EU court advocate upholds use of standard contract clauses on int'l data transfers

News Broadband Europe 19 DEC 2019
EU court advocate upholds use of standard contract clauses on int'l data transfers

The EU Court of Justice's advocate-general has upheld the use of standard contract clauses to ensure international transfers of personal data adhere to EU privacy standards. However, in the latest development in the case of Max Schrems versus Facebook, the court said that companies using the clauses should abandon the practice if the destination country for their data was found to provide inadequate protection of personal data. 

The opinion was issued by advocate-general Saugmandsgaard Oo on questions posed by the High Court of Ireland on behalf of the Irish data protection regulator. The latter has authority over Facebook in the EU and is investigating a complaint from Schrems that Facebook violates EU privacy law by sending data on users to the US where they may be subject to state surveillance. 

The standard contractual clauses allow companies to transfer personal data outside the EU even if the European Commission has not delivered a so-called adequacy decision on the destination country, that it meets EU privacy standards. Many companies rely on these clauses for transfers to the US, especially after Schrems succeeded in having the US's original 'safe habour' status removed by the EU court. 

The Irish authority is now reconsidering Schrems' complaint after the EU court ruling in 2015. Schrems claims that Facebook's contract with users is not consistent with the Commission's decision of 2010 on the standard contractual clauses, and even if it were, this would not be enough to justify the transfer of his personal data to the US. He wants the regulator to suspend such data transfers, as non-US citizens have no legal recourse in the US if their privacy is violated there. 

The advocate-general upheld the Commission's decision on the use of the clauses, saying this was a valid means to ensuring general application of the data protection rules. He noted though that this does not exempt companies or regulators from their duty to ensure that data protection is actually enforced in the destination countries. If a country is found to violate the EU principles, then the use of such clauses should be ended and the regulators need to act to stop the data transfers.  

The AG's opinion is not binding, but the court tends to follow its recommendations in the final ruling. The opinion was welcomed by the Computer and Communications Industry Association, which noted that "Standard Contractual Clauses are the only viable and affordable instrument for European companies to transfer data beyond the dozen countries the EU deems adequate”.

Schrems said in a first reaction that he was generally pleased with the AD's opinion, which tended to follow his legal arguments. He called on the Irish Data Protection Commissioner to act and suspend the transfers to the US. "The opinion makes clear that DPC has the solution to this case in her own hands: She can order Facebook to stop transfers tomorrow. Instead, she turned to the CJEU to invalidate the whole system. It’s like screaming for the European fire brigade, because you don’t know how to blow out a candle yourself."

Categories:

Internet

Companies:

European Commission

Regions:

Europe

Tags:

Regulations, Information services, Legislation - Lawsuits

Related Articles

EUROPE 6 SEP 2022

Irish regulator imposes EUR 405 million fine on Meta for violating teen privacy

Meta's Instagram service has been told to pay a EUR 405 million fine for the way it handled teen data, Politico reported. The fine, imposed by the Irish Data Protection Commission (DPC) follows a EUR 225 million fine imposed on WhatsApp and another of EUR 17 million on Facebook. The regulator is still investigating at least six other cases with Meta-owned companies.

EUROPE 16 JUL 2020

EU court overturns Privacy Shield, blocking personal data transfers to US

Max Schrems has won a new victory against Facebook and how the social network handles personal data. After having the US's 'safe harbour' status for data transfers overturned in 2015, the privacy activist has won a new case at the EU Court of Justice overturning the Privacy Shield agreement which replaced it in 2016. This means it is not legal for EU-based companies to transfer personal data to the US, as the country does not offer sufficient protection as required under the EU's privacy law.

EUROPE 25 MAY 2020

Irish regulator progresses in GDPR cases against Twitter, WhatsApp, Facebook

The Irish Data Protection Commission (DPC) announced it's making progress on investigations into major social media companies thought to have violated the EU's General Data Protection Regulation. This includes procedures against Twitter, WhatsApp and Facebook.

EUROPE 31 MAY 2019

Facebook loses Irish Supreme Court appeal in data privacy case

Ireland's Supreme Court has dismissed Facebook's appeal over last year's High Court ruling to refer aspects concerning the validity of European Commission decisions approving EU-US data transfer channels to the European Court of Justice (ECJ). In a unanimous decision, the Supreme Court said it would not overturn any aspect of the High Court's ruling, meaning the ECJ will now hear the case in July.

EUROPE 26 MAY 2016

Facebook 'model contracts' to face EU privacy lawsuit

The Irish privacy watchdog said it would refer Facebook to the EU Court of Justice for possible violations of EU data protection law with the social network's transfer of data on EU users to the US, Reuters reports. The Irish Data Protection Commissioner earlier started an investigation into Facebook's transfers to ensure that personal privacy is properly protected from US government surveillance. The IDPC said it would ask the Court of Justice of the European Union (CJEU) to determine the validity of Faceb

NETHERLANDS 16 DEC 2015

Dutch privacy organisations threaten Facebook with lawsuit

Four Dutch privacy organisations have threatened to take legal action against Facebook over the social network's privacy policies. Privacy First, Bits of Freedom, Public Interest Litigation Project (PILP) and the Platform Bescherming Burgerrechten called on Facebook to stop sending data on users to its US-based servers. They said Facebook no longer has a legal basis for this since the EU Court of Justice struck down the 'safe harbour' agreement between the EU and US and said the US could not be considered a

EUROPE 3 DEC 2015

Schrems asks privacy regulators to enforce EU court ruling

The 'Europe vs Facebook' coalition, led by Austrian student Max Schrems, has asked the data protection authorities of Ireland, Belgium and the German City of Hamburg to enforce on Facebook the recent judgement by the European Court of Justice regarding transfers of personal data from the European Union to the US. The court ruled on 6 October that transfers of personal data from the EU to the US are violating European fundamental rights to privacy and a fair procedure and struck down the 'safe harbour' data-

EUROPE 6 OCT 2015

EU-US 'safe harbour' data transfers declared invalid

The European Court of Justice (ECJ) has ruled that the 'safe harbour' agreement on data transfers between the EU and US is invalid, casting doubt on the extent to which US tech giants such as Facebook, Google and Apple can continue to collect data from their users in the EU. The ECJ's ruling upholds the opinion of its advocate-general Yves Bot, who last month said the 'safe harbour' deal should be invalidated "because the surveillance carried out by the US is mass, indiscriminate surveillance," leaving the

EUROPE 25 MAR 2015

Facebook user sues Ireland at ECJ for sharing data with US

Austrian Facebook user Maximilian Schrems is suing the Irish data protection commission at the European Court of Justice for declining to intervene in a case pitting him against Facebook, which he argues that EU-based companies should not be able to transfer users' personal data to the US under so-called safe harbour protections. The case reported by the Guardian occured in Ireland because Facebook has its European headquarters in Dublin. Schrems managed to recover 1,222 ages of material from Facebook in 20

Just In

19 DEC 16:42

SLT-Mobitel launches 5G network in Sri Lanka

19 DEC 16:19

Dialog Axiata launches 5G network, connects 1.5 million subscribers

19 DEC 15:56

UK govt to ban AI-enabled nudification apps to protect women, girls

19 DEC 15:42

3 UK launches last-minute Christmas sale

Commentary

13:56

Video market set for slower growth ahead

11:38

Netflix buys Warner Bros to deepen content catalogue

11:11

KPN's mixed performance in Q3 raises questions for strategy day

15:26

Stock markets breaking records but what happened to Odido's IPO plans?

Background

01:04

The week in telecom: Wi-Fi bolt-ons take off to boost broadband growth, video market works on consolidation

01:39

The week in telecom: Netflix wins bidding for Warner Bros, Apple poaches new execs, Samsung debuts trifold

13:51

Proximus vs. Telenet: Proximus performs better in Q3 while Telenet uses up cash

14:16

Proximus Domestic still struggling with low margins

Complete profile

Before downloading the whitepaper, we would like to ask you to complete your profile with company and position. After confirming you will receive the white paper.