The European Court of Justice’s Advocate General has determined in a non-binding opinion today that transfer of data outside the European bloc is legal; a win for Facebook over the Irish Data Protection Commissioner (DPC).
“Standard contractual clauses (SCC’s) for the transfer of personal data to processors established in third countries is valid,” AG Henrik Saugmandsgaard Øe determined, in a decision published by the Court of Justice [pdf] early Thursday.
The Advocate General role is to propose a legal solution to court’s justices. The judges themselves are still deliberating and will rule at a later date, but the AG’s opinion represents a win for Facebook, and will come as a relief to businesses reliant on standard contractual clauses to underpin their trans-Atlantic data transfers.
The AG sums up the roots of the dispute pithily in the opinion, for those seeking a refresher: “The data of Facebook users residing in the EU… are transferred to… servers located in the United States, where they are processed.
“In 2013, Mr Schrems lodged a complaint with the Irish authority… taking the view that, in the light of the revelations made by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency, the law and practices of the United States do not offer sufficient protection against surveillance, by the public authorities, of the data transferred to that country. ”
Standard Contractual Clauses Decision: “A Huge Sigh of Relief”
Law firm Linklaters said: “The Schrems II case seeks to confirm that a number of different data transfer mechanisms… cannot be used without significant due diligence by EU businesses with material risks if they get the judgements wrong.
“The AG’s opinion suggests that these are issues for the Commission and Government and not individual businesses, suggesting that standard contractual clauses remain a solid basis for transferring data outside the EU. They will therefore be an important tool for UK businesses to receive data from the EU post Brexit, and make an adequacy finding a desirable rather than critical aspect of the forthcoming trade negotiations.”
Richard Cumbley, TMT partner at law firm Linklaters, added in an emailed comment: “The Advocate General’s decision will prompt a huge sigh of relief amongst European businesses that deal with affiliates or suppliers in the US.
He added: “It is also good news for the new Conservative government in the UK and its ambitious timetable to achieve a trade deal by the end of 2020, as it makes the need for a so called “adequacy finding” less acute.
Privacy activist Max Schrems, who brought the case, responded [pdf]: The Advocate General explained to the DPC that the SCCs have a built-in co-called “pressure valve” (Article 4 SCCs) that allows the DPC to suspend data flows whenever there is a problem with US law. The opinion makes clear that DPC has the solution to this case in her own hands: She can order Facebook to stop transfers tomorrow.
“Instead, she turned to the CJEU to invalidate the whole system. It’s like screaming for the European fire brigade, because you don’t know how to blow out a candle yourself.”
He added: “The case itself cannot overcome the deeper clash of EU and US law. In the long term I hope that the US legislator will come to realize that no foreign customer will trust US industry, if there are no solid privacy protection in the US.
“You can’t say ‘trust us with all your data, but actually you have no rights'”.