By Foo Yun Chee and Michele Sinner
LUXEMBOURG (Reuters) – Agreements that let Facebook and other firms send European citizens’ data to the United States and other countries are valid, a key EU court adviser said on Thursday, although he left room for such transfers to be blocked if European data protection standards are not met in countries receiving the information.
The case is based on a challenge by Austrian privacy activist Max Schrems, who argued that Facebook’s contracts do not protect data to European levels, especially given concerns about activities by U.S. spy agencies.
Schrems had also called on Ireland, where Facebook has its European headquarters, to act against the company because it is subject to U.S. surveillance laws, which he believes could threaten Europeans’ rights.
Schrems successfully fought against the EU’s previous ‘Safe Harbour’ privacy rules in 2015.
Henrik Saugmandsgaard Øe, advocate general (AG) at the Court of Justice of the European Union (CJEU), said the agreements used by many companies including Facebook to underpin activities such as outsourced services, cloud infrastructure, data hosting and finance are legal.
The court, which follows such recommendations in four out of five cases, will rule in the coming months.
However, the advocate general added that privacy regulators must prohibit such data transfers when the laws of the countries receiving the data, such as the United States, conflict with the data protection requirements of the agreements, known as standard contractual clauses.
Schrems said he was “generally happy” with the legal opinion.
“Everyone will still be able to have all necessary data flows with the U.S., like sending emails or booking a hotel in the U.S.,” he said.
“Some EU businesses may not be able to use certain U.S. providers for outsourcing anymore, because US surveillance laws require these companies to disclose data to the National Security Agency (NSA).”
“It is really upon the United States to ensure baseline privacy protections for foreigners. Otherwise no one will trust U.S. companies with their data.”
The opinion calls into question the sufficiency of U.S. data protections, said Caitlin Fennessy, research director at the International Association of Privacy Professionals.
“This suggests a near-term diplomatic solution will be critical,” she said.
Facebook said in a statement, “We are grateful for the Advocate General’s opinion on these complex questions. Standard Contractual Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide.”
The court should follow the adviser’s opinion on the clauses, said Patrick Van Eecke, global chair of law firm DLA Piper’s data protection practice.
“In an open and global economy which is highly dependent on data flows crossing the national borders of countries or regions, putting up hurdles prohibiting international data transfers is not good for business and not good for people either,” he said.
Ireland’s Data Protection Commission, Facebook’s lead regulator in the EU, welcomed the advocate general’s opinion, noting that it “illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries, to include the laws of the United States.”
The case is C-311/18 Facebook Ireland and Schrems.
(Reporting by Foo Yun Chee, additional reporting by Kirsti Knolle in Vienna, Graham Fahy in Dublin, Peter Henderson in San Francisco and Munsif Vengattil in Bengaluru; editing by Kirsten Donovan, Jason Neely and Alexandra Hudson)