
FEBRUARY 2023

International data transfers: safeguards for our advertising and measurement technologies Steps we take to keep data secure

TABLE OF CONTENTS

Introduction

Legal safeguards
1.1 Standard contractual clauses
1.2 Subprocessor commitments
1.3 Security commitments
1.4 Government requests for data
1.4.1 Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. 1801 et seq., FISA Section 702, 50 U.S.C. 1881a and Executive Order 12333

Technical measures
2.1 Our ‘defence-in-depth’ approach
2.2 Encryption and security
2.2.1 Encryption
2.2.2 Pseudonymous advertising and measurement data
2.3 Data centres and physical security

Organisational measures
3.1 Transparency
3.2 Internal audits and review
3.2.1 Company-wide privacy risk identification and assessment
3.2.2 Safeguards and controls
3.2.3 Incident management program
3.2.4 Third-party oversight
3.2.5 External data misuse and transparency into scraping
3.3 Third-party certifications and compliance offerings

00 INTRODUCTION

Introduction

This paper provides more detail on the measures Meta takes to keep information safe and secure when it is transferred using our advertising and measurement technologies.

The free flow of data across borders keeps billions of people connected, allows millions of businesses to trade internationally and enables countless people to work remotely yet together. This free flow of data supports many of the services that are fundamental to our daily lives. It also underpins the global economy. Our global services are built to connect people, places and things they enjoy, regardless of where in the world they may be. This requires a constant global flow of information to make the connections that make people’s experience unique and personalised. Because this information is interconnected, it cannot simply be split up into regional silos. Our services are designed to be global and are supported by a global infrastructure that’s taken over a decade to build. Seamless global data transfers are therefore a necessary ingredient for our services to work.


In June 2021, the European Commission adopted a revised set of Standard Contractual Clauses (‘EU SCCs’), which can be used to facilitate the lawful transfer of data outside of the European Economic Area (‘EEA’) under the GDPR. In March 2022, the Information Commissioner’s Office (‘ICO,’ the UK’s data protection authority) adopted a UK addendum to the new EU SCCs (‘UK SCCs’) to align the SCCs with applicable UK laws. Meta has incorporated the new EU SCCs and the UK SCCs into the terms for its advertising and measurement technologies. The purpose of this paper is to provide more information about the safeguards and measures we implement for our ads and measurement customers to ensure an adequate level of protection for their data and to keep their data safe and secure when it is transferred internationally. The paper also includes links to other helpful resources that provide further detail. We explain how and why we transfer data, as well as the contractual safeguards and technical and organisational measures we have in place when doing so. We have also included information about how we respond to government requests for data. The content of this paper is not intended to constitute legal advice and should not be relied upon as such. You should always consult your legal counsel for any legal questions you have about your use of our technologies and programs and compliance with applicable laws.


01 LEGAL SAFEGUARDS

Legal safeguards

1.1 Standard contractual clauses

In order for Meta to provide its ads and measurement services, it is essential to be able to transfer data internationally using its global infrastructure. This is done in accordance with the terms applicable to our ads and measurement technologies, such as the Business Tool Terms and Customer List Custom Audiences Terms. We use the EU SCCs and the ICO’s UK addendum to the SCCs for these transfers to ensure that your data has equivalent levels of protection – for our Business Tool Terms and Customer List Custom Audiences Terms, these SCCs are referred to in the European Data Transfer Addendum and UK Data Transfer Addendum.

1.2 Subprocessor commitments

Meta engages sub-processors to support its processing activities as a processor for data it receives from advertisers, as described in our applicable product terms, such as the Business Tool Terms and Customer List Custom Audiences Terms and the Data Processing Terms. These sub-processors are engaged to support the processing activities in the processing locations set out in our sub-processors page. The processing activities are subject to Meta policies and procedures, including the measures listed in our Data Security Terms. Meta flows down its contractual data processing commitments, including under the SCCs, to each of these sub-processors.

1.3 Security commitments

Our Data Security Terms apply when they are expressly incorporated into the terms for our advertising technologies, such as the Business Tools Terms, or the Customer List Custom Audience Terms. These Data Security Terms describe the minimum security standards that Meta maintains applicable to those advertising technologies, including the data you send to Meta using those technologies. Where our advertising technologies terms state that Meta processes personal information as an advertiser’s processor, the Data Processing Terms apply. These terms obligate Meta to ensure, amongst other things, that any person authorised to process personal information under the Data Processing Terms is bound by appropriate obligations of confidentiality and to implement appropriate technical and organisational measures to protect the personal information. This includes the measures listed in the Data Security Terms, which are expressly incorporated into the Data Processing Terms.


1.4 Government requests for data

Meta responds to government requests in accordance with applicable law and our terms of service. Each and every request we receive is carefully reviewed for legal sufficiency, and we may reject or require greater specificity on requests that appear overly broad or vague. When we comply, we produce narrowly tailored information to respond to that request. We notify people who use our technologies (including advertisers) about requests for their information before disclosing it unless we are prohibited by law from doing so or in exceptional circumstances, such as where a child is at risk of harm, emergencies or when notice would be counterproductive. We will also provide delayed notice upon expiration of a specific nondisclosure period in a court order and when we have a good faith belief that exceptional circumstances no longer exist and we are not otherwise prohibited by law from doing so.

As part of our ongoing effort to share more information about the requests we have received from governments around the world, Meta regularly produces a Government Requests for User Data report on government requests for user data to provide information on the nature and extent of these requests and the strict policies and processes we have in place to handle them.

Meta does not provide any government with direct access or encryption ‘back doors.’ We believe that intentionally weakening our services in this way would undermine the security that is necessary to protect people who use our global service. We encourage governmental entities to submit only requests that are necessary, proportionate, specific and strictly compliant with applicable laws by publishing guidelines for government requests. In addition, we engage with governments to encourage practices that protect people’s rights. We belong to advocacy groups like the Global Network Initiative, whose mission is to advance the freedom of expression and privacy rights of internet users worldwide, and Reform Government Surveillance, which advocates for government data requests to be rule-bound, narrowly tailored, transparent and subject to strong oversight.

1.4.1 Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. 1801 et seq., FISA Section 702, 50 U.S.C. 1881a and Executive Order 12333

FISA authorises the US government to request data related to US National Security. Section 702 of FISA allows the US government to target specified electronic communication service provider (ECSPs) accounts of non-US persons located outside the United States to acquire foreign intelligence information (including the content of communications). The requests must be for specified accounts with valid account identifiers, and all requests must conform to the terms of a court-approved certification with minimisation requirements.


If Meta were to receive a request pursuant to FISA or FISA Section 702, we would follow the same process as for all government requests for user information and comply only where we have a good faith belief that the law requires us to do so. In addition, we scrutinise every government request we receive to make sure it is legally valid. When we do comply, we produce only information that is narrowly tailored to respond to that request. If we determine that a government request is not consistent with applicable law or our policies, we push back and engage governments to address any apparent deficiencies. If the request is unlawful, we will challenge or reject the request. For more information about how we respond to government requests including those under US intelligence laws like FISA, please see our FAQs. Meta does not receive or respond to requests under Executive Order 12333. E.O. 12333 provides a legal framework for governing US intelligence activities to be conducted outside of the United States but does not impose any obligations on a service provider like Meta. Moreover, as outlined below, Meta employs advanced encryption algorithms that enable Meta to secure user data in transit from access by third parties.

Additional information on our approach to government requests, including how Meta responds to US national security requests, can be found in:

Government Requests for User Data Report
Government Requests for User Data FAQs
Information for Law Enforcement Authorities

In addition to the legal safeguards, Meta has implemented technical and organisational measures, which are set out below in sections 2 and 3.


02 TECHNICAL MEASURES

Technical measures

2.1 Our ‘defence-in-depth’ approach

At Meta we take what’s called a ‘defence-in-depth’ approach to security, meaning we layer a number of protections to make sure we prevent and address vulnerabilities in our code from multiple angles. It is a massive, ongoing effort that spans teams, departments and time zones. Security engineers and practices are embedded throughout the company to help ensure that data protections are built into our code and designs from the get-go, rather than added on at the end. In the graphic below, you can see how the ‘defence-in-depth’ approach relies on a combination of technology, expert security teams and the wider security community to help protect our technologies. This Designing Security for Billions article details each of the following 5 components — secure frameworks, automated testing tools, peer and design reviews, red team exercises and our bug bounty program — in greater depth.

Defence in depth: Keeping Facebook safe requires a multi-layered approach to security.

Secure frameworks: Security experts write libraries of code and new programming languages to prevent or remove entire classes of bugs.

Automated testing tools: Analysis tools scan new and existing code for potential issues.

Peer and design reviews: Human reviewers inspect code changes and provide feedback to engineers.

Red team exercises: Internal security experts stage attacks to surface any points of vulnerability.

Bug bounty program: Outside researchers are incentivised to find and report security flaws.

This layered approach greatly reduces the number of bugs live on the platform.


2.2 Encryption and security

Meta takes a range of measures to protect the data that we process and implements a comprehensive security program, including measures such as encryption when data is in transit, to protect user data at all times. We adapt and improve our security to keep ahead of the evolving risks and security threats that we face.

2.2.1 Encryption

Meta employs industry standard encryption algorithms and protocols designed to secure and maintain the confidentiality of data in transit over public networks. Employing advanced encryption algorithms enables Meta to secure user data in transit from access by third parties.

2.2.2 Pseudonymous advertising and measurement data

Most companies use unique identifiers within the URLs of their website. Identifiers are a way to uniquely reference users or content such as posts, pictures and videos. Within the Facebook app, these identifiers are known as FBIDs and Meta uses them to load content for users.

Scraping is the automated collection of data from a website or app. Unauthorised scraping often involves guessing identifiers, or using purchased identifiers to scrape users’ data. In some cases, scrapers collect identifiers and cross-reference phone numbers or other publicly available data to create reusable data sets that are sometimes sold for profit.

Meta created Pseudonymized Facebook Identifiers (PFBIDs), which combine timestamps and FBIDs to generate a unique time-rotating identifier. As we phase out the ability to access the original identifiers, this helps deter unauthorised data scraping by making it harder for attackers to guess, connect and repeatedly access data. These identifiers are not designed to prevent browser tools from removing tracking components from the URL. Meta uses this process to better protect people’s privacy from certain types of enumeration and time-delayed attacks while preserving the ability to have long-lived links.

2.3 Data centres and physical security

Our data centres are the backbone of our technologies. They power the apps and services, including Facebook, Messenger, Instagram, WhatsApp and Quest, making it possible to connect billions of people worldwide. Meta designs, controls and maintains our data centres to balance physical and platform security, availability and performance. Customer data is stored and protected in data centres that Meta owns or directly leases. We build our own servers, O/S networking and management systems, as well as AI-supported threat analysis and response. We invest heavily in technologies, processes and teams of dedicated security staff to help ensure the security of our production data centres. Further detailed information about our data centres can be found via our dedicated data centre page (https://datacenters.fb.com/).


03 ORGANISATIONAL MEASURES

Organisational measures

3.1 Transparency

In May 2021, Meta launched the Transparency Center to provide a hub for all our integrity and transparency work. In addition to information on how we enforce our Community Standards, the Transparency Center will be a central destination for all updates on how Meta is responding to decisions, recommendations and most case updates from the Oversight Board. As always, we strive to be open about the ways we protect people’s privacy, security and access to information online. That’s why we publish biannual transparency reports to provide detail on the numbers and maintain accountability in our work. Our reports are designed to give people visibility into how we enforce our policies and respond to data requests while monitoring dynamics that limit access to Meta technologies. Alongside our reports on Government Requests for User Data and our Regulatory and Other Transparency Reports, we also publish reports on Community Standards Enforcement, Widely Viewed Content, Content Restrictions Based on Local Law and Internet Disruptions.

3.2 Internal audits and review

We’re scaling how we operationalize privacy, including how we build new technologies, and we have made progress on our work to give people more control over their privacy and our broader mission to honour people’s privacy in everything we do. In order to put our accountability foundation into practice, we have designed processes, product escalation paths and technical mechanisms that embed privacy across all facets of our company operations. More information in relation to all of the below information can be found via our Privacy Progress Update.

3.2.1 Company-wide privacy risk identification and assessment

Risk assessments are essential to our ability to identify, assess and mitigate privacy risks. We have designed a privacy risk assessment program that performs an annual assessment to identify and assess privacy risk across the company, as well as a process to assess privacy risk after certain incidents. We will continue to evolve and mature our privacy risk assessment process.

3.2.2 Safeguards and controls

We have designed safeguards — operational activities, policies and technical systems — to address privacy risk and meet privacy expectations and regulatory obligations.

3.2.3 Incident management program

No matter how robust our mitigations and safeguards, we also need a process to identify when an event potentially undermines the confidentiality, integrity or availability of data for which Meta is responsible, investigate those situations and take any needed steps to address gaps we identify. Our incident management program operates globally to oversee the processes by which we identify, assess, mitigate and remediate privacy incidents. Although the privacy team leads the incident management process, privacy incidents are everyone’s responsibility at Meta, with teams from across the company, including legal, policy and product teams, playing vital roles. We continue to invest time, resources and energy in building a multi-layered program that is constantly evolving and improving.

3.2.4 Third-party oversight

Third parties are external partners who do business with Meta but aren’t owned or operated by Meta. These third parties typically fall into 2 major categories: those who provide a service for Meta (like vendors who provide creative support) and those who build their businesses around our technologies (like app or API developers). To mitigate privacy risks posed by third parties that receive access to personal information, we developed a dedicated third-party oversight and management program, which is responsible for overseeing third-party risks and implementing appropriate privacy safeguards.

3.2.5 External data misuse and transparency into scraping

Scraping is the automated collection of data from a website or an app. Using automation to access or collect data from our technologies without our permission is a violation of our terms. Our External Data Misuse team is dedicated to detecting, investigating and blocking patterns of behaviour associated with unauthorised access to data. Meta has taken legal action against companies who offer scraping for hire services in respect of people who use our technologies. To help people understand how we work to guard against scraping, we share ongoing updates around actions we’ve taken to protect against data misuse across our technologies and share ways people can best protect their data.

3.3 Third-party certifications and compliance offerings

Compliance is an effective way to validate the trustworthiness of a service. Meta encourages and expects verification that our security practices comply with the most widely accepted standards and regulations in the world. Independent third-party auditors test the security safeguards of our ads systems and provide their assessment in written reports (for example, SOC 2 and SOC 3 reporting). SOC 2 is an assurance report based on AICPA’s Trust Services principles and criteria. The annual assessment and report adheres to the latest SSAE 18 standard and covers everything from how we secure and protect our technologies and data centres, to how we verify the identities and backgrounds of our employees. These reports demonstrate our ability to meet a common security standard that advertisers can use to conduct risk assessments and determine whether the technical and organisational security measures that are in place meet their requirements.
