Facebook was desperate to save cash by shipping European personal data to its data centres in the US. It was so certain that US spooks would not use the data to spy on European citizens that it has made a legal argument to require the EU to allow the US a safe harbour under its data protection laws.
This view has been consistently denied by the Court of Justice of the European Union (CJEU), which struck down a U.S.-EU data transfer instrument called Privacy Shield. The court concluded Washington did not offer adequate protection for EU data shipped overseas because US surveillance law was too intrusive for European standards.
In the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the US.
The CJEU reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe's top judges categorically stated Washington did not have sufficiently high privacy standards. Still, Facebook -- the company at the heart of both cases -- thinks it shouldn't follow the court's reasoning. Because America is the land of the free and it should be allowed to do what it likes.
The company's lawyers argue in the documents that the EU court ruling "should not be relied on" for the social media company's own assessment of data transfers to the US, because the judges' findings relate to the Privacy Shield data pact, and not the Standard Contractual Clauses which Facebook uses to transfer data to the US.
"The assessment of U.S. law (and practice) under Article 45 GDPR is materially different to the assessment of law and practice required under Article 46 GDPR," the document reads.
That refers to the two different types of legal data transfer instruments under the EU's General Data Protection Regulation and indicates that assessment under SCCs is different to assessment under Privacy Shield. The company also says that changes to US law and practices since the July 2020 ruling should be considered.
As an example, it cites the US Federal Trade Commission "carrying out its role as a data protection agency with unprecedented force and vigour."
Those arguments have been central to Washington's pitch during ongoing transatlantic negotiations over a new EU-U.S. data agreement.
Though companies have to take the EU court ruling into account when making their own assessments of third-party country regimes, they can, in theory, diverge from the court's findings if they believe it is justified.
"This means that companies like Facebook can, in theory, continue to ship data out of Europe if they can prove it's sufficiently protected."