Thanks Yiannis. Their reasoning is that your account is a North American account if you live there. That means North American data protection laws apply, according to Facebook. This is based on the fact that you supposedly contract with Facebook US (never mind the fact that people move around).

This is super shaky though, as it negates any territoriality of law. It’s not because a service is offered in a country online that it doesn’t need to respect the laws of that country. The new stance being adopted (General Data Protection Regulation) is that European data protection law applies if any part of the processing (including the eventual delivery) happens in Europe. But this only comes in play in May 2018.

Meanwhile, Europe and the US rely on a bilateral arrangement to be able to move personal data from Europe to the US and apply specific protections on that data. There is a sister agreement, much smaller, between Switzerland and the US, and that’s the one I used.