LUXEMBOURG (CN) — In a win for Facebook, a magistrate for Europe’s highest court backed the validity Thursday of data transfers from the European Union to the United States.
The case stems from a requirement that data transfers to non-EU countries cannot occur unless the EU endorses their protection levels or unless users sign a standard contractual clause, granting permission for their data to be shared.
After it was revealed in the Edward Snowden leaks that Facebook participated in the PRISM program, where America’s National Security Agency collected internet communications without a warrant, Austrian privacy activist Max Schrems filed a complaint against Facebook in 2013.
The case began in Ireland, where Facebook has its European headquarters, but the High Court there referred the matter to the European Court of Justice for insight on the particulars of EU law.
While the Luxembourg-based court has not yet ruled after hearing arguments in September, Advocate General Henrik Saugmandsgaard Øe shared his recommendations for the case Thursday in wrote in a nonbinding opinion.
“The standard contractual clauses … represent … a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there,” the opinion states.
Facebook collected the data at issue in the European Union, via its Irish subsidiary, and then sent to the U.S. This is a widely used practice among tech companies that store data on servers all over the world.
Despite today’s ruling being seen as a win for Facebook, Schrems himself he too is happy with the result. “This is a total blow to the Irish DPC and Facebook as well as a very important step for users’ privacy,” Schrems said in a statement, using an abbreviation for Data Protection Commission.
Schrems focused in particular on a section of Øe’s opinion that says “there is an obligation — placed on the controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer when … those clauses cannot be complied with.”
“At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints,” Schrems said.
Øe, originally from Denmark, is one of the 11 advocate generals who provide legal opinions to the ECJ upon request. Though opinions are nonbinding, verdicts typically follow the same legal reasoning.
This is the second case Schrems has brought over digital privacy. He previously sued Facebook in 2011 after requesting his personal data from Facebook and discovering just how extensive the information was.
That case also reached the European high court and resulted in what is known as the Schrems I verdict, which invalidated the Safe Harbor Framework. That EU regulation allowed the EU to share data on its citizens with the United States and was replaced in 2016 with the EU–US Privacy Shield.
A ruling in the case is expected in the coming months.