Max Schrems data transfer case passed to European Court of Justice
Wed 4 Oct 2017
An Irish High Court judge has referred a major data transfer privacy case to the European Court of Justice.
The case involves Max Schrems, an Austrian lawyer known for his activism on data privacy, and Facebook, which carries out its European operations from Ireland.
This is not the first time Schrems has challenged the social media giant in the European courts, causing some commentators to dub the case ‘Schrems 2.0.’
The case, while extremely complex, boils down to questions over the way in which Facebook transfers data between Europe and the U.S., which have differing approaches to privacy and data regulations.
Currently, Facebook transfers data between countries using ‘standard contract clauses’ (SCCs). As many businesses operate in the same way, if it is decided that these SCCs are not valid, as Justice Caroline Costello says there are ‘well-founded grounds’ for believing, there may be enormous knock-on effects for businesses around the world.
The intent of SCCs is to allow EU citizens the same data protection in the U.S. as they would get in Europe. Schrems initially took the case to Ireland’s Data Protection Commissioner, requesting that Facebook not be allowed to use SCCs because of its relationship with American intelligence agencies.
He said: “It is still unclear to me why the DPC is taking the extreme position that the SCCs should be invalidated across the board, when a targeted solution is available.
“The only explanation that I have is that that they want to shift the responsibility back to Luxembourg instead of deciding themselves.”
He noted that Facebook is required by law in the U.S. to provide personal data to the National Security Agency, whereas that is prohibited under European law.
Facebook rebuked the findings of the court, stating: “Standard contract clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business.
“They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.”
The case grows increasingly complex when looking at accusations levelled at Facebook that it was involved in Prism, a program of mass surveillance in the U.S. As well as this, the previous data sharing system between Europe and the U.S., called ‘Safe Harbor’, was ruled invalid by the European Court of Justice in October 2015.
For now, the eventual decision of the European Court of Justice holds massive implications. International Association of Privacy Professionals CEO Trevor Hughes commented: ‘Many are concerned that restrictions on these flows will limit the growth of economies around the world and create splintered islands for data-driven services.
‘All eyes are now on Luxembourg, where the court will hopefully decide soon to clear the legal uncertainty in this area.’