to overrule a lead regulator in this way, disregarding the findings of its multi-year inquiry without giving the company in question a right to be heard.

There is Already a Political Agreement to Solve the Underlying Conflict of Law

Policymakers in both the EU and the US are on a clear path to resolving this conflict with the new Data Privacy Framework (DPF). In March 2022, President Biden and Commission President Von der Leyen announced that they reached an agreement on the principles of a new framework to enable the free flow of transatlantic data. Policymakers on both sides of the Atlantic have committed to fully implementing the DPF "as quickly as possible."

Regulators, including the EDPB, have welcomed the improvements made by the DPF. We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects' data once the underlying conflict of law has been resolved. This will mean that if the DPF comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users.

At a time where the internet is fracturing under pressure from authoritarian regimes, like-minded democracies should work together to promote and defend the idea of the open internet. No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China. Our top priority is to ensure that our users, advertisers, customers, and partners can continue to enjoy Facebook while keeping their data safe and secure. The decision does not immediately disrupt Facebook because the implementation periods run until later this year. We plan to appeal both the decision's substance and its orders, including the fine, and will seek a stay through the courts to pause the implementation deadlines.