Causa Facebook vs. Schrems: ECJ Advocate General has doubts about the Privacy Shield

Stage success for Max Schrems and his data protection organization Noyb (None of your business): In the Austrian dispute over Facebook's transfer of European citizens' data to the United States, the responsible Advocate General of the European Court of Justice (ECJ), Henrik Saugmandsgaard Øe, largely relied on that Beaten by civil rights activists. In his Opinion presented on December 19, the top lawyer opposed the position of the Irish Data Protection Authority (DPC), which is considered to be very close to the group and which Schrems has been trying to hunt in this complex case for years.

After the ECJ declared the relevant Safe Harbor Agreement invalid for US corporations in October 2015 due to the surveillance obligations for US corporations that Edward Snowden had exposed in the context of the NSA scandal, especially those stipulated in the Foreign Intelligence Surveillance Act (FISA) personal data based on so-called standard contractual clauses in the USA. In the same year, Schrems asked the Irish DPC to implement the ECJ ruling and to prohibit Facebook from further data transfer across the Atlantic. According to the activist, Article 4 of the standard contractual clauses gives the authority exactly this possibility.

The DPC then filed a lawsuit against Facebook and Schrems before the Irish High Court with the aim that the latter should refer the case back to the CJEU. The Irish authorities assumed that the relevant Standard Contract Clauses (SCC) were invalid overall. In these contracts, the foreign company undertakes to comply with European data protection.

Conflict between data protection and surveillance obligations

Saugmandsgaard Øe has now found nothing in the context of the analysis of the questions submitted by the High Court, which could affect the validity of the decision of the EU Commission on the principle recognition of standard contractual clauses. EU law may apply to transfers of personal data to a third country, even if the data transferred is there by the authorities there "for national security purposes" should be processed.

At the same time, the Dane emphasizes that the General Data Protection Regulation (GDPR) specifies it, regardless of the legal basis chosen "continuously high level of protection" to ensure at a comparable level as in the EU for transmitted personal information. The appropriate guarantees given by the exporter, for example, would also have to ensure such a standard.

The top lawyer the SCC also considers practicable only under certain conditions, So would have to "sufficiently effective regulations" exist that these clauses will also be suspended or prohibited if they are violated or "it is impossible to keep them", This could be due to a conflict, for example, between the protection obligations arising from the standard contractual clauses and the monitoring requirements such as the FISA in the third country. In such a case, the company concerned, or in the event of inaction, the supervisory authority – here the DPC – must actually prohibit or prohibit a transfer.