The world’s largest social media company said on Tuesday that it “had to make changes to respond to Brexit and will be transferring legal responsibilities and obligations for UK users” from Facebook’s branch in Dublin, Ireland, to its California headquarters.
The change would come into effect in 2021, Facebook said, and users would be notified by an update in the terms of service in the first half of the year.
The move, first reported by Reuters, means that UK data will no longer fall under the EU privacy regime, the General Data Protection Regulation, thought to be the most stringent globally. It follows a similar decision announced by Google in February.
The Information Commissioner’s Office, the UK’s privacy regulator, has said that the UK would introduce its own data protection regime, the “UK GDPR”, which mirrors the EU rules.
Nevertheless, some privacy advocates warn that UK regulators may not be as tough when it comes to enforcing local rules, and that the UK government may at a later point weaken their privacy requirements.
“The trend is likely to be for UK enforcement to be less robust than in Europe. Facebook are betting that they can evade tough regulation and they will have an easier time if they move their data out of European servers,” said Jim Killock, executive director of the UK-based digital campaigning non-profit Open Rights Group.
“It may be over time that the UK weakens its requirements about personal protections and data flows,” he added.
Facebook said that “there will be no change to the privacy controls or the services Facebook offers to people in the UK”, including how it gathers and processes data, and how it responds to law enforcement requests for user information.
It added that Facebook’s US operations already have legal responsibility for other non-EU users.