This article was published 6 yearsago

Facebook has failed in its final attempt to ward off a referral in the Court of Justice of the European Union, concerning data transfer for EU users to the US on privacy grounds. Facebook was transferring private data of EU citizens to the US using the Standard Contractual Clauses (SCC).

The case goes back to 2013, when Max Schrems, an Austrian privacy rights activist, filed a complaint against Facebook Ireland. The case cam in with Edward Snowden’s big US revelations still fresh, for transferring personal data of its users to the US. It was seen as a threat to information privacy of an individual in EU and the case ultimately ended in front of the CJEU. In 2015, CJEU declared the International Safe Harbor Privacy Principles, which was a  EU-US data transfer agreement, invalid. At that time more than 4,500 companies were using this to transfer data to the US. After the Safe Harbor was deemed invalid, the EU-US Privacy Shield came into existence as its replacement.

Schrem’s case is against Facebook exploiting these clauses to transfer data to the US. Recently, Facebook requested an appeal in Ireland’s Supreme Court to block its High Court’s referral over the EU-US data transfer case. The methods of these data transfers are under scrutiny. The case will now be handled by EU’s highest court. Facebook has lost its last opportunity to ditch the case. The High Court referral questions CJEU regarding the compatibility of the Privacy Shield with the US laws. The CJEU will also be validating whether the methods employed for data transfer including the SCC and the Privacy Shield are legal.

For Facebook it began when it shared personal data of more than 87 million users with Cambridge Analytica, which is a political consultancy, by improper means. Since it has faced Ireland’s courts, it is desperately trying to avoid this case. The implications of this ruling important for the future of numerous other companies that have signed the Privacy Shield agreement. Any changes in the agreement can restrict the data transfer from the EU to the US will be restricted to certain extent. Many companies use personal data from their consumers like browsing histories and information on monetary transactions to target specific advertisements to these consumers. These activities will be questioned and accessed during the ruling by CJEU.

Various institutions in the European Union are arguing about the Privacy Shield agreement and SCC over breach of privacy rights of individuals. This ruling will be an important step towards securing rights of people under the EU and preventing future incidents of data breach.