Facebook recently taught us, once again, that it may be easier to avoid a law than to comply with it.
On April 17, 2018, Facebook confirmed that to meet its mission to comply “in spirit” with “the whole” of the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, Facebook is effectively moving data for approximately 1.5 million users outside the reach of the law. By offering “new privacy experiences” complete with updated terms of service and data policy, Facebook is transitioning responsibility for all users outside the US, Canada and the EU from Facebook’s Irish company to its American branch located in California. As a result, affected users will be unable to file complaints with Ireland’s Data Protection Commissioner or in Irish courts; instead, U.S. privacy laws will apply, thereby avoiding application of the GDPR (unless American courts disagree).
Privacy researcher Lukasz Olejnik calls this “a major and unprecedented change in the data privacy landscape” resulting in “reduction of privacy guarantees and the rights of users.”
This is not the first time Facebook has played international law leapfrog to find the most beneficial statutory scheme, although Facebook’s earlier move was in favor of Irish law and did not try to avoid its application. In 2012, Facebook defended its use of the “Double Irish” accounting technique to reduce its tax liabilities.
While privacy is the main issue, Facebook still took time to confirm that the data transfer will have no tax implications. Facebook will continue to funnel revenue through its Irish corporation, but will deal with privacy issues through its headquarters in California.