Facebook and other companies that transfer troves of personal data to the US were buoyed after a senior adviser to Europe’s top court validated the main legal mechanism they rely on.
In a legal case that has been running for nearly seven years, Henrik Saugmandsgaard Oe, advocate-general at the European Court of Justice, said the main set of tools that enables hundreds of thousands of companies to transfer emails, pictures and other personal data outside the EU provides sufficient protection for consumers.
“Standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is valid,” he wrote in a decision published in Luxembourg on Thursday.
His opinion came after supporters of the current framework said a blanket ban would cause economic upheaval and hamper Europe’s access to social media and a host of other online services, many of which are provided by US companies.
While his opinion is not legally binding, it is likely to influence the outcome of a court case, expected in the next few months, that will determine how companies in all sectors treat data transfers to outside the EU.
Companies such as Facebook started using SCCs, template clauses in contracts that have been approved by the European Commission, in 2015 after the ECJ ruled that the so-called Safe Harbor framework for data transfers was inadequate under EU law because US authorities could gain general access to the data, as revealed by the National Security Agency whistleblower Edward Snowden.
Facebook said: “We are grateful for the advocate-general’s opinion on these complex questions. Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas.”
Eduardo Ustaran, a partner at Hogan Lovells, said: “This is primarily a big victory for the European Commission so far, as the advocate-general accepts the reasoning that the standard contractual clauses, as a tool, do their job to protect personal data outside the EU.
“However, it places the onus on the companies and ultimately the regulators to scrutinise the functioning in practice of the contractual protections in place.”
Campaigners, led by Austrian data privacy activist, Max Schrems — who is also a party to this case — have argued that the current way of transferring data, particularly by companies such as Facebook and Google, continues to expose EU citizens to surveillance by intelligence agencies and governments, mainly in the US.
As part of his complaint, Mr Schrems had specifically asked that the Irish data protection commissioner invoke a part of the law, known as article 4, that would allow it to suspend data transfers from Facebook Ireland in specific cases where necessary.
“The advocate-general is now telling the Irish data protection authority again to just do its job,” Mr Schrems said. “We asked for a targeted solution, only for companies that fall under these surveillance laws. The DPC could have issued such a decision within a day,” Mr Schrems said.
“But they didn’t want to use article 4 and kicked it back to Luxembourg . . . this whole case is a responsibility-shifting exercise, because the Irish are terrified they’ll be sued into the ground by Facebook.”