Many large U.S. tech companies routinely transfer private EU citizen’s data without sufficient protection from U.S. mass surveillance.
On Tuesday, in a case which has significant implication for many big companies, Ireland’s High Court stated it would ask EU’s top court to rule on the way in which internet companies, including Facebook, Apple and Google, transfer users’ data to the United States.
The development marks the latest attempt at questioning the way big tech firms routinely transfer data outside the 28-nation European Union without providing EU consumers sufficient protection from U.S. surveillance.
Data privacy has increasingly come under the spotlight after Edward Snowden, a former U.S. intelligence contractor unveiled the scope of the mass U.S. surveillance in 2013 which caused political outrage across the globe.
Irish High Court Judge Caroline Costello said she had decided to ask the European Court of Justice for a preliminary ruling in the case.
“European Union law guarantees a high level of protection to EU citizens … they are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area,” she said.
The Irish Data Protection Commissioner’s office became involved after Max Schrems, an Austrian law student and a privacy activist, made a complaint in Dublin regarding Facebook’s handling of his data in the United States.
According to the judge, the Irish Data Protection Commissioner “has raised well-founded concerns that there is an absence of an effective remedy in U.S. law compatible with the requirements of Article 47 of the Charter (of Fundamental Rights).”
Significantly, she added that the newly created U.S. ombudsperson which deals with Europeans’ complaints regarding U.S. surveillance did not eliminate those concerns.
As per the spokeswoman from Facebook, it was essential the EU court “considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses (SCCs) and U.S. law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.”
Facebook has previously maintained that the case could potentially lead to a breakdown in transatlantic data transfers that could knock EU economic output by up to 1.3%.
The European Court of Justice (ECJ) had earlier ruled against the common legal arrangements that are routinely used by thousands of firms to transfer personal data outside the EU thus causing a serious headache for companies.
Millions such transfers happen routinely every day and include credit card transactions, hotel bookings or moving employee data between countries.
“I hope we will get a decision that ends this ping-pong and stops kicking the can down the road,” said Schrems, speaking to reporters outside the Irish court.
He went on to add, he does not expect the standard contractual clauses to be banned by EU’s top court.
According to Linklaters, a law firm, it believes the ECJ was unlikely to halt transatlantic data transfers; it expects the ECJ’s ruling to lead to additional safeguards, which are likely to come at additional costs.
“This decision will be closely watched by many businesses as it could have significant implications for their ability to transfer personal data internationally,” said Richard Cumbley, partner in Linklaters’ technology group.