EU court opinion finds EU-US data transfers lawful but raises questions over Privacy Shield

The Advocate General of the European Court says standard contractual clauses are lawful, but raises questions over the impact of US surveillance on the legality of Privacy Shield

The European Court of Justice (ECJ) has backed lawyer and privacy activist Max Schrems and Facebook in a legal opinion which found that the contractual agreements widely used by companies to share data between the European Union (EU) and the US are lawful.

Advocate general Henrik Saugmandsgaard Øe said the agreements, known as standard contractual clauses (SCCs), were valid under EU law as mechanisms for ensuring the privacy rights of EU citizens are protected when their data is transferred overseas.

But he raised questions over the lawfulness of the EU-US Privacy Shield agreement on data protection in the light of evidence that the US runs bulk surveillance programmes which breach European privacy laws and fail to give European citizens adequate rights of redress if their data is wrongly intercepted.

The case originates in 2013, when Schrems complained to the Data Protection Commission Ireland that Facebook was providing “mass access” to data on its European customers to the US intelligence agencies, in breach of European privacy law.

Speaking today, Schrems said he was generally pleased with the court’s statement. “The opinion is largely in line with our legal opinion and is an important sign of protecting the privacy of users,” he said.

In a 97-page legal opinion, Saugmandsgaard Øe found that US bulk surveillance programmes did not mean that standard contractual clauses, which are used by more than 100,000 companies to share data with the US, were unlawful.

But he said national data protection supervisors – in this case Irish data protection commissioner Helen Dixon – had an obligation to investigate complaints about breaches in European data and to take action if the transfers fail to meet EU law.

“Where appropriate, [the supervisor] must suspend the transfer if it concludes that the standard contractual clauses are not being complied with and that appropriate protection of the data transferred cannot be ensured by other means,” wrote Øe.

Questions over Privacy Shield validity

The Advocate General found that although the European Court of Justice did not need to make a decision on Privacy Shield, there were questions over whether Privacy Shield gave adequate privacy rights to EU citizens when their data is shared with the US.

He said Dixon should be given the chance to re-examine her files in the case. If she considered that Privacy Shield was an obstacle to her powers to suspend Facebook’s transfer of data to the US, it would be open to her to bring the matter before the national courts to refer back to the ECJ.

“Prudence dictates that the court should await the completion of these procedural steps before it examines the impact the Privacy Shield decision has on the way in which a supervisory authority deals with a request to suspend a transfer to the US,” he said.

Saugmandsgaard Øe said the validity of the Privacy Shield decision depends on whether the US ensures an “essentially equivalent” level of protection to EU data to that guaranteed by the General Data Protection Regulation (GDPR), the European Charter of Fundamental Human Rights, and the European Convention on Human Rights.

But according to the Advocate General’s opinion, it is not certain that US bulk surveillance programmes – authorised by section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 – provide adequate levels of privacy for EU citizens under EU law.

“I have doubts about the validity of the finding that the US guarantees, in the context of their intelligence services…an adequate level of protection,” he said.

A relief for European businesses

The case is expected to be heard by the European Court of Justice next year. In the majority of cases, the ECJ follows the opinion of the Advocate General, though some people involved in the case believe the court may reach a different finding.

Lisa Peets, the lawyer at Covington and Burling representing the Business Software Alliance, which was joined to the case, said the Advocate General’s decision to affirm the validity of SCCs was “tremendously important for companies across the economy, which rely on the SCCs for many of their day-to-day operations”.

Richard Cumbley, partner at Linklaters, said: “The Advocate General’s decision will prompt a huge sigh of relief amongst European businesses that deal with affiliates or suppliers in the US.”

He said the decision meant that businesses could use standard contractual clauses as a mechanism to share data with Europe following Brexit.

“They will therefore be an important tool for UK businesses to receive data from the EU post-Brexit, and make an adequacy finding a desirable rather than critical aspect of the forthcoming trade negotiations.”

Graham Doyle, head of communications for the Irish Data Protection Commission, said the opinion raised important issues. They include that EU law applies when a person’s data is processed by public authorities outside the EU, that US laws and practices lead to interference with the rights of individuals that are incompatible with US law, and that those problems are not cured by Privacy Shield.

“The opinion illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries,” he said.

Antony Walker, deputy CEO of trade group TechUK, said Saugmandsgaard Øe’s opinion was particularly important for small businesses preparing for Brexit, but he said there was still uncertainty over Privacy Shield.

“The Advocate General questioned the validity of Privacy Shield on the right to respect for private life and the right to an effective remedy. There will be a lot of focus on how these questions are addressed by the final CJEU [Court of Justice of the European Union] ruling,” he said.
