EU regulators must block technology companies from transferring data outside the bloc in cases in which privacy rules are broken, an advisor to the European Union’s top court said Thursday, part of a lengthy legal case involving an Austrian privacy campaigner and Facebook.
The European Court of Justice’s advocate general said that so-called “standard contractual clauses” - in which businesses commit to abide by strict EU privacy standards when transferring messages, photos and other information - are adequate. Companies like Facebook routinely move such data among its servers around the world, and the clauses - stock terms and conditions - are used to ensure the EU rules are maintained when data leaves the bloc.
Activist Max Schrems, worried about Europeans facing mass U.S. surveillance, had argued the clauses mean authorities in individual EU countries can, by law, halt data transfers in specific cases if data privacy is violated.
Advocate General Henrik Saugmandsgaard Oe agreed, saying in a preliminary opinion that a provision in the clauses means companies and regulators have an obligation to suspend or prohibit transfers if there’s a conflict with the law in a third country such as the U.S.
The advocate-general’s opinion is not binding but may influence the court’s judges when they issue their final ruling.
The case has potentially far-reaching implications for social media companies that move large amounts of data via the internet. Facebook’s European subsidiary regularly does so.
The legal saga’s origins date to 2013, when Schrems filed an initial case following revelations by former NSA contractor Edward Snowden of electronic surveillance by U.S. security agencies, including the disclosure that Facebook gave the agencies access to the personal data of Europeans.
Schrems, concerned that his personal information was at risk, had challenged the data transfers through the courts in Ireland, home to Facebook’s European headquarters.
The Irish Data Protection Commission tried to sidestep the issue by arguing the clauses were legally invalid and eventually sent the case to the Luxembourg-based ECJ, the EU’s highest court.
“The opinion follows exactly our approach which says that generally data transfers are fine, unless there’s a specific surveillance law in another country that undermines European privacy protections,” Schrems said. He noted that applies only to data sent to or from “electronic communications service providers” such as Facebook, Google and Microsoft, and not between traditional businesses like airlines, hotels and banks.
He added the case has raised issues with wider implications for U.S. tech companies’ global ambitions, “because if Silicon Valley wants to have the data of the whole world, which it does, then it cannot at the same time be subject to surveillance laws that basically don’t have any rights for foreigners.”
Facebook, which had argued U.S. surveillance doesn’t violate EU privacy laws, said it was grateful for the opinion. “Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas,” it said in a statement.
The Irish Data Protection Commission said it provided “clarity of analysis.”
“The opinion illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries, to include the laws of the United States,” spokesman Graham Doyle said.
Richard Cumbley, a partner at law firm Linklaters, said EU businesses dealing with U.S. affiliates or suppliers will be relieved at the opinion, which suggests the clauses “remain a solid basis for transferring data outside the EU.” But, he added, companies will still have to carry out “significant due diligence” when using them.