LONDON – EU regulators must block tech companies from transferring data outside the bloc in cases in which privacy rules are broken, an advisor to the European Union’s top court said Thursday, in a long legal case involving an Austrian privacy campaigner and Facebook.
The European Court of Justice’s advocate general said that so-called “standard contractual clauses” – in which businesses commit to abide by EU privacy standards when transferring messages, photos and other information – are adequate. Companies like Facebook routinely transfer such data across the world, and the EU rules mean they have to observe EU privacy rules.
Activist Max Schrems had argued that the clauses mean that authorities in individual EU countries can, under the law, halt data transfers in specific cases if data privacy is violated.
Advocate General Henrik Saugmandsgaard Oe agreed, saying in a preliminary opinion that under the clauses, companies and regulators have an obligation to suspend or prohibit transfers if there’s a conflict with the law in a third country such as the U.S.
The advocate general’s opinion is not binding but may influence the court’s judges when they issue their final ruling.
The case has threatened far-reaching implications for social media companies that move large amounts of data via the internet. Facebook’s European subsidiary regularly does so.
The legal saga’s origins date to 2013, when Schrems filed an initial case following revelations by former NSA contractor Edward Snowden of electronic surveillance by U.S. security agencies, including the disclosure that Facebook gave the agencies access to the personal data of Europeans.
Schrems, concerned that his personal information was at risk, had challenged the data transfers through the courts in Ireland, home to Facebook’s European headquarters.
The Irish Data Commissioner had issued a preliminary decision that the transfers may be illegal because the standard contractual clauses that govern data transfers don’t adequately protect consumers’ data privacy.
The Irish authorities eventually asked the ECJ, which is based in Luxembourg and is the EU’s top court, for a ruling on whether these contractual clauses comply with European rules.
“The opinion follows exactly our approach which says that generally data transfers are fine, unless there’s a specific surveillance law in another country that undermines European privacy protections,” Schrems said.
Facebook said it was grateful for the opinion. “Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas,” it said in a statement.
The Irish Data Protection Commission said it provided “clarity of analysis.”
“The opinion illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries, to include the laws of the United States,” spokesman Graham Doyle said.
Richard Cumbley, a partner at law firm Linklaters, said EU businesses dealing with U.S. affiliates or suppliers will be relieved at the opinion, which suggests the clauses “remain a solid basis for transferring data outside the EU.” But, he added, companies will still have to carry out “significant due diligence” when using them.
–Philipp-Moritz Jenne in Vienna contributed to this story.