Facebook to move UK users out of EU’s privacy jurisdiction next year, post-brexit
Facebook is to follow Google’s lead and move millions of UK users out of the jurisdiction of EU privacy laws to the US (which has no such comprehensive data protection framework) next year under a looming Brexit-related change to its T&Cs, Reuters reported yesterday.
Confirming the switch, Facebook told the news agency: “Like other companies, Facebook has had to make changes to respond to Brexit and will be transferring legal responsibilities and obligations for UK users from Facebook Ireland to Facebook Inc.”
“There will be no change to the privacy controls or the services Facebook offers to people in the UK,” Facebook added, using phrasing that elides the fact that the switch from the EU to the US inevitably involves a radical downgrading in legal protection for data and privacy.
Per Reuters, Facebook will inform users of the switch within the next six months — giving them the ‘option’ to stop using Facebook’s services (Facebook, Instagram, WhatsApp) if they’re unhappy with the legal switch.
As we reported in February when Google announced a similar legal migration for UK users, shifting them from its EU subsidiary to the US, the move is a consequence of the UK’s vote to leave the European Union — which moves it away from EU standards, including its long-standing data protection framework.
Now, with just days before the end of the brexit transition period, it’s still not clear whether the UK will get a trade deal with the EU or leave with no deal — the latter ramping up the possibility the UK will also not get a data adequacy agreement from the EU, arguably making future divergence on data protection standards more likely (since there will be no ‘carrot’ of continued friction-free EU-UK data flows to encourage continued alignment).
The UK has also signalled it wants a data-fuelled levelling up of the economic, publishing a National Data Strategy in September that talks about making pandemic levels of data-sharing the new normal.
The document threw shade at the entire concept of data protection — saying the government plans to “promote domestic best practice and work with international partners to ensure data is not inappropriately constrained by national borders and fragmented regulatory regimes so that it can be used to its full potential”.
Since then privacy experts have expressed concern that clauses in a UK-Japan (post-brexit) trade deal are weakening the UK’s existing data protection regime (which is, for now, based on transposed EU standards) — and could allow for flows of citizens’ data to nations with “weak or voluntary data protection arrangements”, as the Open Rights Group warned last month.
The US is one such nation that lacks a comprehensive framework for data protection. Though California has passed its own consumer privacy law and residents voted in November to strengthen the regime. But at the federal level there’s no GDPR equivalent — yet.
With so much uncertainty on where exactly the UK is headed on standards post-brexit, it’s little wonder tech giants like Google and Facebook are taking the opportunity to shrink their liability under EU privacy rules — by removing the 45M+ UK users from its Dublin subsidiary’s jurisdiction, in Facebook’s case.
The recent Schrems II judgement by Europe’s top court has also ramped up legal risk and uncertainty over EU to US transfers of personal data, giving Facebook another potential reason to rework its UK T&Cs.
Of course it’s not so great for UK users, given the privacy protections they’re losing.
But this time that’s more on brexit than big tech. And in this case brexit means that from next year UK users are going to have to hope their own government doesn’t decide to junk national privacy standards in its bid to ink trade deals with countries like the US, while trusting that Facebook (er!) will look out for their privacy interests.
Yes UK data protection law will continue to apply. (Though good luck getting the ICO to stand up for your rights.)
But the overarching guarantee of standards provided for by EU law is going in 2021.
The US Cloud Act, which was passed in 2018, already makes it easier for data on Internet services users to be passed between UK and US agencies for investigative purposes, for example.
While the UK government has a worrying record on mass surveillance and attacks on encryption.
Its new ‘child-safety-focused‘ plan to regulate Internet services also looks set to apply pressure on digital services not to use strong encryption to allow for mandatory content monitoring and other types of identity checks.
So, tl;dr, brexit is shaping up to mean the opposite of taking back control in the data sphere — with less privacy and reduce online freedom speeding down the pipe for Brits.