In a win for Facebook, a senior legal adviser at the European Union's Court of Justice said on Thursday that standard contracts for the transfer of personal data outside the bloc are in line with EU law on data protection.

But the opinion by Saugmandsgaard Øe, an advocate-general at the EU court, also said transfers to the U.S. under contractual clauses could be stopped if it was shown that the expected safeguards on adequate data protection were not respected.

The legal adviser's opinion is not binding, but the EU court follows such recommendations in 70% of cases.

The opinion stems from a case initially brought before the Irish courts by privacy advocate Max Schrems, who demanded that Facebook stop data transfers to the U.S. because government authorities there were looking at private data on national security grounds. Facebook's European headquarters are located in Ireland.

In 2018, Schrems brought a case in an Irish court arguing that standard contractual clauses (SCCs), which are used by companies for the treatment of citizens' data transferred outside the EU, broke EU law. He argued that these clauses did not ensure that EU citizens' data would be protected in the U.S. because U.S. authorities had collected private data from companies citing national security concerns. Whistleblower Edward Snowden exposed in 2013 that the U.S. National Security Agency had been collecting private data from companies.

Schrems, who won a ruling from the EU court against the bloc's "safe harbour" arrangements for data transfer in 2015, said Facebook should stop sending data to the U.S. because these clauses failed to ensure data protection.

The advocate-general said the standard clauses were a valid way to ensure the protection of data transferred to the U.S., even though the U.S. authorities were able to gain access to private information. But he argued that transfers to the U.S. under contractual clauses could be stopped if it was shown that the expected safeguards on adequate data protection were not respected.

The compatibility of standard contractual clauses with the EU's Charter of Fundamental Rights "depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour", the advocate-general said.

Øe said that data controllers and supervisory authorities are obliged to stop, suspend or ban transfers when the commitments to provide adequate levels of data protection in the clauses cannot be met.

Schrems told Reuters he was "generally happy" with the legal opinion.

He noted that everyone will still be able to have all necessary data flows with the U.S., such as sending emails or booking a hotel in the U.S. But he cautioned that some EU businesses may not be able to use certain U.S. providers for outsourcing anymore because U.S. surveillance laws require these companies to disclose data to the National Security Agency.

"It is really upon the United States to ensure baseline privacy protections for foreigners," he said. "Otherwise no one will trust U.S. companies with their data."

Facebook said in a statement that it is grateful for the advocate-general's opinion. "Standard Contractual Clauses provide important safeguards to ensure that Europeans' data are protected once transferred overseas," the company said.

Lisa Peets, a partner who leads Covington & Burling's technology and media practice, said in a statement that the advocate-general's opinion is in line with the arguments put forward by its client, the Business Software Alliance. "It's tremendously important for companies across the economy, who rely on the [standard contractual clauses] for many of their day-to-day operations.

"We will now wait for the decision of the court in this very important case."
