EU-US Data Flows Face Another Major Test

Transatlantic data flows are again in jeopardy after the EU Court of justice (CJEU) was asked to scrutinize the mechanism used by Facebook and other tech companies to transfer data on EU citizens to the US.

Max Schrems, the Austrian law student whose complaint about US mass surveillance first brought the Safe Harbor agreement crashing down, is again at the center of a case with potentially huge implications for US tech giants and their customers.

After the last ruling, Facebook has been relying on standard contractual clauses (SCCs) to transfer data from its EU base in Ireland back across the Atlantic.

However, Schrems still wasn’t happy about the protections offered against the US authorities potentially snooping on his personal data.

Now the Irish High Court has once again asked the CJEU to decide – as it did with Safe Harbor – whether SCCs are still valid.

In response to the verdict, Schrems questioned why the court couldn’t simply allow the Irish privacy watchdog to suspend Facebook’s data flows and instead had to broaden the debate to include the validity of all SCCs in this context.

However, he claimed the court had agreed with his position that US surveillance is ongoing and a threat to privacy.

“Facebook didn’t really get anywhere saying 'there is no surveillance, look the other way',” Schrems said in a brief video following the ruling.

“In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that,” he continued in a written statement. “As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”

Emily Taylor, CEO of Oxford Innovation Labs and Chatham House associate fellow, claimed that the ruling came as no surprise.

"The case shows that the Snowden revelations continue to reverberate on both sides of the Atlantic," she told Infosecurity Magazine. "The CJEU has taken a consistently hard line against mass data collection and retention, and increasingly relies on the EU Charter of Fundamental Rights. The Charter allows for 'more extensive protection' of fundamental rights such as privacy, compared with the more familiar European Convention."

Taylor added that the UK's own surveillance laws, recently updated with the Investigatory Powers Act, could end up severely restricting cross-border data transfers with the EU in the same way.

The good news for Facebook is that it could take over a year for a judgement from the CJEU, during which time SCCs are still valid.

What’s Hot on Infosecurity Magazine?