The High Court in Ireland is asking Europe’s top court, the European Court of Justice (ECJ), to decide whether EU countries should outlaw the way Facebook, and other US tech companies, transfer personal data to the US.
The decision, which Justice Caroline Costello handed down in the Irish High Court today, means the ECJ will decide whether European data protections continue to apply for EU citizens once their data is moved to the US.
“European Union law guarantees a high level of protection to EU citizens ... they are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area,” Judge Costello said in her ruling.
Protecting Personal Data Through Standard Contractual Clauses
The ruling means the ECJ will look specifically at the use of a data transfer mechanism known as Standard Contractual Clauses (SCCs).
The European Commission introduced the SCC contract clauses as a means to establish safeguards for the transfer of personal data from the EU to countries (such as the US) not otherwise deemed to provide “adequate” protection.
These clauses appear in the contracts establishing US companies in the EU, or trade contracts between European companies and US companies.
The EC introduced them after the Safe Harbor Framework was invalidated in 2015, and they have since been used by thousands of companies that rely on them to transfer data to companies outside of the European Union.
Data Transfer Complaint
The Irish High Court ruling follows a complaint made by Austrian lawyer and privacy campaigner Max Schrems, who acted to prevent Facebook’s European headquarters in Dublin from transferring his personal data to the US.
Schrems originally made the complaint to the Irish Data Commissioner, who referred the case in turn to the Irish High Court. The High Court ruled that, as this was an issue that potentially affected all European citizens, it should go to the ECJ.
Schrems previously brought the legal challenge against the original Safe Harbor Agreement that resulted in it being struck down.
The basis of his complaint goes back four years to allegations made by former NSA contractor Edward Snowden in 2013 that the US government, through the NSA, was monitoring personal data and carrying out mass surveillance of individuals’ communications. The Irish High Court ruling reads:
“In considering Mr Schrems’ complaint, the Data Protection Commissioner looked at the legal regime in the United States authorizing electronic surveillance of data transferred from the EU to the US .... She formed the view that there appeared to be well-founded concerns that there is an absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter of Fundamental Rights of the European Union.”
Judge Costello also stressed she was not making any value judgments on the data protection laws in the EU or United States.
Nor was she making any comment on the recently created US ombudsperson dealing with Europeans’ complaints about US surveillance. She said that the creation of the ombudsperson did not eliminate concerns about surveillance.
Data Protection Resolution Won't Come Anytime Soon
The final ruling from the ECJ may take up to two years and it will be the end of this month before the actual question that goes to the ECJ is clarified.
In the meantime, US companies can still use SCCs or the Privacy Shield, which was also introduced after the Safe Harbor agreement was struck down.
The Privacy Shield differs from SCCs in that when using SCCs, there is generally no need for national authorization to transfer personal data out of the European Economic Area.
In addition to this, US companies that want to use the Privacy Shield need to certify their compliance with the Privacy Shield annually with the Department of Commerce, whereas there are no certifications required for SCCs.
Even the rigorous stipulations of the Privacy Shield, though, face legal challenges.
In the meantime, the SCCs are now going to the ECJ. Schrems posted his reaction on Twitter afterwards:
A statement from Facebook, cited by the BBC, read:
"Standard contract clauses provide critical safeguards to ensure that Europeans' data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business.
"They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption."