Deep Dive: How to ignore the decisions of the CJEU in three steps. Facebook's Transfer Impact Assessment explained.
For the privacy geeks, that want to know more than what we have summarized in our 4th Advent Reading, we provide a deeper dive on this page on the four elements of Facebook's "Transfer Impact Assessment" (TIA).
Our approach to these disclosures. To avoid expensive "SLAPP" suits some elements are not available in some jurisdictions and we have decided to summarize the documents in a video instead of publishing them directly. Where the substance of the document is more relevant, we explain it in more detail and quote elements of it. There is one video per document. You can read the details about why we can use this document legally at the bottom of the page.
Document 1: Outline Document
The Outline Document basically refers to the other three documents, discussed below. It has 7 pages and is somewhat interesting, as it seems to be the "summary" of the other documents and gives an overview. The key part of the TIA is clearly the "Equivalence Assessment", where Facebook fully ignores the CJEU's judgments and comes to the conclusion that EU and US law are "equivalent". The other two documents are only presented as being additional resources. The "Factors Assessment" is mainly describes that data is sent to the US and what data it is, as well as the fact that there is access by the US government under FISA 702. The "Record of Safeguards" also contains the alleged "supplementary measures", even when no measure is clearly addressing US surveillance laws or the CJEU judgment. Ultimately, it is just a list of standard industry practices.
In summary, the argument that EU and US law are "equivalent" is the backbone and sole pillar of Facebook's approach.
Document 2: Equivalence Assessment of US Laws
The "Equivalence Assessement" ("EA") is a 58 pages document explicitly endorsed by Facebook's law firms Mason Hayes & Curran LLP and Perkins Coie LLP (para 1.4 of the EA). The document is best summarized in Facebook's own words (page 7 of the Outline document):
To get to this result, Facebook argues that the CJEU did not have all relevant facts to reach its conclusion, despite Facebook submitting about 45.000 pages in the procedure. Facebook further argues that the CJEU only rejected the European Commission's assessment in the "Privacy Shield", but did not in detail deal with Facebook's assessment. Therefore, in Facebook's view, the CJEU would have never decided on Facebook's transfers under the SCCs. This is actually incorrect, as the CJEU has outlined in paragraph 168 of the judgment, that it relied on the concerns of the Irish High Court and the Commission's Privacy Shield. There were substantial submissions on these matters by Facebook and the US government before the CJEU. Nevertheless the CJEU clearly held, that US law is not just not "equivalent" but in breach of Article 7, 8 and 47 of the Charter of Fundamental Rights.
Facebook further discounts EU law by mainly confusing judgments by the European Court for Human Rights (ECtHR) in Strasbourg (part of the Council of Europe, with 47 member states, including Turkey and Russia) under the low standard in Article 6 and 8 of the European Convention for Human Rights (ECHR) with the judgments of the Court of Justice of the European Union (CJEU) and its much higher standard under the Charter of Fundamental Rights of the European Union (CFR).
Contrary to the approach on EU law, Facebook "magnifies" protections under US law, that it has already brought forward countless times before the Irish High Court and the Court of Justice in the "Schrems II" litigation. They were all rejected. Nevertheless, Facebook is relying on these elements yet again to reach its conclusion that US law would provide protections to non-US persons.
This combination of full rejection of the CJEU ruling, discounting EU law and magnifying US law somehow justify illegal EU-US data transfers.
Document 3: Factors Assessment
In the 7-page "Factor Assessment" Facebook does not really argue that certain factors are somehow limiting the impact of EU-US data transfers.
Instead, the introduction explains that under the "Equivalence Assessment", Facebook comes to the conclusion that EU and US law are equivalent (contrary to the CJEU judgments). Therefore, Facebook says that the Factors Assessment is rather a "case by case" description of their EU-US transfers, than actually factors that are limiting surveillance.
The limited factors that would point at a lesser interference with EU fundamental rights in Facebook's view are e.g. the number of US government requests according to Facebook's own transparency report. The other "factors" simply describe facts like that the recipient is Facebook Inc. or that Facebook Inc. is in fact receiving FISA requests from the US government (page 7 of the "Factor Assessment"):
It is unclear how these "factors" can help make a transfer legal. In fact, Facebook does not really seem to rely on these "factors" to justify that the transfer would be legal, but rather designed the document to be a mere factual description. The main argument continues to be that the CJEU is wrong and EU and US law is in fact equivalent.
Document 4: Record of Safeguards, including Supplementary Measures
Finally, Facebook generated a document of 14 pages called "Record of Safeguards", which is mainly a long table of "measures", including "organizational measures" as well as "technical measures". They are in fact all baseline policies, required for example under Article 32 GDPR, like "mobile device management" or having an internal policy about how to react to government requests.
Interestingly, Facebook only employs 130 persons to respond to all government requests globally. This would mean that a legal request is checked for an average of about 10-15 minutes. As a measure to protect against fake government requests, Facebook mainly highlights that it verifies if the email address comes from a government domain name. It is unclear if Facebook reviews if a specific government entity has the rights to make demands for personal data of account holders.None of the listed measures seem to have any direct connection with US surveillance laws.
The only element that mentions FISA 702 and EO 12.333 highlights that Facebook employs industry standard encryption algorithms and protocols in transit, these standards are TLS encryption (as usual for any website) and AES encryption (as any smartphone does). Facebook acknowledges that not all data is encrypted, as it mentions that only nearly all Facebook traffic is TLS encrypted. In fact, there is no measure that would in any way protect against an order under FISA 702 PRISM / DOWNSTREAM (so surveillance directly at Facebook), but are only connected to "UPSTREAM" (so surveillance via the Internet backbone). As Facebook holds all the encryption keys and can access all data in the clear, there is no way that TLS and AES is a relevant protection:
Facebook closes the document with "proactive" measures, like lobbying and contributing to the development of US law and with having more information for users in FAQs.
We asked Alan Butler of epic.org on the "Record of Safeguards":
Legal Basis for the publication. As pointed out in our First Advent Reading, the four noyb Advent Readings are in protest of the DPC's illegal removal of noyb in a pending procedure. All documents were provided via the complaints procedure of Mr Schrems, pending for 8.5 years before the Irish DPC.
In a system outlined by Mr Schrems's lawyers and accepted by the DPC, Mr Schrems is allowed to freely use documents from the procedure, in cases where Facebook is under a legal duty to provide these documents, which is clearly the case here:
Article 5(1)(a) GDPR requires Facebook to be transparent. Article 13(1)(f) requires Facebook to inform users about how to obtain a copy of the measures, justifying an international transfer and Article 15(2) GDPR specifically provides a right to get a copy of them. In fact, users are unable to challenge a data transfer, if they are not informed about existing protections. The SCCs themselves foresee similar provisions since they give the users the right to enforce the SCCs (Clauses 3, 8.9, and 14 of the SCCs). It seems that any company that uses Facebook as a processor or joint controller would also have to be provided with the TIA.
Nevertheless, Facebook and the Irish DPC's position is that the GDPR and the SCCs do not allow users to get a copy of Facebook's TIA, but they are only available to the relevant supervisory authority (so in this case only the DPC).
The documents do not even contain commercially or technically sensitive information and are not protected under any relevant law.