Sigh of relief as ECJ rules EU-US data transfers 'valid'

The European Court of Justice (ECJ) has decided that personal data transfers from tech companies in the European Union into the United States are “valid”.

In June, it was revealed that Facebook’s transfer of data belonging to European citizens to the US would be examined by the ECJ.The social media giant lost a bid for the landmark case to be referred to the ECJ, after the Irish Supreme Court backed a ruling made by the Irish High Court in May 2018.

Facebook had been consistently trying to stop the case - brought by Austrian privacy activist and lawyer Max Schrems - from reaching the ECJ, which in 2015 had suspended the Safe Harbour agreement that allowed data-sharing between the EU and the US.

It ruled against the long-standing agreement, stating that it no longer sufficiently protected European information against US surveillance, in light of the Edward Snowden whistleblowing revelations.

The Irish investigation began in 2015 - chosen to lead Europe’s response to the court decision, as Facebook’s EU headquarters is in Dublin. This prompted Schrems to bring his data privacy case against Facebook to the Irish data protection watchdog.

He argued in 2013 that the Edward Snowden disclosures showed there is no effective data protection regime in the US. Facebook argued that the General Data Protection Regulation (GDPR) rules made the case irrelevant.

On Thursday, in a non-binding opinion, ECJ advocate general Henrik General Saugmandsgaard said the EU clauses are “valid”.

While it was not for the tribunal to rule on the legality of the separate Privacy Shield pact in this case, he expressed concerns over people’s right to privacy and “an effective remedy”.

In his opinion, the advocate general said the standard contractual clauses adopted by the European Commission provide a “general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there”.

The statement continued: “So far as there is an obligation - placed on the data controllers and, where the latter fail to act, on the supervisory authorities - to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with."

Mark Thompson, global lead for KPMG’s Privacy Advisory Practice, commented: “There will be a collective sigh of relief throughout the business community at the non-binding opinion of the advocate general.

"This case had the potential to significantly increase the administrative burden on EU based businesses transferring data internationally – a practice which is common across almost all sectors and sizes," he continued. "This opinion reduces the likelihood of Privacy Shield and standard contractual clauses being revoked allowing businesses to continue to rely upon these, avoiding costly and time consuming remediation.”

    Share Story:

Recent Stories