ECJ opinion backs Facebook over data privacy 'standard contractual clauses'

Advocate general Henrik Saugmandsgaard Øe backs standard contract clauses, but warns they require ongoing scrutiny

The European Court of Justice (ECJ) has backed Facebook over the use of 'standard contractual clauses' governing transfers of personal data, in a legal opinion published today by ECJ advocate general Henrik Saugmandsgaard Øe.

The clauses oblige organisations transferring data outside of the EU to abide by the EU's own privacy and data processing standards. However, the opinion added the caveat that EU regulators must block such transfers if cases arise in which privacy rules are broken.

Austrian lawyer and privacy activist Max Schrems, who brought the case, had argued that the clauses established by the European Commission, intended to provide an 'adequate level of protection' for data transfers, are insufficient. Schrems had complained to the Data Protection Commissioner of Ireland - Facebook's data protection registrar in the EU - which had forwarded the case to the ECJ.

However, while the opinion backed Facebook's use of the clauses, Schrems claimed that the opinion was also "in line with our legal arguments". He added that the opinion also raised "serious doubts" over Privacy Shield, the successor data privacy framework to Safe Harbour, which was struck down in October 2015.

Schrems' complaint asserted that the standard contractual clauses relied on by Facebook to justify its data transfers are undermined by US law, which obliges Facebook to make personal data of users available to US authorities. Furthermore, he added, the clauses lack legal remedies for EU citizens who fear that their personal data has been misused following transfer.

In an earlier case, Schrems had successfully argued that the Safe Harbour agreement over the transfer of personal data from the EU to the US for processing contravened EU citizens' privacy rights under the Charter of Fundamental Rights of the European Union.

That case was kicked off following the first of the Edward Snowden revelations, which demonstrated how far-reaching the US National Security Agency's data-collection activities had become. The end of Safe Harbour affected around 4,500 organisations across the EU, while the European Commission scrambled to put an alternative arrangement in place that wouldn't unduly inconvenience online organisations.

After Safe Harbour was struck down, Facebook turned to standard contractual clauses to govern its data transfers.

Schrems' long-running case was referred to the ECJ by Ireland's data protection body in 2016 after it formed a preliminary view that his complaint had merit. In particular, it pointed out that no legal remedies existed for EU citizens should a violation of the clauses be uncovered.

Eduardo Ustaran, co-head of the global Privacy and Cyber-security practice at law firm Hogan Lovells, described the opinion as "a big victory for the European Commission". He continued: "The advocate general accepts the reasoning that the standard contractual clauses, as a tool, do their job to protect personal data outside the EU.

"However, it places the onus on companies and, ultimately, on regulators, to scrutinise the functioning of the contractual protections in practice. In essence, this means that organisations transferring data out of the EU cannot just sign the agreement and forget about it. Instead, they must ensure the importing organisation can comply with it.

"The Advocate General also seems to question the standard of data protection provided by the Privacy Shield, which appears to be held to a higher standard than the standard contractual clauses."
