EU-US data transfer tools used by Facebook ruled legal

Seven-year legal battle set to end after EU adviser decides standard contractual clauses are adequate

A top European court is a step closer – after a seven-year-long legal battle – towards approving the transfer of EU citizen data overseas, but only if fundamental rights are protected.

An advisor to the European Court of Justice said on Thursday that standard contractual clauses, those used by hundreds of companies to transfer data between the European Union and the United States, can continue to be used as a legal mechanism.

The case was originally brought in 2013 by then-student Max Schrems, when the Austrian privacy activist and lawyer filed a complaint against Facebook with the Irish data protection commissioner (DPC) regarding the transfer of European citizens' data to the US. The complaint was that the US government places surveillance above an individual's right to privacy, and therefore there were no guarantees in place to protect EU citizens from similar snooping.

His first complaint, filed nearly seven years ago, was rejected as frivolous; he won the appeal and eventually the case, which saw the Safe Harbour scheme struck down in favour of 2016's Privacy Shield. However, Schrems has consistently argued that there's no real difference between the two.

After that battle, Facebook eschewed the Privacy Shield for standard contractual clauses (SCCs), which allow EU organisations to bake data protection commitments into contracts they sign with other organisations outside of the zone – in this case, between Facebook Ireland and Facebook's headquarters in the US.

It's the approval of those SCCs that Facebook and other American tech companies will be celebrating today. Such data transfers are legal, according to an opinion document by an advocate general at the Court of Justice of the European Union — but only so long as necessary protections for data are in place, the onus for which is placed on the companies sharing the data. “Standard contractual clauses for the transfer of personal data to processors established in third countries is valid,” Henrik Saugmandsgaard Øe wrote in his non-binding opinion.

Facebook welcomed the approval. "We are grateful for the advocate general’s opinion on these complex questions," a spokesperson said in a statement. "Standard Contractual Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide. We look forward to the final decision from the CJEU."

The apparent approval of such data transfers may sound like a loss for Schrems, but he says the case is more nuanced than it may appear. "I am generally happy about the opinion of the Advocate General," he said in a written statement on the website of privacy organisation noyb. "The opinion is in line with our legal arguments. This is a total blow to the Irish DPC and Facebook as well as a very important step for users’ privacy. What is a problem is that the Advocate General is proposing a lower level of privacy protections for 'national security' under the ECHR, not the EU’s Charter of Fundamental Rights."

Another win for Schrems is the advocate general calling for data protection authorities – such as the Irish DPC and the Information Commissioner's Office in this country – to step up and do their jobs better, stressing that they have the ability to suspend data transfers if necessary.

"At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints," Schrems said. "This is a huge step for the enforcement of the GDPR."

Such advocate general opinions are not binding, but the court normally follows their recommendations. The final ruling is due next year, at which point Schrems believes there will likely be a difference of opinion between the advocate general and the final judgement.

"During the court hearing the Advocate General asked questions in a very different direction than the Judges," Schrems wrote in a statement before the opinion was published. "The judges seemed to be much more critical of US law and the assessment by the European Commission than the Advocate General. I, therefore, expect that the final judgment may provide stricter privacy protections than the opinion on Thursday."

If the ruling is adopted by the court, it means data will be able to keep moving between the EU and the US, such as to send email or book a hotel, says Schrems. "Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws require these companies to disclose data to the NSA," he said in a statement.

"This is also an economic problem for the US, because foreign revenue will go elsewhere. It is really upon the United States to ensure baseline privacy protections for foreigners. Otherwise no one will trust US companies with their data."

This also means that the UK, should it leave the European Union without a deal, would be able to fall back on SCCs to maintain data flows between the two jurisdictions.
