20

The fine: https://www.theguardian.com/technology/2023/may/22/facebook-fined-mishandling-user-information-ireland-eu-meta

Like any website, we have an account system where people log in to access their orders and activate their software. So we have usernames, passwords, real names, recent IP addresses (for abuse protection), as well as the data of people's orders.

This is stored in the AWS East-1 datacenter in N. Virginia. Our users are mainly EU and US, and being in N. Virginia gives users the best overall latency.

We're about to incorporate in Europe, and I seem unable to interpret the recent rulings in any other way than that having a single account system is illegal, unless the account system in its entirety is hosted in the EU.

The engineering challenge is unfathomable, and it seems it would be for any business from a WordPress blog to a Google account system. If an EU user has a Google login, and the account system contains their first name, and Google's account system is global, how is this not just as illegal? Aren't all account systems illegal now?

Ian Kemp
  • 137
  • 7
Per
  • 303
  • 2
  • 4

2 Answers2

22

I assume this refers to the case covered here: https://www.theguardian.com/technology/2023/may/22/facebook-fined-mishandling-user-information-ireland-eu-meta

The gist is: Under GDPR you can only transfer personal data from inside the European Union to the outside if you have procedures in place that ensures it is still protected to European standards. Facebook was found to have failed in that regards, specifically when it came to access by US spy agencies. It seems indeed quite plausible that it is not possible to transfer personal data from the EU to the US in a way that is compatible with both EU and US law. The EU and the US are in negotiations to find a way to make this legally possible.

But until then, it seems that if you do have a European subsidary and want to keep all of your account data in the same place, it needs to be a place with robust privacy protections. That doesn't require it to be in the EU, but something like US, Russia or China would be illegal.

Arno
  • 2,206
  • 7
  • 17
19

Basically yes, but

  1. It is not really since the fine, but since the ruling in 2020 that the EU-U.S. Privacy Shield fails to protect Europeans' rights to data privacy when companies are transferring those data to the U.S.
  2. You can still do it, but you have to be really careful.

What this fine does is demonstrate that Meta has failed in doing this. One could take that as evidence that it is a hard problem to solve and it would be easier to move your data to the EU. The best summary I have come across is this from the International Association of Privacy Professionals which says:

The CJEU reaffirmed the validity of SCCs but stated that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, that companies must provide additional safeguards or suspend transfers. The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent protection can not be ensured.

This is where it gets tricky, particularly in the U.S. context.

The CJEU itself assessed the sufficiency of protections with regard to U.S. government access to data and found them lacking. The question regulators and companies now face is whether the concerns raised by the court are applicable in the context of particular transfers and can be remedied through additional protections — again, not only in the U.S., but also in all countries without an adequacy determination.

Privacy professionals may need to consider whether relevant surveillance programs and authorities apply in particular contexts. If they do, they could then assess whether those authorities include proportional limitations in the given context, as well as whether effective judicial remedies exist. Alternatively, they might consider ways to limit the context itself through additional safeguards. Encryption, for instance, might be a consideration.

User65535
  • 10,342
  • 5
  • 40
  • 88