Despite EU Court Rulings, Facebook Says US Is Safe To Receive Europeans’ Data

Despite the European Union's highest court twice declaring that the United States does not offer sufficient protection for Europeans' data from American national security agencies, the social media giant's lawyers continue to disagree, according to internal documents seen by POLITICO. Their conclusion that the U.S. is safe for EU data is part of Facebook's legal argument for it to be able to continue shipping data across the Atlantic. From the report: In July 2020, the Court of Justice of the European Union (CJEU) struck down a U.S.-EU data transfer instrument called Privacy Shield. The court concluded Washington did not offer adequate protection for EU data shipped overseas because U.S. surveillance law was too intrusive for European standards. In the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the U.S. The CJEU reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe's top judges categorically stated Washington did not have sufficiently high privacy standards. Still, Facebook -- the company at the heart of both cases -- thinks it shouldn't follow the court's reasoning. The company's lawyers argue in the documents that the EU court ruling "should not be relied on" for the social media company's own assessment of data transfers to the U.S., because the judges' findings relate to Privacy Shield data pact, and not the Standard Contractual Clauses which Facebook uses to transfer data to the U.S. "The assessment of U.S. law (and practice) under Article 45 GDPR is materially different to the assessment of law and practice required under Article 46 GDPR," the document reads. That refers to the two different types of legal data transfer instruments under the EU's General Data Protection Regulation and indicates that assessment under SCCs is different to assessment under Privacy Shield. The company also says that changes to U.S. law and practices since the July 2020 ruling should be taken into account. As an example, it cites the U.S. Federal Trade Commission, a watchdog, "carrying out its role as a data protection agency with unprecedented force and vigour." Those arguments have been central to Washington's pitch during ongoing transatlantic negotiations over a new EU-U.S. data agreement. "Though companies have to take the EU court ruling into account when making their own assessments of third party country regimes, they can, in theory, diverge from the court's findings if they believe it is justified in a particular situation," notes Politico. "This means that companies like Facebook can, in theory, continue to ship data out of Europe if they can prove its sufficiently protected."

Read more of this story at Slashdot.