Protecting Europeans from personal data transfers outside the EU

Duncan Barry Tuesday, 17 September 2019, 09:52 Last update: about 6 years ago

• Facebook's method of transferring personal data from the EU to the US for business purposes lands in Europe’s top court.

In July 2016, the EU-US Privacy Shield imposed stronger obligations on US companies to protect the personal data of Europeans, reflecting the requirements of the Court of Justice of the European Union (CJEU) which ruled the previous Safe Harbour framework invalid.

This framework provided a legal mechanism for companies to transfer personal data from the EU to the United States.

However, a few years down the line, the issue cropped up on whether Europeans are protected enough from US surveillance when Facebook transfers their personal data. The job of answering that question now lies with Europe's top court, despite Facebook’s bid to stop the case.

This legal battle which revolves around Facebook's transfer of data belonging to Europeans to the US has now ended up in CJEU. The landmark case opened in the CJEU on July 9.

Facebook has argued that privacy safeguards are in place when this information is sent to US servers, which can include everything from account data to online activity.

Standards in place require that data sent outside the EU to non-EU countries should still adhere to the General Data Protection Regulation (GDPR) rules but the issue is that existing standards might not be enough given the alleged widespread surveillance activities of countries including the US. The GDPR itself is a regulation that requires companies to protect the personal data and privacy of residents of EU countries. It replaces an outdated data protection directive from 1995 and restricts the way businesses collect, store and export people’s personal data.

Facebook, on the other hand, argued that “standard contractual clauses provide important safeguards to ensure that Europeans' data are protected once transferred overseas. Standards have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide”.

This comes after what was deemed ‘a lack of respect for privacy’ from Facebook following a privacy security breach which impacted some 50 million user accounts. This attack took place in September 2018 when Facebook was already facing scrutiny over how it handles the private information of its users. At the time, Facebook representatives had been quoted as saying that an attack on its computer network had exposed the personal information of nearly 50 million users.

Another major privacy breach was the Facebook–Cambridge Analytica data scandal - a major political scandal in early 2018 when it was revealed that Cambridge Analytica had harvested the personal data of millions of Facebook profiles without their user’s consent and used it for political advertising purposes. It has been described as a watershed moment in the public understanding of personal data and led to a great fall in Facebook's stock price at the time and led to calls for tighter regulation of tech companies' use of personal data.

A decision by the CJEU on this case is expected by the end of this year.

If you’d like any information on EU data protection rules and how they may affect you, MEUSAC is available to answer your questions directly or it will help you to liaise with the relevant authorities, depending on the case in question.

The author is Communications and Events Executive at MEUSAC.