LUXEMBOURG (Reuters) – Standard contracts used by Facebook and many other firms to send users’ data to third countries are valid, a legal adviser to the EU said on Thursday, but he left scope for such transfers to be blocked if EU data protection standards are not met in those states.
Facebook found itself in the spotlight after Austrian privacy activist Max Schrems challenged its use of standard contractual clauses on the grounds that they do not offer sufficient data protection safeguards.
Schrems had also called on Ireland, where Facebook has its European headquarters, to act against the company because it is subjected to U.S. surveillance laws, which he believes could threaten Europeans’ rights.
Schrems successfully fought against the EU’s previous ‘Safe Harbour’ privacy rules in 2015.
Henrik Saugmandsgaard Øe, advocate general (AG) at the Court of Justice of the European Union (CJEU), said the clauses used by many companies to underpin activities such as outsourced services, cloud infrastructure, data hosting and finance are legal.
However, he added privacy regulators must prohibit such data transfer when there is a conflict between obligations related to standard clauses and those imposed by the law of the third country of destination.
Schrems said he was “generally happy” with the legal opinion.
“Everyone will still be able to have all necessary data flows with the U.S., like sending emails or booking a hotel in the U.S.,” he said.
“Some EU businesses may not be able to use certain U.S. providers for outsourcing anymore, because US surveillance laws requires these companies to disclose data to the National Security Agency (NSA).”
“It is really upon the United States to ensure baseline privacy protections for foreigners. Otherwise no one will trust U.S. companies with their data.”
The opinion calls into question the sufficiency of U.S. protections, said Caitlin Fennessy, research director at the International Association of Privacy Professionals.
“This suggests a near-term diplomatic solution will be critical,” she said.
Facebook said in a statement, “We are grateful for the Advocate General’s opinion on these complex questions. Standard Contractual Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide.”
The court should follow the adviser’s opinion on the clauses, said Patrick Van Eecke, global chair of law firm DLA Piper’s data protection practice.
“In an open and global economy which is highly dependent of data flows crossing the national borders of countries or regions, putting up hurdles prohibiting international data transfers is not good for business and not good for people either,” he said.
Ireland’s Data Protection Commission, Facebook’s lead regulator in the EU, welcomed the advocate general’s opinion noting that it “illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries, to include the laws of the United States.
The case is C-311/18 Facebook Ireland and Schrems.
Reporting by Foo Yun Chee, additional reporting by Kirsti Knolle in Vienna and Graham Fahy in Dublin; editing by Kirsten Donovan, Jason Neely and Alexandra Hudson