ECJ opinion backs EU data transfer contracts

Austrian Max Schrems (R) and lawyer Herwig Hofmann (L) after the verdict of the European Court of Justice in Luxembourg, 06 October 2015. [EPA/JULIEN WARNAND]

The European Commission’s standard contractual clauses (SCC), used for data transfers between EU and non-EU countries, are “valid”, according to a non-binding opinion from an advocate general at the Court of Justice of the European Union (CJEU).

The opinion is a symbolic victory for social media giant Facebook, who use SCCs in an bid to safeguard privacy standards for European users of the platform.

However, Advocate General Henrik Saugmandsgaard Øe on Thursday stressed the importance of data protection authorities suspending data transfers when obligations set out in standard contractual clauses are not complied with.

The opinion follows a legal challenge from Austrian privacy activist Max Schrems, who stated that the Commission standard contractual clauses do not adequately protect citizen’s privacy. Such contracts are issued in the absence of a data transfer adequacy agreement between the Commission and parties outside of the bloc, in an attempt to provide sufficient data protection safeguards. They are used by thousands of businesses worldwide, including tech giants such as Facebook.

In the vast majority of cases, legal opinions by the Advocate General are followed by the court and a final decision from judges is expected within the coming months.

Schrems’ challenge, in the now unlikely event that it would be supported by the court, could have far-reaching consequences on the way data flows operate between EU and non-EU businesses, and may oblige firms to stop making such data transfers or potentially face hefty fines.

US mass surveillance

Schrems is no stranger to challenges against Facebook’s data protection practices. In 2013, he filed a complaint with the Irish Data Protection Commissioner, in a bid to put an end to Facebook’s transferring of data from Ireland to the United States due to concerns that Facebook USA had been siphoning off the data to the US authorities as part of the PRISM mass surveillance program  – the National Security Agency’s harvesting of internet communications data from US firms.

This led to a 2015 case, in which Schrems successfully mounted a legal challenge over the EU’s ‘Safe Harbour’ privacy principles, which were developed to stop private companies in the EU or US losing or accidentally revealing personal data belonging to citizens.

That year, CJEU Advocate General Yves Bot issued an opinion to the court that stated the Safe Harbour agreement should be rendered invalid, adding that individual data protection authorities could suspend data transfers to other countries should there be evidence of data protection rights being breached. The ECJ ultimately upheld Bot’s opinion.

Privacy shield

Also of note in Saugmandsgaard Øe’s opinion on Thursday was his take on the EU’s data transfer accord with the US, the Privacy Shield agreement. The 2016 Privacy Shield agreement obliges American companies to protect personal data belonging to EU citizens, according to EU standards and consumer rights.

Saugmandsgaard Øe’s opinion states that the CJEU should not necessarily be required to rule on the validity of the agreement, due to the fact that the dispute in question only concerns the Commission’s establishment of standard contractual clauses. However, the Advocate General himself questioned the legitimacy of the agreement, stating that there are “reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”

Speaking this morning, Caitlin Fennessy, former Privacy Shield Director at the U.S. International Trade Administration and now Senior Privacy Fellow and Research Director at the International Association of Privacy Professionals (IAPP), told EURACTIV that Saugmandsgaard Øe’s opinion, should it have found standard contractual clauses to be invalid could “cause a ton of anxiety across the business community (that) may upend the status quo.”

She added that the dispute between Facebook and Schrems is “not a question that contracts can solve” but rather “a question of national security.” Along this axis, Fennessy also said that  the Privacy Shield agreement functions in practice as a “commercial instrument” that cannot necessarily address national security challenges.

(Edited by Benjamin Fox)

Subscribe to our newsletters