Schrems II (the revenge of Snowden) and a Facebook restructuring?

Following last week’s historic #SchremsII judgment in the EU Court of Justice (see also @t_streinz, Propp/@peterswire, Bird and Bird, and Daskal), I’m wondering again about an idea I considered at the time of the first @Snowden revelations of US mass surveillance.

Given the global reach of various US surveillance powers (especially #FISA “foreign intelligence” collection, and the CLOUD Act) over US entities, could corporate restructuring be the most effective mechanism to insulate Europeans’ data from Trump? (Far fewer Europeans currently use platforms based in China, India or Russia, but these issues of course apply in spades with WeChat/微信 or VKontakte/ВКонта́кте.)

It’s unlikely I know, but could Facebook break off an entirely legally separate FB Europe entity, headquartered within Europe; clone all of its backend infrastructure inside the EU; and deal with all EU customers from there, with the servers federated with the US mothership but transfers only made with explicit user consent? Perhaps we need a new Swiss neutral corporate form as insulated as far as possible from US compulsion… (Could that be a holding company? FB International Holdings? Now we are *really* getting deep into Swiss and international law 🙂)

Facebook’s whole value as a company is based on its #networkeffects of 2.99bn “Monthly Active Persons” (FB+IG+WA). I mean by federation that transatlantic “friends” would continue their relationship as normal; but only data actually passing between them would hop the pond. (As @jorisvanhoboken and @alecmuffett noted, this is potentially a lot of data, given FB sharing is often multiway rather than person-to-person. This would be an interesting empirical question to test.)

This corporate and technical restructuring would certainly be expensive for Facebook (and significantly reduce the efficiencies of operating at global scale). @aureliepols states ‘the re-engineering costs for a company whose culture is built on “move fast & break things” ie NOT “build robust processes & document them” would be out of this world! Some less complex data ecosystems have already mentioned cost increases of 30%’. But if I was an EU official, I might note protecting fundamental rights is more important than pandering to FB’s “fast-moving” engineering processes; and 30% more costs for a world-historically-profitable/valuable company might be considered… Aurélie adds: ‘if I was the CEO, with his shareholder structure, it’s about recognising the importance of this fundamental right for the viability of the business. In the meantime, they only seem to be “litigating up” ie sunken costs despite hiring great people’.

A US legal friend kindly (and anonymously) advises… ‘Your point re separate entities is right. Then the game becomes partially data “transfer pricing” — the sharing of data across entities should trigger a taxable event. We’re not fully there yet… that needs to be built out legally. Also the antitrust policing will be fun. But your point is legally viable in corporate law. Congress would push back potentially through money laundering concerns. That’s my best guess…’

@anupamchander had a good rejoinder: ‘Microsoft had a brilliant solution to the initial Microsoft-Ireland problem: hire Deutsche Telekom to host German data on its behalf. But apparently that solution proved unworkable, per this report.’ Handelsblatt called the Telekom cloud solution ‘over-priced, under-performing and unpopular with customers’, and their sources tell them ‘Microsoft Cloud Deutschland’ has lost Microsoft over 100 million euro.

@t_streinz added: ‘It’s also particularly fitting because it seems to be the US government’s preferred way to insulate US residents’ [TikTok] data from China’. I think it’s fascinating that corporate form doesn’t seem to have yet persuaded many in the US — it’s a real-life experiment in what it will take. In response to Congressional concerns, the company said its ‘parent is a privately owned company backed by some of the best-known US investors, which hold 4 of its 5 board seats. As we have said repeatedly, we have never shared TikTok user data with the Chinese government, and would not do so if asked’.

@nidhalaigh asked about the reach of the USA CLOUD Act. That’s why it’s essential this be a completely separate entity, with very strict legal and technical controls about the exchange of data between Facebook, Inc and FB Europe AG (say, a separate, German listed company). Clearly, you can’t stop the US getting jurisdiction over data when it has to be sent to a US entity (to message or share data with a US-served “friend”). If the AG was caught under CLOUD as an “affiliate” then the Inc-AG relationship must be such that the US corporation cannot enforce such demands under the EU member state law.

I have no problem with police or prosecutors from states with high human rights standards requesting evidence from FB Inc or AG, using mechanisms such as CLOUD (I’m not saying that route is anywhere near perfect.) If the country where FB Europe AG was incorporated signed an agreement with the US under CLOUD, the AG would still have all the protections of the EU legal framework when US police sent a request under that agreement.

Anupam responded: ‘I fully agree — but we have to be mindful that “high human rights standards” isn’t translated into a soft bigotry of “white folks” in this context. White supremacy is indeed insidious.’ I agree — this is one reason the accession of African and Latin American states to #Convention108+ is important (as is the work going on at @coe on the Cybercrime Convention protocol on cross-border evidence-gathering.)

Three final thoughts, for future posts. FB could of course simply reconstitute itself as a European-headquartered and hosted company, serving the world from an EU member state (likely Germany) with the highest global levels of constitutional privacy protection. (TikTok’s already-separated-from-China-parent is having difficulties doing this convincingly in either the Cayman Islands or the UK.)

Propp and @peterswire are right to cite us as saying post-Snowden, the Obama administration’s foreign intelligence reforms were world-leading. But Europe is catching up quickly via cases such as Digital Rights Ireland v Ireland, Big Brother Watch v UK and Privacy International v GCHQ (in the latter two I was delighted to act as an expert witness), and fundamentally better protects the human rights of everyone (not just Americans, with limited protections for their friends), and stronger scrutiny by the Court of Justice and the European Court of Human Rights of European states’ intelligence-related laws. It’s thanks to plaintiffs such as DRI, BBW, Privacy International and Schrems, rather than most of Europe’s data protection regulators, this is happening. (Indeed, Schrems’ case in effect was largely to force the Irish Data Protection Commission to act — we shall see what happens next. The @EU_EDPB met on Friday and issued a statement, and Hamburg and Berlin’s state regulators have responded forcefully.)

As a whole or part of a federation, a FB Europe AG would need to be built on astonishing levels of secure tech, if it was to have any chance of reducing the US National Security Agency’s effective access to the data it was hosting. (Perhaps evolving towards an entirely peer-to-peer system, with users’ data stored in end nodes and protected using hardware-rooted encryption, in devices with formally verified, open source hard- and software… Apparently ARM is close to such a toolchain!)

Lastly, all this effort and cost could be avoided with an international treaty on human-rights-compliant intelligence processes. And Trumpian pigs might fly…