EU defends US data pact, as Facebook court case opens
The European Commission spoke out on Tuesday (9 July) in defence of its data-sharing agreement with the US, known as Privacy Shield - against the backdrop of a wider legal dispute between an Austrian privacy campaigner and social media giant Facebook.
"We basically concluded that the Privacy Shield works in practice," a European Commission spokesman told reporters in Brussels on Tuesday (9 July), noting that the US still needs to make some improvements.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
The self-validating agreement, enforced by the United States, is intended to protect the personal data of Europeans whenever sent to firms based in the US.
After lengthy delays, the US administration under president Donald Trump has finally implemented some of those intended measures.
But broader issues remain - particularly over the US's national security access to data, under its foreign intelligence amendments act (FISA), in particular personal information stored on US-based cloud providers.
Ireland
Meanwhile on Tuesday, a parallel legal battle was also unfolding at the European Court of Justice in Luxembourg.
At stake is whether the transfer of data by Facebook to the United States from Ireland meets EU privacy standards, and if Ireland's data protection commissioner (DPC) can even rule on such issues.
The potential fallout of a negative verdict for Facebook is huge, given its European user base. A final verdict is expected by the end of the year.
Facebook Ireland sends the data to its parent company in the United States for processing.
The social media giant has been using so-called standard contractual clauses (SCCs) to shift the data to the United States after Privacy Shield's predecessor, Safe Harbour, was scrapped by the European Court of Justice in 2015.
The clauses have a built-in emergency feature that allows local European data protection authorities to stop such data flows, should the personal data of Europeans be violated while in the United States and elsewhere.
Austrian privacy campaigner Max Schrems had argued that the Irish DPC at the time was duty bound to trigger the emergency clause, given revelations of US mass surveillance made in 2013 by former National Security Agency agent Edward Snowden.
The DPC referred the matter to the Irish High Court in 2016, which found that the US government engages in the "mass processing" of European personal data.
The Irish judges then sent the case to the European court amid speculation that the SCCs could follow a similar fate as the now-defunct Safe Harbour.
Facebook claims the transfers should be allowed and fall within the scope of Privacy Shield. It also argues US surveillance laws comply with EU requirements under the data pact.
"They basically tell the Court [it] has no right to even decide in this case," tweeted Schrems during the hearing on Tuesday, noting that Facebook had also argued the EU has no right to adjudicate on national security issues.
Critics say Privacy Shield is little more than a re-marketed version of Safe Harbour, which still enables the US to carry out the bulk collection of data.
In a statement earlier this week, Schrems voiced further frustration over the case.
"Over these six years, the DPC has actually decided in a mere 2-3 percent of the cases that were brought before it. We don't have a problem with 'Standard Contractual Clauses', we have a problem with enforcement," he said.
Site Section
Related stories
- Bulk collection still allowed under EU-US data 'shield'
- EU court to probe new Facebook data challenge
- EU court invalidates EU-US data transfer pact
- All 'big five' tech firms listened to private conversations
- EU states given right to police Facebook worldwide
- Facebook cries foul on EU request for internal documents