Austrian activist Max Schrems displays a logo of social platform Facebook with his smartphone.
Joe Klamar | AFP | Getty Images
Facebook’s sharing of data on its European users with the U.S. is legal and provides sufficient protections, the legal advisor to the EU’s top court said Thursday.
In a symbolic win for the social network, Henrik Saugmandsgaard Oe, advocate general to the Court of Justice of the European Union (CJEU), said the use of so-called standard contractual clauses by Facebook and other firms to transfer information abroad is “valid.”
“Standard contractual clauses for the transfer of personal data to processors established in third countries is valid,” he said in written opinion Thursday.
The decision is not a ruling as such, but legal experts say opinions from the advocate general are typically upheld. “Based on history, in most cases the opinion is followed by the courts,” says Patrick Van Eecke, technology partner at law firm DLA Piper.
Schrems has been battling Facebook and other internet platforms in the courts for several years. His main contention is with the sharing of data from Europe to the U.S., claiming it aids Washington’s surveillance of citizens and governments in the bloc.
He successfully brought down the EU’s “Safe Habor” data regime in 2015, but argues the bloc’s new “Privacy Shield” arrangement on EU-U.S. data transfers is merely an update to the previous system and remains unlawful.
In Facebook’s case, Schrems argues that so-called standard contractual clauses used by Facebook to transfer data from its European subsidiary in Ireland to its main business in California fails to respect the privacy of EU citizens.
Data protection has become a major concern in the wake of revelations from former National Security Agency contractor Edward Snowden, who in 2013 blew the whistle on numerous global surveillance programs.
Europe last year ushered in stringent new privacy rules aimed at giving consumers more rights over how their data is used. Called the General Data Protection Regulation, or GDPR, the framework requires firms to seek explicit consent from users in order to handle their data. Fines under GDPR range from 20 million euros to 4% of a company’s annual income.
