Steps We Take to Transfer Data Securely

By Erin Egan, Chief Privacy Officer, Policy

Every day, the free flow of data across borders keeps billions of people connected, allows millions of small businesses to trade internationally, and enables countless people to work in lockdown together. This free flow of data supports many of the services that are fundamental to our daily lives. It also underpins the global economy. It means a small tech start-up in Germany can use a US-based cloud provider. A Spanish product development company can run an operation across multiple time zones. A French retailer can maintain a call centre in Morocco. Millions of people can keep in touch with friends and family who live in different countries using video conferencing software. It also supports critical public services such as health and education.

Our global services are built to connect you to the people, places and things you enjoy, regardless of where in the world they may be. The content you see on our services is not static like a normal webpage, but is always being updated. For example, when you load Facebook on your phone, your News Feed might show you recent posts from friends in New York and Dublin, enable you to read the comments on the page of a small business from Italy, or participate in a discussion in a group with people from around the world. This content is a dynamic selection of information that changes over time without regard to international boundaries. All of this requires a constant global flow of information to make the connections that make your experience using Facebook unique and personalized.

Because this information is interconnected, we couldn’t simply split it up into regional silos. Our services are designed to be global and are supported by a cutting-edge global infrastructure that’s taken us over a decade to build. Seamless global data transfers are therefore a necessary ingredient for our services to work.

Cross-border data transfers between the European Union and the United States have been the subject of recent litigation and regulatory action, including a ruling in July last year by the Court of Justice of the European Union (CJEU). The CJEU invalidated the EU-US Privacy Shield, a legal mechanism for transatlantic data transfers, in light of concerns over whether US surveillance laws provided EU users with the protections required by EU law. Like many other businesses — large and small — Facebook relies on Standard Contractual Clauses (SCCs) to transfer data to countries outside the EU, including to the United States. Since the ruling, Facebook has been working to follow the steps set out by the CJEU to ensure that we can continue to transfer data safely and securely in accordance with GDPR.

We want to explain in more detail the commitments we make to our EU users to keep their information safe and secure when it is transferred to the US, and the policies we have in place to evaluate and respond to government requests. We’re also providing answers to Frequently Asked Questions where you can learn more. 

Keeping Your Data Safe

To keep your data safe when it is transferred from the EU/EEA to the US we rely on SCCs, a tool approved by the European Commission which provides several important legal safeguards and whose validity was confirmed by the CJEU.

We also use a number of supplementary measures to protect your data. These include:

  • Encryption and security: We take a range of measures to protect your data. We implement a comprehensive security program, including measures such as encryption when data is in transit, to protect user data at all times. We adapt and improve our security to keep ahead of the evolving risks and security threats that we face.
  • No “back door” governmental access: We do not provide any government with direct access or encryption “back doors.” We believe that intentionally weakening our services in this way would undermine the security that is necessary to protect people who use our global service.
  • Robust policies: For a long time, we have had comprehensive policies in place governing how we evaluate and respond to government requests for user data. We review each request and only provide information in response to requests that we determine are valid, producing only information that is narrowly tailored to respond to that request. 
  • Standing up for our users: Where government requests are deficient (e.g. overbroad or legally deficient), we push back and engage governments to address any apparent deficiency. Where necessary, we will challenge or reject unlawful government requests. We would also challenge any order seeking to require us to redesign our systems in a way that would undermine the security we provide to protect people’s data, or that attempted to gag us from disclosing the existence of such an order and our efforts to fight it.
  • Providing transparency: We strive to be open and proactive about the way we safeguard people’s privacy, security and access to information online. For this reason, it is our policy to notify users of requests for their information prior to any disclosure, unless we are prohibited by law from doing so or in exceptional circumstances when notice would be counterproductive such as when a child is at risk of harm. Since 2013, we’ve published biannual transparency reports concerning the nature and extent of government requests we receive for user data, including as much information as we can provide about the number of requests received under the United States Foreign Intelligence Surveillance Act (FISA) during the reporting period in compliance with US law. These reports give our community visibility into how many requests we receive, and how we apply our policies and respond to data requests.

You can also learn more about standard contractual clauses. For more information on the safeguards and measures we have in place to protect your data when it is transferred to the US, please see our FAQs.

Responding to Government Requests for Information

FISA is the authority governing US government requests related to US National Security. In responding to FISA requests, Facebook follows the same process as for all government requests for user information — we comply only where we have a good-faith belief that the law requires us to do so. In addition, we scrutinize every government request we receive to make sure it is legally valid, no matter which government makes the request. When we do comply, we produce only information that is narrowly tailored to respond to that request. If we determine that a government request is not consistent with applicable law or our policies, we push back and engage governments to address any apparent deficiencies. If the request is unlawful we will challenge or reject the request. 

By publishing guidelines for government requests, we encourage governmental entities to submit only requests that are necessary, proportionate, specific and strictly compliant with applicable laws. 

In addition, we engage with governments to encourage practices that protect people’s rights. We belong to advocacy groups like the Global Network Initiative, whose mission is to advance the freedom of expression and privacy rights of Internet users worldwide, and Reform Government Surveillance, which advocates for government data requests to be rule-bound, narrowly tailored, transparent, subject to strong oversight and protective of end-to-end encryption.

For more information about how we respond to government requests including those under US intelligence laws like FISA, please see our FAQs.
