Facebook says it has to move UK user data to California (and away from GDPR) because...er, Brexit

While Brexit negotiations lurch on and questions of post 1 January data adequacy provisions are still up in the air, Facebook has seized the chance to shake off a bit of regulatory rigor by confirming that it will move oversight of data belonging to UK users to the US.

That means that the firm will take advantage of the UK no longer falling under the European Union’s data protection regime to shift millions of members data from its current location in Ireland, where it comes under GDPR coverage, to California and, theoretically at least, out of the reach of EU regulators.

Although the UK has committed essentially to mirror GDPR in post-Brexit Britain, Facebook has seemingly had a fit of the vapors and said that there’s just too much uncertainty about what the Brits’ data protection regime will be. Therefore it’s much safer for everyone if everything moves to the US. The fact that this ‘liberates’ a ton of data from being subject to the toughest privacy regime in the world is, of course, a total coincidence. The firm insists:

Like other companies, Facebook has had to make changes to respond to Brexit and will be transferring legal responsibilities and obligations for UK users from Facebook Ireland to Facebook Inc [in California].

To be fair to Facebook, it’s not the only tech firm that’s cottoned on to this jolly wheeze. Google beat it to the post back in February when it announced the same policy shift. To its credit, Twitter says - so far - that its UK user data will still be handled by its operation in Ireland and as such will remain under the auspices of GDPR.

Facebook will let UK users know about the changes over the next six months, pointing out that anyone can stop using the company’s offerings if they’re not comfortable with the new arrangement, but insisting that the firm will not lower its privacy controls beneath GDPR standards. At which point all UK users need to do is ask themselves if they trust Facebook to keep its word.

The reality here is quite simple - US courts have upheld constitutional protections against unreasonable searches of data by the authorities, but afford no such safeguards for non-US citizens. Jim Killock, Executive Director of privacy lobbyist organization  Open Rights Group, said: 

Moving data out of the EU makes it harder to enforce your privacy rights. It means European actions to limit the power of the tech giants will not apply to UK citizens. It means the UK ICO [Information Commissioner’s Office] will need to be pushed to make the same decisions when companies break the law. And it means those tech giants can lobby for weaker UK rules to ensure they can get away with things in the UK that they cannot in the EU.

In the US, the Federal Trade Commission (FTC) last week teamed up with 48 US State Attorneys General to file lawsuits against Facebook alleging illegal monopolistic behavior  in the biggest domestic action against the firm to date. Meanwhile Down Under, the Australian Competition and Consumer Commission (ACCC) is accusing the company of misusing consumer data relating to a VPN app, Onavo Protect, for marketing purposes.

The ACCC alleges personal activity and app usage data was collected, aggregated and used to support Facebook’s market research activities between 1 February 2016 and 1 October 2017. ACCC Chair Rod Sims said:

We believe this is completely contrary to the promise of protection, secrecy and privacy that was central to Facebook’s promotion of this app. Consumers often use VPN services because they care about their online privacy, and that is what this Facebook product claimed to offer. In fact, Onavo Protect channelled significant volumes of their personal activity data straight back to Facebook.

Onavo was later bought by Facebook.

My take

I for one am completely sure my data will be perfectly safe in Facebook’s US arms…ahem.

Mind you, fair’s fair - while Twitter’s insisting that UK data will stay under the auspices of its Irish operation, that same operation has just been fined a paltry €450,000 ($547,000) by the Irish data regulator for breaching GDPR in 2018, so the price of being caught out even under the EU regime isn’t exactly the end of the world.

Maybe it’s just easier to decide that the safest bet is not to trust any of them?