Facebook UK Users & EU Privacy: Changes in 2024

Facebook intends to align with Google and transfer millions of UK users from the protection of European Union privacy regulations to the United States next year, as reported by Reuters yesterday, due to upcoming changes related to Brexit in its terms and conditions.

The company confirmed this shift to the news agency, stating: “Similar to other organizations, Facebook is required to implement adjustments in response to Brexit and will be transferring legal responsibilities and obligations for users in the UK from Facebook Ireland to Facebook Inc.”

Facebook also noted, “There will be no alteration to the privacy settings or the services Facebook provides to individuals in the UK,” although this statement does not address the fact that moving from EU to US jurisdiction inherently results in a diminished level of legal protection for data and privacy.

According to Reuters, Facebook will notify users of this change within the next six months, offering them the ‘option’ to discontinue using Facebook’s services (including Facebook, Instagram, and WhatsApp) if they disagree with the legal transition.

As previously reported in February when Google announced a comparable legal relocation for UK users—moving them from its EU division to the US—this action stems from the United Kingdom’s decision to leave the European Union, thereby distancing itself from EU standards, including its established data protection framework.

With the Brexit transition period nearing its conclusion, it remains uncertain whether the UK will secure a trade agreement with the EU or depart without one—the latter potentially increasing the likelihood that the UK will also fail to obtain a data adequacy agreement from the EU, possibly leading to greater divergence in data protection standards, as the incentive of seamless EU-UK data transfers for continued alignment would be removed.

The UK government has also indicated its desire to leverage data for economic advancement, releasing a National Data Strategy in September that proposes normalizing data-sharing levels comparable to those seen during the pandemic.

The document questioned the entire concept of data protection, stating the government intends to “promote domestic best practice and collaborate with international partners to ensure data is not unduly restricted by national borders and fragmented regulatory systems, allowing it to be utilized to its fullest extent.”

Following this publication, privacy advocates have voiced concerns that provisions within a UK-Japan (post-Brexit) trade agreement may weaken the UK’s current data protection regulations (which are presently based on adopted EU standards) and could permit data transfers to countries with “weak or voluntary data protection arrangements,” as the Open Rights Group cautioned last month.

The United States is one such country lacking a comprehensive data protection framework. While California has enacted its own consumer privacy law and voters in November approved measures to strengthen it, there is currently no equivalent to GDPR at the federal level.

Given the considerable uncertainty surrounding the UK’s future standards post-Brexit, it is understandable that technology companies like Google and Facebook are capitalizing on the opportunity to reduce their liability under EU privacy regulations—by removing the 45 million+ UK users from the jurisdiction of its Dublin subsidiary, in Facebook’s case.

The recent Schrems II ruling by Europe’s highest court has also heightened legal risks and uncertainty regarding transfers of personal data from the EU to the US, providing Facebook with another potential justification for revising its UK terms and conditions.

Naturally, this development is not advantageous for UK users, considering the privacy protections they stand to lose.

However, this situation is more attributable to Brexit than to large technology companies. In this instance, Brexit implies that, starting next year, UK users will need to rely on their own government not to diminish national privacy standards in pursuit of trade agreements with nations like the US, while also hoping that Facebook (of all companies!) will safeguard their privacy interests.

It is true that UK data protection legislation will remain in effect. (Although successfully obtaining support from the ICO for your rights may prove challenging.)

However, the overarching guarantee of standards provided by EU law will expire in 2021.

The US Cloud Act, enacted in 2018, already facilitates easier data exchange between UK and US agencies for investigative purposes, for instance.

Furthermore, the UK government has a concerning history regarding mass surveillance and attacks on encryption.

Its new ‘child-safety-focused’ plan to regulate Internet services also appears likely to pressure digital services to avoid robust encryption to enable mandatory content monitoring and other forms of identity verification.

In short, Brexit appears poised to result in the opposite of regaining control in the data realm—with diminished privacy and reduced online freedom on the horizon for UK citizens.