Tech

Facebook secures a symbolic victory in EU court battle against privacy activist Max Schrems

Key Points
  • A legal advisor to the EU's top court says the use of tools by Facebook and other firms to transfer data abroad is "valid."
  • It is not a ruling as such, but opinions from the advocate general are typically followed by the court in a majority of cases.
  • Austrian privacy activist Max Schrems says he is "generally happy," adding the opinion "follows almost all of our arguments."
Facebook secures a symbolic victory in EU court battle
VIDEO2:1002:10
Facebook secures a symbolic victory in EU court battle

Facebook's sharing of data on its European users with the U.S. is legal and provides sufficient protections, the legal advisor to the EU's top court said Thursday.

In a symbolic win for the social network, Henrik Saugmandsgaard Oe, advocate general to the Court of Justice of the European Union (CJEU), said the use of so-called standard contractual clauses by Facebook and other firms to transfer information abroad is "valid."

"Standard contractual clauses for the transfer of personal data to processors established in third countries is valid," he said in written opinion Thursday.

His non-binding opinion is not a ruling as such, but legal experts say opinions from the advocate general are typically followed by the court in a majority of cases. The CJEU will rule on the case in the coming months.

Privacy activist Max Schrems has been battling Facebook and other internet platforms in the courts for several years. His main contention is with the exporting of data from Europe for processing in the U.S., claiming it aids Washington's surveillance of citizens and governments in the bloc.

He successfully brought down the EU's "Safe Habor" data regime in 2015, but argues the bloc's new "Privacy Shield" arrangement on EU-U.S. data transfers is merely an update to the previous system and remains unlawful.

The CJEU advocate general in his written opinion appeared to sympathize with Schrems' concerns about the Privacy Shield, "in the light of the right to respect for private life and the right to an effective remedy."

He said that there was ultimately an "obligation" on data controllers and regulatory authorities to suspend the transfer of data where it conflicts with the laws of the country that information is being sent to.

Austrian activist Max Schrems displays a logo of social platform Facebook with his smartphone.
Joe Klamar | AFP | Getty Images

In Facebook's case, Schrems has argued that standard contractual clauses used by the social network to transfer data from its European subsidiary in Ireland to its main business in California fails to respect the privacy of EU citizens.

Schrems 'generally happy'

Schrems praised the opinion submitted to the CJEU, claiming it "follows almost all of our arguments." He said in a statement that he was "generally happy" and called the news a "total blow" to Facebook.

While the Austrian law student has held issue with Facebook's transferring of data abroad, he said that he did not believe the measures used by the firm should be "invalidated" globally — an action that would prevent thousands of other businesses from using them.

Schrems also said in a tweet to CNBC that the advocate general was in agreement with his view that "the Authorities MUST stop any transfer at any time if there is any issue with US surveillance."

Tweet

Facebook said it was "grateful" for the opinion and said standard contractual clauses "provide important safeguards to ensure that Europeans' data are protected once transferred overseas."

"We look forward to the final decision from the CJEU," a spokesperson for the tech giant said in a written statement emailed to CNBC.

Data protection has become a major concern in the wake of revelations from former National Security Agency contractor Edward Snowden, who in 2013 blew the whistle on numerous global surveillance programs. Europe last year ushered in stringent new privacy rules aimed at giving consumers more rights over how their data is used.

Called the General Data Protection Regulation, or GDPR, the framework requires firms to seek explicit consent from users in order to handle their data. Fines under GDPR range from 20 million euros to 4% of a company's annual income. Schrems has argued that GDPR clashes with U.S. surveillance law.

"I'm very happy with this view from the advocate general," Patrick Van Eecke, technology partner at law firm DLA Piper, told CNBC over the phone. "I sincerely hope that the court is going to follow, as they often do, the opinion of the advocate general."

"If they wouldn't do that — and there is a chance they wouldn't — I think that would be bad news, not just for the U.S.-EU relations but for the global data economy."