EU court boost for activist in Facebook data transfer legal battle
Image credit: Dreamstime
EU regulators must make more effort to stop tech companies from transferring data to countries with weaker data protection standards, an adviser at the European Court of Justice (ECU) has said.
A preliminary opinion by the ECU’s – the EU’s top court – advocate general stated that existing EU legal rules for data transfers should remain in place, however, but said there should be stricter enforcement by authorities.
This statement gives a boost to Austrian privacy activist Max Schrems, who launched a complex legal case involving Facebook seven years ago due to concern that Europeans were subject to mass US government surveillance.
“Companies will momentarily ‘breathe a sigh of relief’ that the EU will likely maintain the legal mechanism that many companies now use to move data around the world,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals.
However, Fennessy said the opinion also paves the way for challenges to transferring data on a case-by-case basis, if a country is deemed to not have adequate protections.
Although the privacy activist case involves Mark Zuckerberg’s Facebook, experts say it could have 'far-reaching implications' for social media and other tech companies that move large amounts of data over the internet.
According to Schrems, the case could potentially affect Google, Microsoft and any other US companies that provide electronic communications services, but not data transfers between traditional businesses like airlines, hotels and banks.
The advocate general’s opinion is not binding; however, it may influence the court’s judges when they issue their final ruling next year, likely by March next year.
At issue are so-called “standard contractual clauses”, which force businesses to abide by strict EU privacy standards when transferring messages, photos and other information.
Companies such as Facebook routinely move such data among its servers around the world, and the clauses – stock terms and conditions – are used to ensure the EU rules are maintained when data leaves the bloc.
Schrems had argued the clauses meant authorities in individual EU countries can, by law, halt transfers if the data is sent somewhere with weaker privacy rules.
Advocate general, Henrik Saugmandsgaard Oe, said in a preliminary opinion that the standard contractual clauses are valid, but added that a provision in the clauses means companies and regulators have an obligation to suspend or prohibit transfers if there is a conflict with the law in a non-EU country such as the US.
“If Silicon Valley wants to have the data of the whole world, which it does, then it cannot at the same time be subject to surveillance laws that basically don’t have any rights for foreigners,” Schrems said.
He added the opinion validates that “generally data transfers are fine unless there’s a specific surveillance law in another country that undermines European privacy protections”.
Schrems filed his initial complaint against Facebook back in 2013 on the grounds that the data transferred did not have adequate protections against espionage by US government authorities.
His complaint followed revelations by former National Security Agency (NSA) contractor Edward Snowden of electronic surveillance by US security agencies, including the disclosure that Facebook gave the agencies access to the personal data of Europeans.
Schrems, concerned that his personal information was at risk, had challenged the data transfers through the courts in Ireland, which is home to Facebook’s European headquarters.
The Irish Data Protection Commission attempted to sidestep the issue by arguing the clauses were legally invalid. The commission eventually sent the case to the Luxembourg-based ECJ, the EU’s highest court.
Facebook, which had argued US surveillance does not violate EU privacy laws, said it was grateful for the opinion.
“Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas,” the Menlo Park, California, company said in a statement.
The Irish Data Protection Commission said the opinion provided “clarity of analysis”. Spokesman Graham Doyle said it shows the complexities that arise when EU data-protection laws interact with laws of other countries.
Legal experts have said businesses “will be relieved the opinion validates the current legal practices for data transfers”.
“The alternative would be quite a turnaround,” said Elliot Fry, a senior associate at the UK law firm Cripps Pemberton Greenish. “It would have required a lot of upheaval in relation to international transfers. So that is far and away from the most important aspect of this.”
Back in July, the ECJ ruled that companies which incorporate the ‘Like’ button on their websites are liable for Facebook tracking and must request user consent to transfer their data to Facebook.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.