The United Kingdom is expected to complete its “Brexit” withdrawal from the European Union as 2021 starts. The situation may be of some benefit to Facebook, as the UK is slated to immediately adopt its own version of the General Data Protection Regulation (GDPR) in a bid to maintain “adequate” status as an EU data transfer partner. Facebook has come up with a clever workaround that takes advantage of the UK’s newly independent status; it’s simply going to move local users to California to evade EU privacy rules.
Facebook users in the UK will now be governed by agreements with Facebook’s corporate headquarters in California, with all of their personal data presumably stored and processed in the state. The change is slated to be rolled out over the next six months, and UK users will be notified and given the option to close their Facebook, WhatsApp and Instagram accounts if they are not comfortable with their data being handled overseas.
Brexit complicates Europe’s data transfer partnerships
The UK has opted to remain subject to the EU privacy rules until the end of 2020, but will end this agreement as Brexit finalizes in 2021. Last-minute negotiations are in process to determine a trade deal between the two entities and whether or not the UK will be regarded as an “adequate” data transfer partner.
Assuming that Brexit stays on course, the new “UK GDPR” will be adopted as 2021 begins and keep very similar data protection requirements in place in the country. Though the UK GDPR is very close in structure to the original EU version, it remains to be seen if the country will be given “adequate” status. However, Facebook’s European headquarters are located in Dublin and the Republic of Ireland has opted to not be a part of Brexit.
A further layer of complication has been added by the recent Schrems II ruling, which essentially states that EU citizen data can no longer be legally transferred to the US due to the likelihood of government interception of it. Facebook was at the center of this case and was given a preliminary order to cease sending EU user personal data to the US, which it is appealing. If the UK is not given adequate partner status with the EU, it may have no incentive to forbid data transfers with the US.
Under the apparent assumption that the UK will ultimately go its own way on data protection policies and not be concerned with parity with the EU privacy rules, Facebook is using the situation to move some 45 million UK users of its platform out of reach of regulation by the Irish data protection authorities. Google, which also has its EU headquarters in Dublin, made a similar move in February.
The UK Facebook users will still be protected by a rough equivalent of the EU privacy rules after Brexit, at least initially. This includes the present Facebook privacy controls and settings. However, legal responsibilities and obligations will be directed to and handled by Facebook’s US headquarters. While UK users will still be able to bring complaints locally under the UK GDPR terms, this move entirely cuts the EU regulators out of the process.
Moving away from EU privacy rules
While Facebook will still be subject to regulation in California, which has the strongest data privacy laws in the US, shifting an entire nation’s userbase out from under EU privacy rules takes a considerable compliance burden off of the company. The California Consumer Privacy Act, which is active until 2023 (when a recently-passed upgrade to the law takes over), differs from the GDPR in several key areas. For example, the CCPA does not have firm and direct data security requirements and makes it more difficult for end users to successfully request deletion or change of personal information stored by businesses.
The US is not expected to be considered on adequate footing with EU privacy rules until a comprehensive GDPR-alike federal data privacy bill is passed. There was some serious talk about the issue with several different bills drafted going into early 2020, but the topic was essentially tabled for due to the outbreak of the coronavirus pandemic and the presidential election. Though there is substantial bipartisan interest in getting such a bill done, there is currently no clear frontrunner and no real timetable.
Industry analysts are generally expecting people in the UK to lose privacy rights in the wake of Brexit, as the strong EU privacy rules currently in place provide added protections for international data transfers. Facebook transferring legal responsibilities to California also subjects UK user data to the terms of the US CLOUD Act, which allows US law enforcement and intelligence agencies essentially unfettered access to the data of non-citizens that is stored within the country.