EU-US data transfer tools used by Facebook ruled legal

European flag

A top European court is a step closer – after a seven-year-long legal battle – towards approving the transfer of EU citizen data overseas, but only if fundamental rights are protected.

An advisor to the European Court of Justice said on Thursday that standard contractual clauses, those used by hundreds of companies to transfer data between the European Union and the United States, can continue to be used as a legal mechanism.

The case was originally brought in 2013 by then student Max Schrems, when the Austrian privacy activist and lawyer filed a complaint against Facebook with the Irish data protection commissioner (DPC) regarding the transfer of European citizens' data to the US. The complaint was that the US government place surveillance above an individual's right to privacy, and therefore there were no guarantees in place to protect EU citizens from similar snooping.

His first complaint, filed nearly seven years ago, was rejected as frivolous; he won the appeal and eventually the case, which saw the Safe Harbour scheme struck down in favour of 2016's Privacy Shield. However, Schrems has consistently argued that there's no real difference between the two.

After that battle, Facebook eschewed the Privacy Shield for standard contractual clauses (SCCs), which allow EU organisations to bake in data protection commitments into contracts they sign with other organisations outside of the zone – in this case, between Facebook Ireland and Facebook's headquarters in the US.

It's the approval of those SCCs that Facebook and other American tech companies will be celebrating today. Such data transfers are legal, according to an opinion document by an advocate general at the Court of Justice of the European Union — but only so long as necessary protections for data are in place, the onus for which is placed on the companies sharing the data. “Standard contractual clauses for the transfer of personal data to processors established in third countries is valid,” Henrik Saugmandsgaard Øe wrote in his non-binding opinion.

Facebook welcomed the approval, saying: "We are grateful for the advocate general’s opinion on these complex questions," a spokesperson said in a statement. "Standard Contractual Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide. We look forward to the final decision from the CJEU."

The apparent approval of such data transfers may sound like a loss for Schrems, but he says the case is more nuanced than may appear. “I am generally happy about the opinion of the Advocate General," he said in a written statement on the website of privacy organisation NOBY. "The opinion is in line with our legal arguments. This is a total blow to the Irish DPC and Facebook as well as a very important step for users’ privacy. What is a problem is that the Advocate General is proposing a lower level or privacy protections for 'national security' under the ECHR, not the EU’s Charter of Fundamental Rights.”

Another win for Schrems is the advocate general calling for data protection authorities – such as the Irish DPC and the Information Commissioner's Office in this country – to step up and do their jobs better, stressing that they have the ability to suspend data transfers if necessary.

"At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints," Schrems said. "This is a huge step for the enforcement of the GDPR."

Such advocate general opinions are not binding, but the court normally follows their recommendations. The final ruling is due next year, at which point Schrems believes there will likely be a difference of opinion between the advocate general and the final judgement.


Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation


"During the court hearing the Advocate General asked questions in a very different direction than the Judges," Schrems wrote in a statement before the opinion was published. "The judges seemed to be much more critical of US law and the assessment by the European Commission than the Advocate General. I, therefore, expect that the final judgment may provide stricter privacy protections than the opinion on Thursday."

If the ruling is adopted by the court, it means data will be able to keep moving between the EU and the US, such as to send email or book a hotel, says Schrems. "Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws requires these companies to disclose data to the NSA," he said in a statement.

"This is also an economic problem for the US, because foreign revenue will go elsewhere. It is really upon the United States to ensure baseline privacy protections for foreigners. Otherwise no one will trust US companies with their data."

This also means that the UK, should it leave the European Union without a deal, would be able to fall back on SCCs to maintain data flows between the two jurisdictions.