Governance & Risk Management , Privacy , Standards, Regulations & Compliance
Facebook Wins an EU Privacy Ruling
Will Dispute Over Sharing European's Data With US Continue?Facebook’s sharing of data on European users with the U.S. is legal and provides enough protections, the legal adviser to the EU’s top court said on Thursday.
See Also: The Biggest & Boldest Data Breaches & Insider Threats of 2023
Although the decision is nonbinding, some legal experts say opinions from the advocate general are typically followed by the court in a majority of cases.
Henrik Saugmandsgaard Oe, advocate general to the Court of Justice of the European Union, upheld the standard contractual clauses, or SCCs, for the transfer of personal data to processors in other countries and pronounced them as valid. The standard contractual clauses are sets of contractual terms and conditions to which the sender and the receiver of personal data agree.
Austrian law student and privacy activist Max Schrems had challenged Facebook’s use of such contractual clauses on the grounds that they do not offer sufficient data protection safeguards. The clauses underpin important business activities such as outsourced services, cloud infrastructure, data hosting, human resources management, payroll, finance and marketing.
This is not the first time that Schrems has fought for the privacy rights of Europeans. In 2015, he successfully fought against the EU’s previous “Safe Harbor” privacy rules. Those rules, which were developed between 1998 and 2000, were designed to prevent private organizations within the European Union or United States that store customer data from accidentally disclosing or losing personal information.
Arguing that transfer of data to the U.S. could lead to mass surveillance in violation of EU privacy law, Schrems’ efforts led to the replacement of the Safe Harbor rules with the “Privacy Shield” system in 2016. But Facebook said it would not use the “Privacy Shield” and instead rely on standard contractual clauses.
BREAKING: SCCs upheld by CJEU AG.#CJEU: "According to Advocate General Saugmandsgaard Øe, Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries is valid."#Schrems #GDPR #DPA pic.twitter.com/jjQe6RC0T4
— Neil Brown (@neil_neilzone) December 19, 2019
Background to the Case
Data privacy has become a major concern since revelations in 2013 by former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance which triggered outrage among politicians in Europe.
Schrems’ latest efforts focused on standard contractual clauses used by Facebook and hundreds of thousands of companies to transfer personal data to the United States and other parts of the world. SCCs are aimed at protecting personal data leaving the European Economic Area through contractual obligations in compliance with the EU’s General Data Protection Regulation.
Schrems challenged Facebook’s use of such standard clauses on the grounds that they do not offer sufficient data protection safeguards.
Schrems argued the clauses still do not take into account the privacy of EU citizens and residents. But the advocate general ruled that the data transfers using the standard clauses is valid.
Reaction
Reacting to the ruling, Schrems said: “Problem is that the advocate general is proposing a lower level or privacy protections for “national security” under the European Convention of Human Rights, not the EU’s Charter of Fundamental Rights.”
Meanwhile, Facebook said in a statement that it was “grateful” for the opinion and said standard contractual clauses “provide important safeguards to ensure that Europeans’ data are protected once transferred overseas.”
Some privacy experts argue that the SCC mechanism is useful if companies suspend transfers when the receiving country has surveillance regimes that undermine safeguards within the SCCs. But some argue that the advocate general did not resolve the heart of the matter and predicted there will be further challenges if the EU courts don’t resolve the issues involved.
The immediate danger is over but the uncertainty remains. The #AG didn’t address the heart of the matter & there will be further challenges if @EUCourtPress doesn’t resolve the human rights & conflicts of law.
Unfair to place this burden on companies. #Schrems https://t.co/Arb5DgFs3S— GSMA Europe (@GSMAEurope) December 19, 2019
Who Is Schrems?
Schrems, 31 began his fight against Facebook eight years ago. Last year, he launched None of Your Business, a non-profit organization that aims to challenge more companies with privacy lawsuits.
The Financial Times reports that Schrems’ journey started as a 23-year-old law student when he had requested his personal data from Facebook for a college paper. He found that the social media giant had amassed 1,200 pages of things he had “liked” and every private message he’d ever sent. He filed 22 complaints claiming that Facebook was breaking European data protection law, undermining the fundamental right to privacy.