Irish High Court sends Facebook’s EU-US data transfers before CJEU
“Standard Contractual Clauses” and “Privacy Shield” on the table
Major Judgement on Facebook EU-US data flows. Today (April 12th) the Irish High Court made a reference to the Court of Justice of the European Union (CJEU) for a second time over a complaint by Max Schrems against Facebook’s data sharing with US surveillance services, as disclosed by Edward Snowden. The High Court seeks a preliminary ruling on core questions of US surveillance and Facebook’s involvement in it. The questions to the CJEU are available here and the underlying judgement from October 3rd 2017 is available here.
US Surveillance. US surveillance laws (like FISA 702 and EO 12.333) and US surveillance programs disclosed by Edward Snowden (like “PRISM” and “Upstream”) allow the US government legally and factually to access data from large US tech companies, such as Apple, Facebook or Microsoft.
Facebook’s EU-US data transfers. Facebook operates its international business outside of the United States and Canada via a separate company in Ireland called “Facebook Ireland Ltd”. 85.9% of all worldwide Facebook users (everyone except USA and Canada) are managed in Dublin, which is understood to be part of Facebook’s tax avoidance scheme.
Facebook currently sends all user data to its parent company, “Facebook Inc.” in the United States, for processing. European law (Articles 25 and 26 of Directive 95/46/EC) allows personal data to be transferred outside of the EU only if it is “adequately protected”. This is in conflict with US mass surveillance laws, which “Facebook Inc.” in the USA is subject to.
Max Schrems: “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that. As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run unless they split the service in two or give up tax avoidance in Ireland.”
Standard Contractual Clauses. EU law in principle prohibits all data transfers outside of the EU, where the strict EU privacy laws do not apply. To still allow necessary data flows, there are a number of exceptions to this principle that expand EU law through a B2B contract.
One exception was “Safe Harbor”, which Facebook used before it was invalidated by the CJEU.
Another exception is “Standard Contractual Clauses” (“SCCs”, also called “Model Clauses”), which a non-EU company can sign to receive data from the EU. Facebook is currently using SCCs between “Facebook Ireland” and “Facebook Inc.”.
All contractual systems have an “emergency clause” built in (Article 4 of the SCCs). This clause allows the local data protection authority (the DPC in this case) to stop data flows, even if SCCs are in place, whenever there is a conflicting law in a foreign country (in this case US surveillance laws).