Facebook’s method of transferring data from the EU to the US for business purposes is being challenged again in court. The Irish data protection commissioner is arguing that the legal mechanism for these transfers does not sufficiently protect EU citizens’ right to privacy. The concern is such transfers could be subject to mass surveillance by US intelligence agencies.
Facebook said data protection safeguards were in place.
The challenge was prompted by privacy activist Max Schrems, who had previously taken Facebook to court over the so-called Safe Harbor data-transfer agreement. He has been tweeting from the Court of Justice of the European Union (CJEU) in Luxembourg, revealing that he thinks it could take until “the end of the year” for the case to be resolved. A ruling against Facebook could potentially undermine the basis on which many businesses send data across the Atlantic – particularly technology giants that rely on cloud computing and communications technology.
Currently, the social network transfers vast amounts of personal data about EU users to servers in the US – everything from people’s names to information about their activity online. In 2013, documents published by ex-CIA contractor Edward Snowden suggested Facebook was a target of “Prism”, a US National Security Agency’s mass surveillance programme. The alternative legal framework Facebook has used since is called “standard contractual clauses” (SCCs). But the Irish data protection commissioner has suggested that SCCs are not fit for purpose given the possibility of intelligence agency surveillance.
Should the CJEU decide that SCCs are indeed problematic, the ruling would have huge ramifications for Facebook and other businesses, said legal expert Orla Lynskey, at the London School of Economics. “That would have a very significant impact for companies,” she told BBC News. “The big question is, when assessing whether or not data can go to third countries [outside the EU], should we be taking into consideration potential access by intelligence or law enforcement agencies?”
Jack Gilbert, associate general counsel for Facebook, said the social network was “grateful” for the consideration of the CJEU. “Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas,” he said. “SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide.”