Governance & Risk Management , Privacy , Standards, Regulations & Compliance

Facebook Wins an EU Privacy Ruling

Will Dispute Over Sharing European's Data With US Continue?
Facebook Wins an EU Privacy Ruling

Facebook’s sharing of data on European users with the U.S. is legal and provides enough protections, the legal adviser to the EU’s top court said on Thursday.

See Also: How Enterprise Browsers Enhance Security and Efficiency

Although the decision is nonbinding, some legal experts say opinions from the advocate general are typically followed by the court in a majority of cases.

Henrik Saugmandsgaard Oe, advocate general to the Court of Justice of the European Union, upheld the standard contractual clauses, or SCCs, for the transfer of personal data to processors in other countries and pronounced them as valid. The standard contractual clauses are sets of contractual terms and conditions to which the sender and the receiver of personal data agree.

Austrian law student and privacy activist Max Schrems had challenged Facebook’s use of such contractual clauses on the grounds that they do not offer sufficient data protection safeguards. The clauses underpin important business activities such as outsourced services, cloud infrastructure, data hosting, human resources management, payroll, finance and marketing.

This is not the first time that Schrems has fought for the privacy rights of Europeans. In 2015, he successfully fought against the EU’s previous “Safe Harbor” privacy rules. Those rules, which were developed between 1998 and 2000, were designed to prevent private organizations within the European Union or United States that store customer data from accidentally disclosing or losing personal information.

Arguing that transfer of data to the U.S. could lead to mass surveillance in violation of EU privacy law, Schrems’ efforts led to the replacement of the Safe Harbor rules with the “Privacy Shield” system in 2016. But Facebook said it would not use the “Privacy Shield” and instead rely on standard contractual clauses.

Background to the Case

Data privacy has become a major concern since revelations in 2013 by former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance which triggered outrage among politicians in Europe.

Schrems’ latest efforts focused on standard contractual clauses used by Facebook and hundreds of thousands of companies to transfer personal data to the United States and other parts of the world. SCCs are aimed at protecting personal data leaving the European Economic Area through contractual obligations in compliance with the EU’s General Data Protection Regulation.

Schrems challenged Facebook’s use of such standard clauses on the grounds that they do not offer sufficient data protection safeguards.

Schrems argued the clauses still do not take into account the privacy of EU citizens and residents. But the advocate general ruled that the data transfers using the standard clauses is valid.


Reacting to the ruling, Schrems said: “Problem is that the advocate general is proposing a lower level or privacy protections for “national security” under the European Convention of Human Rights, not the EU’s Charter of Fundamental Rights.”

Meanwhile, Facebook said in a statement that it was “grateful” for the opinion and said standard contractual clauses “provide important safeguards to ensure that Europeans’ data are protected once transferred overseas.”

Some privacy experts argue that the SCC mechanism is useful if companies suspend transfers when the receiving country has surveillance regimes that undermine safeguards within the SCCs. But some argue that the advocate general did not resolve the heart of the matter and predicted there will be further challenges if the EU courts don’t resolve the issues involved.

Who Is Schrems?

Schrems, 31 began his fight against Facebook eight years ago. Last year, he launched None of Your Business, a non-profit organization that aims to challenge more companies with privacy lawsuits.

Max Schrems

The Financial Times reports that Schrems’ journey started as a 23-year-old law student when he had requested his personal data from Facebook for a college paper. He found that the social media giant had amassed 1,200 pages of things he had “liked” and every private message he’d ever sent. He filed 22 complaints claiming that Facebook was breaking European data protection law, undermining the fundamental right to privacy.

About the Author

Suparna Goswami

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.