EU-US data transfer tools used by Facebook ruled legal

Seven-year legal battle set to end after EU adviser decides standard contractual clauses are adequate

A top European court is a step closer – after a seven-year-long legal battle – towards approving the transfer of EU citizen data overseas, but only if fundamental rights are protected.

An advisor to the European Court of Justice said on Thursday that standard contractual clauses, those used by hundreds of companies to transfer data between the European Union and the United States, can continue to be used as a legal mechanism.

The case was originally brought in 2013 by then-student Max Schrems, when the Austrian privacy activist and lawyer filed a complaint against Facebook with the Irish data protection commissioner (DPC) regarding the transfer of European citizens' data to the US. The complaint was that the US government places surveillance above an individual's right to privacy, and therefore there were no guarantees in place to protect EU citizens from similar snooping.

His first complaint, filed nearly seven years ago, was rejected as frivolous; he won the appeal and eventually the case, which saw the Safe Harbour scheme struck down in favour of 2016's Privacy Shield. However, Schrems has consistently argued that there's no real difference between the two.

After that battle, Facebook eschewed the Privacy Shield for standard contractual clauses (SCCs), which allow EU organisations to bake data protection commitments into contracts they sign with other organisations outside of the zone – in this case, between Facebook Ireland and Facebook's headquarters in the US.

It's the approval of those SCCs that Facebook and other American tech companies will be celebrating today. Such data transfers are legal, according to an opinion document by an advocate general at the Court of Justice of the European Union — but only so long as necessary protections for data are in place, the onus for which is placed on the companies sharing the data. “Standard contractual clauses for the transfer of personal data to processors established in third countries is valid,” Henrik Saugmandsgaard Øe wrote in his non-binding opinion.

Facebook welcomed the approval. "We are grateful for the advocate general’s opinion on these complex questions," a spokesperson said in a statement. "Standard Contractual Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide. We look forward to the final decision from the CJEU."

The apparent approval of such data transfers may sound like a loss for Schrems, but he says the case is more nuanced than it may appear. “I am generally happy about the opinion of the Advocate General," he said in a written statement on the website of privacy organisation NOYB. "The opinion is in line with our legal arguments. This is a total blow to the Irish DPC and Facebook as well as a very important step for users’ privacy. What is a problem is that the Advocate General is proposing a lower level of privacy protections for 'national security' under the ECHR, not the EU’s Charter of Fundamental Rights.”

Another win for Schrems is the advocate general calling for data protection authorities – such as the Irish DPC and the Information Commissioner's Office in this country – to step up and do their jobs better, stressing that they have the ability to suspend data transfers if necessary.

"At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints," Schrems said. "This is a huge step for the enforcement of the GDPR."

Such advocate general opinions are not binding, but the court normally follows their recommendations. The final ruling is due next year, at which point Schrems believes there will likely be a difference of opinion between the advocate general and the final judgement.

"During the court hearing the Advocate General asked questions in a very different direction than the Judges," Schrems wrote in a statement before the opinion was published. "The judges seemed to be much more critical of US law and the assessment by the European Commission than the Advocate General. I, therefore, expect that the final judgment may provide stricter privacy protections than the opinion on Thursday."

If the ruling is adopted by the court, it means data will be able to keep moving between the EU and the US, such as to send email or book a hotel, says Schrems. "Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws require these companies to disclose data to the NSA," he said in a statement.

"This is also an economic problem for the US, because foreign revenue will go elsewhere. It is really upon the United States to ensure baseline privacy protections for foreigners. Otherwise no one will trust US companies with their data."

This also means that the UK, should it leave the European Union without a deal, would be able to fall back on SCCs to maintain data flows between the two jurisdictions.
