Standard contractual clauses (SCCs) that Facebook uses to transfer data to the US, where it is at risk of mass surveillance, allow the Irish data protection commissioner (DPC) to stop individual transfers, which is an obvious solution to the problem, according to Austrian lawyer Max Schrems.
“We don’t have a problem with SCCs – we have a problem with enforcement,” Schrems said in a statement ahead of the hearing in Luxembourg, adding that the Irish DPC has a duty to act, instead of referring the case back to the CJEU [Court of Justice of the European Union].
The case before the CJEU is therefore not about all EU-US data transfers, only about transfers to the US that are subject to mass surveillance, according to noyb, the European non-profit organisation set up by Schrems that enforces the right to privacy through litigation, with the support of more than 3,500 donors.
In most situations, noyb said, there are simple ways to avoid mass surveillance, and many industry sectors, such as the banking and airline industries, do not fall under any such mass surveillance law because US surveillance laws such as FISA 702 apply only to electronic communication service providers.
The problem arises mainly with cloud service and communication providers that fall under surveillance laws, such as Facebook, Google, Apple and Amazon Web Services, but not with any other industry sector or “necessary” data transfers such as emails and bookings, as specified in article 49 of the GDPR.
The complaint targets only Facebook, which is named in the Snowden documents as aiding the US National Security Agency (NSA) with mass surveillance under the Prism programme. And, according to Schrems, if correctly applied and enforced by the DPC, the SCCs provide a proper solution.
Facebook has relied on the European Commission’s assessment of US law in the Privacy Shield agreement, which says that US surveillance laws comply with EU requirements, and argues that this assessment should also apply to the SCCs.
But Schrems argues that this assessment by the EC is wrong and that because Privacy Shield is based on a false interpretation of US law, it should be invalidated, like Safe Harbor.
The prospect that SCCs may be invalidated by the CJEU has raised concerns about the implications this would have for companies that rely on SCCs to carry out their day-to-day business. However, according to noyb, a potential solution lies in simply outsourcing data processing that could be done in Europe or other countries that provide proper data protection standards, rather than in the US.
The CJEU is to receive an opinion from the advocate general, Henrik Saugmandsgaard Øe, on 12 December and is expected to issue a final judgment towards the end of the year or early in 2020.
After the CJEU judgment, the DPC will finally have to decide on the complaint, and the decision could again be subject to appeals by Facebook or Schrems.