Max Schrems challenges legality of EU data transfer tools

The latest clash between Facebook and Austrian privacy activist Max Schrems could disrupt hundreds of thousands of companies as Europe’s top court rules on Thursday on the legality of tools companies use to transfer Europeans’ data around the world, Reuters reports.

Schrems is an Austrian privacy campaigner who has been raising issues around Facebook - and by proxy every company that collects user data - for almost a decade.

At stake are standard contractual clauses used by Facebook, banks, industrial giants, carmakers and others to transfer personal data to the United States and other parts of the world for services ranging from cloud infrastructure, data hosting, payroll and finance to marketing.

Another key issue is whether the EU-U.S. Privacy Shield, set up in 2016 to protect Europeans’ personal data transferred across the Atlantic for commercial use, is lawful. The same court rejected its predecessor known as Safe Harbour.

If the court finds the mechanisms are illegal, companies could have to suspend the data transfers that underpin standard contractual clauses or face hefty fines for breach of EU privacy laws. Other options are costly and complex and seldom used.

The latest case - C-311/18 Facebook Ireland and Schrems - came before the Luxembourg-based Court of Justice of the European Union (CJEU) after Schrems challenged Facebook’s use of standard clauses as lacking sufficient data protection safeguards.

Schrems shot to fame for winning a legal battle in 2015 to overturn Safe Harbour. EU concerns about data transfers mounted after former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance.

The Irish Data Protection agency, which is Facebook’s lead regulator, took the case to the Irish High Court, which then sought guidance from the CJEU.

Last December a CJEU adviser said such data transfer mechanisms were legal with the caveat that they could be blocked if countries receiving such information fail to meet European data protection standards.

In the EU, the General Data Protection Regulation (GDPR), introduced in 2018, seeks to increase individuals’ control over their personal information. Companies that fail to comply are liable to fines of up to 4% of global annual turnover.

Follow EU Today on Social media:

EUToday Correspondents

EUToday Correspondents

Our team of independent correspondents, based across Europe and beyond, are at the centre of geopolitical dynamics. We are united by our commitment to free and unbiased journalism, and our devotion to the concept of true and unfettered democracy. We take our job very seriously!

Related posts