According to Reuters, Facebook is modifying its terms and conditions so that the data of around one and a half billion of its users will be processed by Facebook USA rather than Facebook Ireland.
As of today, the data of the users of Africa, Asia, Oceania and Latin America are processed by Facebook Ireland, thus falling under the umbrella of the applicable EU data protection laws.
Despite not being European, the processing of data of the users from these countries would have fallen straight under the GDPR, entering into force on May 25, 2018. This will likely not be the case.
Indeed, art. 3 of GDPR provides that the GDPR covers “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” GDPR 3(1) or the processing and the “processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union” if the activities are related to the “offering of goods or service … to such data subjects in the Union” GDPR 3(2)(a) or “the monitoring of their behavior” GDPR 3(2)(b).
Facebook, however, declared that it will make GDPR protection available to all its users “in spirit” (declaration of M. Zuckerberg of April) but did not express a firm commitment to do so.
For more information on this and fro advice on GDPR implementation, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.