Facebook CTO: Clear legal grounds needed for EU-US data exports

New law means no more data centres for social giant

European commission photo via Shutterstock

A European Court last month threw data-sharing with the US into a thicket by tearing up the so-called safe harbor agreement.

The catalyst for that was Facebook – or, rather Austrian Max Schrems, who’d accused Facebook of illegally analyzing user data, tracking users on third-party pages and participating in the US National Security Agency’s spying program.

Ireland’s ICO washed their hands of the case, so Schrems went to Brussels.

Safe harbor was the equivalent of Schengen-style, passport-free, frictionless travel across the EU, but for data.

Under European law, personal information on EU citizens must stay within the Continent for privacy reasons. Safe harbor let data go outside the EU, to the US, on a promise to keep people's data secure.

The scrapping of safe harbor threw at least observers into chaos: it’s the end of data sharing, it’ll be the start of data-centre tidal-wave building boom, thought many.

The truth lies somewhere in between, with US firms falling back on Model Clauses, template agreements written by the Commission that let firms in members states continue to send data to countries outside the EU lacking “adequate levels” of protection.

But, model clauses are risky: data exporter and importer are liable to action and damages should there be an infringement. Data importers are also liable for the actions of any third parties with whom they work in handling customers’ data.

It’s gone from passport-free travel to a potential data Vietnam.

Facebook was the catalyst. I asked Facebook’s chief technology officer Mike Schroepfe what happens next for his firm – does it now build out European data centres?

European data centres for European data as some have suggested?

First, Schroepfe – speaking at Facebook’s HQ in London – was careful to stress Facebook complies with local laws. This we know.

But what next – does Facebook build more Europe-based data centres? currently it has just one, at Luleå in Sweden, just outside the Artic Circle.

“It’s a challenge,” Schroepfe told The Reg on flying visit to London on Thursday morning.

“Because even if you have have a data centre in Europe, most Europeans are sharing their data with people outside Europe, so we need to have clear legal grounds to make sure that your feed isn’t limited to only the people who are also in the EU, which destroys a lot of the value you want out of the product.”

“Whereever the data centre and computing happens to be is one part of it, but the idea of email, and social networks and chats lets them to connect regardless of there geographic location. We think that’s what people are asking us to do with the products we build and we just want to make sure that is possible.”

So, it would seem: no new, European-centric data centres. Irrelevant, anyway, Facebook contends, given the dynamics of pan-global data.

Incompatible, too, with Facebook's business model.

Rather, Facebook appears to be banking on a return to the days of data Schengen. ®

Biting the hand that feeds IT © 1998–2018