EU regulators must block tech companies from transferring data outside the bloc in cases in which privacy rules are broken, an advisor to the European Union’s top court said Thursday, December 19, part of a lengthy legal case involving an Austrian privacy campaigner and Facebook, reported The Financial Times.
In a legal case that has been running for nearly seven years, Henrik Saugmandsgaard Oe, advocate-general at the European Court of Justice, said the main set of tools that enables hundreds of thousands of companies to transfer emails, pictures and other personal data outside the EU provides sufficient protection for consumers.
“Standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is valid,” he wrote in a decision published in Luxembourg on Thursday. However, he noted that national regulators have an obligation to act in any case where they feel that data protections are insufficient.
His opinion came after supporters of the current framework said a blanket ban would cause economic upheaval and hamper Europe’s access to social media and a host of other online services, many of which are provided by US companies.
Facebook responded, “We are grateful for the advocate-general’s opinion on these complex questions. Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas.”
Campaigners however, led by Austrian data privacy activist, Max Schrems, who is also a party to this case, have argued that the current way of transferring data, particularly by companies such as Facebook and Google, continues to expose EU citizens to surveillance by intelligence agencies and governments, mainly in the US.
As part of his complaint, Mr Schrems had specifically asked that the Irish Data Protection Commissioner invoke a part of the law, known as Article 4, that would allow it to suspend data transfers from Facebook Ireland in specific cases where necessary.
“The advocate-general is now telling the Irish data protection authority again to just do its job,” Mr Schrems said. “We asked for a targeted solution, only for companies that fall under these surveillance laws. The DPC could have issued such a decision within a day,” Mr Schrems continued. “But they didn’t want to use article 4 and kicked it back to Luxembourg . . . this whole case is a responsibility-shifting exercise, because the Irish are terrified they’ll be sued into the ground by Facebook.”
Full Content: Financial Times
Want more news? Subscribe to CPI’s free daily newsletter for more headlines and updates on antitrust developments around the world.