The European Court of Justice’s advocate general backed Max Schrems’ argument in a case focusing on whether Facebook's Dublin-based subsidiary can legally transfer users' personal data to the U.S. parent company.
At issue were so-called standard contractual clauses, which Advocate General Henrik Saugmandsgaard Oe said in a preliminary opinion are valid for protecting consumers’ data privacy when companies transfer data outside the EU for processing.
“The opinion is in line with our legal arguments,” Schrems said in a statement. The legal saga’s origins date to 2013, when Schrems filed a case following revelations by former NSA contractor Edward Snowden of electronic surveillance by U.S. security agencies, including the disclosure that Facebook gave the agencies access to the personal data of Europeans.
Schrems, concerned that his personal information was at risk, had challenged the data transfers through the courts in Ireland, home to Facebook's European headquarters. The Irish Data Commissioner had issued a preliminary decision that the transfers may be illegal because the standard contractual clauses that govern data transfers don't adequately protect consumers' data privacy. The clauses are data protection agreements approved by the EU's executive Commission in which businesses commit to abide by the bloc's stringent privacy standards, including protecting personal data.
The Irish authorities eventually asked the ECJ, which is based in Luxembourg and is the EU's top court, for a ruling on whether these contractual clauses comply with European rules. A final ruling from the court's judges, who often follow the advocate general's opinion, is expected later.
Schrems doesn't have a problem with the data agreements per se but said the commissioner can, under the law, take a more measured approach by halting data transfers in individual cases, like Facebook's.
Saugmandsgaard Oe agreed, saying that the clauses allow for data flows to be suspended or prohibited if there’s a conflict with a third country’s law. Facebook and the Irish Data Protection Commission did not immediately respond to requests for comment.