
ECJ strikes down EU-US “privacy shield”




Max Schrems, a digital privacy activist at the noyb (none of your business) pressure group, does not want his personal data transferred to Facebook in the US. Library picture: Max Schrems (on left) is seen speaking at a human rights conference in Vienna, 22 May 2018. Photo credit: Österreichisches Außenministerium/photonews.at/Anna Rauchenberger (CC BY 2.0)

The agreement between Brussels and Washington on sharing personal data does not sufficiently protect EU residents, the EU’s top court has ruled as it declared the deal “invalid”.

The ruling came as part of a lengthy legal campaign against Facebook.

Max Schrems, an Austrian privacy activist, was behind a lawsuit that led the European Court of Justice, in 2015, to strike down the EU-US “Safe Harbour” deal that allowed companies to transfer electronic records across the Atlantic. Brussels and Washington then replaced it with the “Privacy Shield” agreement.

In the current case, Schrems objected to his data being transferred from Facebook Ireland to Facebook Inc in the US under the terms of the EU’s General Data Protection Regulation. Schrems lodged a complaint with the Data Protection Commissioner in Ireland, which in turn filed a case before the High Court of Ireland. 

The High Court asked the European Court of Justice if the boilerplate contracts used by online services that transfer personal data to the US and elsewhere sufficiently protect European citizens.

The High Court additionally asked the ECJ if personal data transferred to the US can subsequently be used for national security and law enforcement purposes, and specifically which sets of law, protections and safeguards regulate the rights of EU citizens whose data is transferred to third countries.

On Wednesday, the ECJ said that under GDPR personal data can only be shared with a third country if “an adequate level of protection” is guaranteed. Because the agreement does not require the US to offer the same level of protection as European rules, the transfer of personal data should be suspended.

The court, however, said the use of standard contract clauses was acceptable.

Schrems said after the ruling was issued that the deal was struck down “because of overreaching US surveillance”.

Schrems also stated:

“I am very happy about the judgment. It seems the court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”

Eva Nagle, associate general counsel at Facebook, said in a statement emailed to Delano:

“We welcome the decision of the Court of Justice of the European Union to confirm the validity of standard contractual clauses for transfers of data to non-EU countries. These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens. Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of Privacy Shield and we look forward to regulatory guidance in this regard. We will ensure that our advertisers, customers and partners can continue to enjoy Facebook services while keeping their data safe and secure.”

Lawyers warned that European businesses need to look for “alternatives” to Privacy Shield. Olivier Reisch, a partner at the law firm of DLA Piper in Luxembourg, stated on 16 July:

“Today’s judgment has serious implications on the transfer of personal data outside the EU and is a wake-up call for EU businesses. For those businesses that previously relied upon Privacy Shield, an alternative transfer mechanism must be found. However, before using standard contractual clauses, which are the most commonly-used alternative transfer mechanism, businesses will need to verify the existence of appropriate safeguards, taking into consideration the real-life risks of such transfer, within the context of the sector / industry and other relevant factors including the destination country. This will also apply for businesses currently using standard contractual clauses. EU data protection authorities will have the unenviable task of determining the sufficiency of appropriate safeguards and is likely to trigger a further round of political discussions between the EU and U.S.”

Hunton Andrews Kurth, a US law firm, stressed the “urgency” of the situation, stating:

“Organizations that currently rely on the EU-U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S.”

The matter will now return to the High Court for final adjudication.

The case was C-311/18 Facebook Ireland and Schrems.

Updated 16 July at 4pm with statements from Facebook, DLA Piper and Hunton Andrews Kurth, and additional comments from Max Schrems