EU-US data transfer tool in Facebook case gets cancelled in EU Court
LUXEMBOURG CITY (LUXEMBOURG) – Europe’s top court on Thursday cancelled the validity of a mechanism used by a lot of companies to send data to the United States. This was in favour of the concerns about US surveillance raised by privacy activist Max Schrems during his clash with Facebook.
The EU-US Privacy Shield was founded in 2016 to safeguard personal data of Europeans as it is transferred across the Atlantic for commercial purposes. The same court also rejected its predecessor, which was known as Safe Harbour, in 2015.
The EU Court of Justice said, “In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes, or the existence of guarantees for potentially targeted non-US persons.”
However, judges confirmed the validity of another data transfer mechanism called Standard Contractual Clauses but emphasised that those keeping a guard over privacy must delay or prohibit transfers outside the EU if protection of the data is doubtful.
Companies including Facebook, industrial giants and carmakers make use of these clauses to transfer the data of Europeans around the world regarding services such as cloud infrastructure, data hosting, payroll, finance and marketing.
Data transfers that underpin standard contractual clauses or face hefty fines for breaking EU privacy laws, have to be suspended if the court had invalidated those clauses.
The case – C-311/18 Facebook Ireland and Schrems – approached the Court of Justice of the European Union (CJEU) in Luxembourg after the use of the standard clauses by Facebook was questioned by Schrems, saying they lacked effective data protection safeguards.
Schrems shot to fame in its pursuit to overturn Safe Harbour and after winning a legal battle in 2015. EU’s concerns about data transfers arose recurrently after former US intelligence contractor Edward Snowden’s revelations in 2013 of mass US surveillance.
Facebook’s lead regulator known as The Irish Data Protection agency took the case to the Irish High Court, seeking guidance from the CJEU.
The General Data Protection Regulation (GDPR), introduced in the EU, in 2018, aims to increase the control that individuals have over their personal information. Companies that fail to comply are charged fines of up to 4% of global annual turnover.
(Photos syndicated via Reuters)
This story has been edited by BH staff and is published from a syndicated field.