ECJ says EU rules on data transfers to US ‘valid’ in Max Schrems case

Court raises concern that US law could affect right of tech firms to move data from EU

Privacy activist Max Schrems speaking in Dublin last year. Photograph: Nick Bradshaw

Privacy activist Max Schrems speaking in Dublin last year. Photograph: Nick Bradshaw

 

Personal data transfers from tech companies in the EU into the US are “valid”, according to an opinion from a high-level adviser to the EU’s top court, which provides a major boost to companies such as Facebook.

However, he said companies and regulators needed to ensure that “sufficiently sound mechanisms” were in place to suspend or prohibit such transfers where there is a conflict “between the obligations arising under the standard clauses and those imposed by the law” of the country to which the data is being sent.

That presents potential challenges for big tech companies, including Facebook, and the Data Protection Commission.

At issue in the European Court of Justice were so-called standard contractual clauses, and parts of the EU-US Privacy Shield. The “shield” is a data-transfer pact which was adopted in 2016 after its predecessor agreement was torpedoed by Austrian privacy activist Max Schrems.

In a non-binding opinion, advocate general Henrik Saugmandsgaard Øe of the Court of Justice of the EU on Thursday said the EU clauses themselves are “valid”.

But while it was not for the tribunal to rule on the legality of the separate Privacy Shield pact in this case, he expressed concerns over people’s right to privacy and “an effective remedy”.

The advice may provide clues for the outcome of the final decision. Rulings by the Luxembourg-based court usually come several months later.

In his opinion, the advocate general said the standard contractual clauses adopted by the European Commission provide a “general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there”.

Cloud

Data transfers are an essential part of the modern economy. Many companies rely on cloud services with suppliers located outside the EU, or use service providers with round-the-clock support from locations across the world. Businesses often centralise their marketing priorities globally or need to centralise travel bookings for their staff.

The issues in this case involve the data of Facebook users which are transferred from the company’s Irish subsidiary to servers located in the US where the data is then processed.

In 2013, Mr Schrems complained that, in light of revelations made by whistleblower Edward Snowden concerning the activities of the US intelligence services, in particular the National Security Agency (NSA), the law and practices of the US do not offer sufficient protection against surveillance.

In 2015, Mr Schrems successfully fought against the EU’s previous privacy rules, triggering the current case when he challenged Facebook’s use of the contractual clauses on the grounds that they don’t offer sufficient data protection safeguards.

Richard Cumbley, partner at magic circle law firm Linklaters, said the decision will “prompt a huge sigh of relief amongst European businesses that deal with affiliates or suppliers in the US”.

Restaurant in Brussels

Speaking prior to publication of the opinion, Hogan Lovells partner Eduardo Ustaran noted that any change to the law could have been widely felt.

“Even a restaurant or a corner shop in Brussels [would be affected] because they are almost certainly using an email service provider outside the EU,” he said.

Judges, who will rule in the coming months, follow advisers’ recommendations in four out of five cases. – Additional reporting: Bloomberg/Reuters/Financial Times Limited