Meta

Steps We Take to Transfer Data Securely

Every day, the free flow of data across borders keeps billions of people connected, allows millions of small businesses to trade internationally, and enables countless people to work in lockdown together. This free flow of data supports many of the services that are fundamental to our daily lives. It also underpins the global economy. It means a small tech start-up in Germany can use a US-based cloud provider. A Spanish product development company can run an operation across multiple time zones. A French retailer can maintain a call centre in Morocco. Millions of people can keep in touch with friends and family who live in different countries using video conferencing software. It also supports critical public services such as health and education.

Our global services are built to connect you to the people, places and things you enjoy, regardless of where in the world they may be. The content you see on our services is not static like a normal webpage, but is always being updated. For example, when you load Facebook on your phone, your News Feed might show you recent posts from friends in New York and Dublin, enable you to read the comments on the page of a small business from Italy, or participate in a discussion in a group with people from around the world. This content is a dynamic selection of information that changes over time without regard to international boundaries. All of this requires a constant global flow of information to make the connections that make your experience using Facebook unique and personalized.

Because this information is interconnected, we couldn’t simply split it up into regional silos. Our services are designed to be global and are supported by a cutting-edge global infrastructure that’s taken us over a decade to build. Seamless global data transfers are therefore a necessary ingredient for our services to work.

Cross-border data transfers between the European Union and the United States have been the subject of recent litigation and regulatory action, including a ruling in July last year by the Court of Justice of the European Union (CJEU). The CJEU invalidated the EU-US Privacy Shield, a legal mechanism for transatlantic data transfers, in light of concerns over whether US surveillance laws provided EU users with the protections required by EU law. Like many other businesses — large and small — Facebook relies on Standard Contractual Clauses (SCCs) to transfer data to countries outside the EU, including to the United States. Since the ruling, Facebook has been working to follow the steps set out by the CJEU to ensure that we can continue to transfer data safely and securely in accordance with GDPR.

We want to explain in more detail the commitments we make to our EU users to keep their information safe and secure when it is transferred to the US, and the policies we have in place to evaluate and respond to government requests. We’re also providing answers to Frequently Asked Questions where you can learn more. 

Keeping Your Data Safe

To keep your data safe when it is transferred from the EU/EEA to the US, we rely on SCCs, a tool approved by the European Commission which provides several important legal safeguards and whose validity was confirmed by the CJEU.

We also use a number of supplementary measures to protect your data. These include:

You can also learn more about standard contractual clauses. For more information on the safeguards and measures we have in place to protect your data when it is transferred to the US, please see our FAQs.

Responding to Government Requests for Information

FISA is the authority governing US government requests related to US National Security. In responding to FISA requests, Facebook follows the same process as for all government requests for user information — we comply only where we have a good-faith belief that the law requires us to do so. In addition, we scrutinize every government request we receive to make sure it is legally valid, no matter which government makes the request. When we do comply, we produce only information that is narrowly tailored to respond to that request. If we determine that a government request is not consistent with applicable law or our policies, we push back and engage governments to address any apparent deficiencies. If the request is unlawful, we will challenge or reject it.

By publishing guidelines for government requests, we encourage governmental entities to submit only requests that are necessary, proportionate, specific and strictly compliant with applicable laws. 

In addition, we engage with governments to encourage practices that protect people’s rights. We belong to advocacy groups like the Global Network Initiative, whose mission is to advance the freedom of expression and privacy rights of Internet users worldwide, and Reform Government Surveillance, which advocates for government data requests to be rule-bound, narrowly tailored, transparent, subject to strong oversight and protective of end-to-end encryption.

For more information about how we respond to government requests including those under US intelligence laws like FISA, please see our FAQs.