Facebook Wins Data Transfer Opinion Against Max Schrems

Facebook and other tech firms will breathe a sigh of relief after a landmark opinion from a high-level adviser to the EU’s top court.

The opinion for the European Court of Justice (ECJ) found that personal data transfers from tech companies in the EU into the US are “valid”.

In June this year it was revealed that Facebook’s transfer of data belonging to European citizens to the United States would be examined by the ECJ.

Path to ECJ

Facebook lost a bid for the landmark case to be referred to the ECJ, after the Irish Supreme Court backed a ruling made by the Irish High Court in May 2018.

Facebook had for years been consistently trying to stop the case reaching the ECJ, which was brought against Facebook by Austrian privacy activist Max Schrems.

Facebook’s legal manoeuvres began after the Irish data protection watchdog in 2016 decided to refer the social networking giant’s data transfer practices to the US, to the ECJ.

It should be remembered that the ECJ in 2015 had suspended the Safe Harbour agreement that allowed data-sharing between the EU and the US.

It had ruled against the long-standing agreement as it felt it no longer sufficiently protected European information against US surveillance, in light of the Edward Snowden whistleblowing revelations about the scale of US snooping.

The Irish probe began in 2015 and Ireland was chosen to lead Europe’s response to the court decision as Facebook’s EU headquarters is in Dublin.

This fact prompted Austrian lawyer Max Schrems to bring his data privacy case against Facebook to the Irish data protection watchdog.

In his complaint, Schrems argued in 2013 that the Edward Snowden disclosures showed there is no effective data protection regime in the United States.

Facebook for its part has argued that the General Data Protection Regulation (GDPR) rules make the case irrelevant.

Advocate General opinion

And now in a non-binding opinion, advocate general Henrik General Saugmandsgaard Oe of the ECJ on Thursday said the EU clauses are “valid”.

While he said it was not for the tribunal to rule on the legality of the separate Privacy Shield pact in this case, Saugmandsgaard Oe expressed concerns over people’s right to privacy and “an effective remedy”.

Whilst this advice is non-binding, but opinions from the advocate general are typically followed by the court in a majority of cases.

A ruling by the Luxembourg-based court usually arrives several months later.

In his opinion, the advocate general said the standard contractual clauses adopted by the European Commission provide a “general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there”.

“In his view, that is the case in so far as there is an obligation – placed on the data controllers and, where the latter fail to act, on the supervisory authorities – to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with,” the advocate general said.

Expert take

Experts have been quick to point out the sense of relief for many businesses after the opinion was delivered.

“The Advocate General’s decision will prompt a huge sigh of relief amongst European businesses that deal with affiliates or suppliers in the US,” said Richard Cumbley, TMT partner at Linklaters.

“It is also good news for the new Conservative government in the UK and its ambitious timetable to achieve a trade deal by the end of 2020, as it makes the need for a so called ‘adequacy finding’ less acute,” said Cumbley.

“The Schrems II case seeks to confirm that a number of different data transfer mechanisms – most importantly so called ‘standard contractual clauses’, thousands of which are used today to share information about UK and other European employees and customers with businesses in the US and elsewhere – cannot be used without significant due diligence by EU businesses with material risks if they get the judgements wrong,” said Cumbley.

“The AG’s opinion suggests that these are issues for the Commission and Government and not individual businesses, suggesting that standard contractual clauses remain a solid basis for transferring data outside the EU,” he added. “They will therefore be an important tool for UK businesses to receive data from the EU post Brexit, and make an adequacy finding a desirable rather than critical aspect of the forthcoming trade negotiations.”

Can you protect your privacy online? Take our quiz!