Share on Facebook Share
Share on TwitterTweet
Share on Google Plus Plus
We wrote recently about clouds gathering over the Privacy Shield framework that governs transatlantic data flows for thousands of US companies. As that post explained, even if the Privacy Shield is struck down by the EU courts, as some believe it will be, there are alternative mechanisms that can ensure the legality of data transfers out of the EU to the US. The most important of these is the use of standard contractual clauses (SCCs), also known as “model clauses”. However, last week an Irish judge said she would make a formal request for the Court of Justice of the European Union (CJEU), the EU’s highest court, to rule whether SCCs for this purpose were invalid too. If the CJEU decides they are, that will make sending personal data of EU citizens across the Atlantic hard, or even impossible, for many top Internet companies like Google and Facebook.
Last week’s court decision is another victory for the Austrian privacy activist Max Schrems. He’s been questioning the legality of Facebook’s transfer of his personal data from Ireland, where Facebook has its European headquarters, to the US for many years. But a turning point in his campaign was the release by the whistleblower Edward Snowden of hitherto secret documents that showed the NSA had routine access to the personal data of Facebook users under the PRISM program. As a result of that revelation, and Schrems’ dogged perseverance through the Irish and EU courts, the CJEU ruled in 2015 that the Safe Harbor scheme used by Facebook at that time did not provide sufficient protection for EU citizens.
Although the Privacy Shield framework was hurriedly drawn up to replace Safe Harbor, Facebook decided