New filtering of documents with Facebook (or Meta) as the protagonist. In this case it does not come from the hand of Frances Haugen, the former employee of the company who has brought to light dozens of internal reports, but from the NOYB association, an acronym for None Of Your Business. The papers released by the Austrian activist Max Schrems’ organization reveal that Facebook does not consider itself obliged to keep the private data of its EU users on European servers. And this despite the fact that two judgments of the Court of Justice of the European Union (CJEU), the last of them in July 2020, expressly prohibit the sending of this type of information to the United States.
Ironically, the judgments in question are known as Schrems I and Schrems II (they are the response to lawsuits filed by the young lawyer) and, although they affect all technology companies, they were the response to specific lawsuits against Facebook.
In the United States, there is no federal law that regulates the management of private data. In the EU there has always been, the last one is the General Data Protection Regulation (RGPD), of 2018. Since the beginning of the century, when the internet became important, the North American country and the EU were based on the agreement Safe Harbor (Safe Harbor) to articulate the suitable treatment in American soil of the data of European citizens. Schrems succeeded in 2015 (Schrems I) for the CJEU to freeze that agreement, considering that if the US security agencies could access user data, they did not have the same guarantees as in Europe.
In response, the European Commission approved the Privacy Shield agreement, which sought to allow the transatlantic exchange of data with new safeguards. After being appealed again, the CJEU declared him invalid in 2020 (Shcrems II). The data of Europeans should remain on European soil for EU data protection regulations to be applied to it.
In an 86-page document disclosed by NOYB and advanced by Politico, Facebook’s lawyers defend that the sentence is not applicable to the company (despite the fact that the Privacy Shield veto is the result of the lawsuits filed against Facebook Ireland). “Relevant US law and practice provides protection of personal data that is essentially equivalent to the level of protection required by EU law,” the letter states, contrary to the provisions of the CJEU.
In another internal report, Facebook relativizes the number of inquiries the company has had from US security forces about the personal data of users of the social network. Specifically, it says that 224,998 data requests “represents a small fraction” of the total number of users, which Facebook itself estimates at 3,300 million (the figure includes users of products such as Instagram or WhatsApp).
“Facebook has been ignoring European laws for eight and a half years,” says Schrems in a statement. “The documents that we released show that they simply consider that the position of the CJEU is wrong and theirs is right. This is an incredible act of ignorance of the rule of law, supported by the inaction of the Irish data protection authority ”, adds the lawyer. This last institution has a lawsuit on its table since 2013 on which it has not yet ruled.
“Like other companies, we have followed the rules and we have followed the international data transfer mechanisms prudently and safely,” a Meta spokesperson told EL PAÍS. “Businesses need clear and comprehensive rules, supported by law enforcement firms to protect long-term transatlantic data flows,” he adds.
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and tech crunch.