Facebook Faces Activist, EU Judges in ‘Schrems II’ Privacy Case
Facebook Faces Activist, EU Judges in ‘Schrems II’ Privacy Case
(Bloomberg) -- Facebook Inc. warned the European Union’s top court that toppling a key system used by companies to transfer data out of the EU would threaten trans-Atlantic trade, in the latest twist of a six-year-old saga pitting the social media giant against privacy activist Max Schrems.
Facebook lawyers told the EU Court of Justice that the lawsuit threatens contractual clauses that companies rely on to transfer commercial data overseas. The new protocol was used as the only reliable option after Schrems won an earlier case throwing out an EU-U.S. data accord.
The first Schrems case led to a surprise ruling in 2015 that struck down a widely-used trans-Atlantic data-transfer system over concerns U.S. spies could get unfettered access to EU data. Facebook warned of economic turmoil if the court does the same again.
At risk in the latest case are so-called Standard Contractual Clauses, the most efficient alternative to transferring commercial data after the EU court’s first decision. It also questions parts of the so-called EU-U.S. Privacy Shield, the new trans-Atlantic data transfer pact adopted in 2016 to replace the Safe Harbor accord torpedoed by Schrems.
“Were SCCs to be invalidated, the effect on trade would be immense,” Facebook lawyer Paul Gallagher told the judges. “If data transfers were prohibited, the effect on EU service imports into the U.S. per annum would be a decrease of between 16% and 24%.”
The case stretches back to 2013, when former U.S. contractor Edward Snowden exposed the extent of spying by the U.S. National Security Agency. The revelations led to the original complaints by Schrems asking the Irish data protection commissioner to stop Facebook’s EU-U.S. data transfers.
“There is no evidence before the court suggesting Facebook transfers are under any particular risk and Facebook transfers are encrypted to military grade standard,” Gallagher said. The court’s 2015 ruling led to an “unparalleled” level of engagement between the EU and the U.S. “and a level of disclosure with regard to intelligence operations and legal provisions” that has brought “very significant improvements.”
Schrems, 31, has been challenging Facebook in the Irish courts -- where the social media company has its European base -- arguing that EU citizens’ data is at risk the moment it gets transferred across the Atlantic. The Irish court last year sought the EU judges’ advice, focusing on the standard contractual clauses. The outcome could ultimately affect thousands of companies across the bloc that use the EU-regulated tool.
For Schrems it’s a “systemic” problem, regardless of the transfer tool companies use.
“When data is transferred to Facebook in the U.S. this high level of protection is undermined by certain U.S. laws and that is true of any transfer mechanisms, whether standard contractual clauses, Privacy Shield or other any other contractual arrangement,” his lawyer, Eoin McCullough, said at the hearing. “U.S. law requires Facebook to assist the U.S. in surveillance of non-U.S. persons.”
In a rare instance in EU court hearings, the U.S. is one of a long list of intervenors in what lawyers are calling the “Schrems II” case.
Eileen Barrington, a lawyer for the U.S. government, said “the manner in which the U.S. data collection operates has been mis-characterized.”
She said she was there to assist the court “in so far as necessary with a full understanding of U.S. law and practice in the area of signals intelligence,” which involves the monitoring and interception of radio and radar signals.
But Schrems is pushing the EU court to invalidate the bloc’s newest trans-Atlantic data transfer tool, Privacy Shield, just like it did with Safe Harbor.
The EU “has fundamentally erred when assessing U.S. surveillance laws,” McCullough said.
If the clauses and the Privacy Shield were torpedoed for failing to provide sufficient safeguards to protect the data of European citizens, it would leave companies with few data-transfer alternatives. The legal gap created by such a ruling would expose companies to “significant compliance risks,” said Ross McKean, a data protection lawyer at DLA Piper in London, who isn’t involved in the litigation.
Facebook tried for almost two years, and failed, to prevent the Irish court from referring the dispute to the EU tribunal. Peter Church, a technology and privacy lawyer at Linklaters in London, said it’s “pretty unlikely” the EU court will uphold the standard contractual clauses in their current form. The Irish judge, in the opinion referring the case to the EU tribunal, was “pretty negative” on the issue, he said.
An advocate general at the court will give a non-binding opinion in the “Schrems II” case on Dec. 12 this year. A final ruling could take months longer.
To contact the reporter on this story: Stephanie Bodoni in Luxembourg at sbodoni@bloomberg.net
To contact the editors responsible for this story: Anthony Aarons at aaarons@bloomberg.net, Peter Chapman, Giles Turner
©2019 Bloomberg L.P.