Workplace data transfer FAQs
At Workplace, we're committed to your privacy and security, with world-class infrastructure and enterprise-grade security features designed to keep your Workplace community safe. We want to explain in more detail the commitments we make to our customers to keep their data safe and secure when it is transferred from the European Economic Area (EEA) to the US. We have therefore put together this FAQ for our customers to explain how and why we transfer data, as well as the protections that we have in place when doing so.
Is Workplace data transferred outside the European Economic Area (EEA)?
Yes. In order to be able to provide the Workplace service, it is essential for us to be able to transfer data outside the EEA and to utilise our global infrastructure. We do this in accordance with our Workplace Online Terms and specifically, the European Data Transfer Addendum. Workplace customer data processed by Meta Ireland will be transferred to countries outside the EEA, including the United States, for the purposes described in our Workplace Online Terms. These data transfers are necessary to operate and provide the Workplace service.
What mechanism does Workplace use to transfer data from the EU to the US?
From 7 September 2023, Meta will rely on the new Data Privacy Framework (DPF) for the transfer of Workplace customer data from the EU to the US. The DPF resolves a long-standing conflict of law between the EU and US, and means that we have the legal clarity to continue providing our services in Europe for the foreseeable future.
The DPF came into effect earlier this summer after the European Commission adopted its adequacy decision. It is a robust agreement that ensures the continued protection of Europeans' data and renews legal safeguards for thousands of transatlantic companies that transfer data between Europe and the US. It ensures that vital digital connections between businesses on both sides of the Atlantic can continue uninterrupted.
What measures and safeguards have we put in place to protect Workplace data when it is transferred outside the EEA?
We have in place a number of safeguards and measures for Workplace data being transferred outside the EEA, including:
Security:
Meta maintains an Information Security Management System (ISMS) for Workplace. ISMS is put in place to establish, maintain and continuously improve the confidentiality, integrity and availability of Workplace information assets and to ensure the trust of users using the Workplace platform. This has allowed Meta to maintain both ISO27001 and ISO27018 for Workplace, in addition to maintaining a SOC2 report and the robust technical safeguards outlined in the Data Security Addendum of the Workplace Online Terms. Becoming ISO27001- and ISO27018-compliant demonstrates that Workplace is committed to protecting its operations and information from internal and external threats.
Encryption of data in transit so that it cannot be read:
Meta employs industry-standard encryption algorithms and protocols designed to secure and maintain the confidentiality of data in transit over public networks. Employing advanced encryption algorithms enables Meta to secure Workplace data in transit from access by third parties.
Operational policies and procedures:
We have robust policies and procedures in place to ensure that Workplace data is adequately protected in relation to requests from governmental agencies. For example, we will only comply with a governmental request for Workplace user data after we are satisfied that the request complies with applicable law and our policies. If the request is unlawful (e.g. overly broad or legally deficient in any way), we will push back or challenge the request. We encourage governmental agencies to submit only requests that are necessary, proportionate, specific and strictly compliant with applicable laws, by publishing guidelines for government requests. More details about how we respond to government requests are provided in the Reviewing Government Requests FAQ.
No "back door" governmental access: We do not provide any government with direct access or encryption "back doors". We believe that intentionally weakening our services in this way would undermine the security that is necessary to protect people who use our global service.
Oversight:
We have a dedicated, trained Law Enforcement Response Team (LERT) that reviews and evaluates every government request for user data individually, whether the request was submitted related to an emergency or through legal process obtained by law enforcement or national security authorities. This team ensures that all requests are consistent with applicable law and our policies.
Meta's Transparency Report:
We publish information on government requests we receive in our Transparency Report. Information regarding requests made under the US Foreign Intelligence Surveillance Act (FISA) is included in the report with the maximum level of detail permitted under US law.
Advocacy:
We appreciate the focus of governments across the globe on protecting and safeguarding people's data, including in the US and Europe, and we work hard to do our part. We actively engage with governments to encourage practices that protect peoples' rights. We belong to advocacy groups such as Global Network Initiative, whose mission is to advance the freedom of expression and privacy rights of Internet users worldwide; and are a founding member of Reform Government Surveillance, which advocates for government data requests to be rule-bound, narrowly tailored, transparent, subject to strong oversight and protective of end-to-end encryption. We support surveillance reform and frequently engage with various government and regulatory bodies to advocate the same.
Individual rights:
In addition to the rights under EU law and US law, individuals also have the right to submit a complaint or questions about Meta's DPF certification through TRUSTe, an alternative dispute resolution provider based in the United States.
How does Meta handle law enforcement requests relating to Workplace?
Meta's policy is to redirect government requesters to the Workplace customer in the first instance. If Meta is required to respond to a request for information relating to Workplace customer data, then this Government Requests FAQ sets out the policy and processes which will apply.
Meta scrutinises every government request we receive, regardless of which government makes the request, to make sure that it is legally valid. If we determine that a government request is not consistent with applicable law or our policies, we push back and engage the governmental agency to address any apparent deficiencies. If the request is unlawful (e.g. overly broad, or legally deficient in any way), we will challenge or reject the request. We encourage governmental entities to submit only requests that are necessary, proportionate, specific and strictly compliant with applicable laws, by publishing guidelines for government requests.
We have robust policies to ensure that every government request is scrutinised, regardless of which government makes the request. Meta must comply with valid and compulsory legal requests from US government agencies. These requests must be made in accordance with applicable law and our policies, and we only produce the information that is narrowly tailored to respond to each request.