Judge data-transfer contracts on their own merits, EU official says

10 November 2017 3:12pm

9 November 2017. By Vesela Gladicheva.

Facebook's transatlantic data-transfer contracts don't need to meet the same high legal bar as EU rulings on foreign privacy regimes, a senior European Commission official has said.

And that's a message the commission will also be telling EU judges as they handle a new Irish dispute over the social-media company’s handling of users' data.

Bruno Gencarelli said a variety of ways are available to lawfully move data outside the bloc, and that European judges shouldn't apply the same test to contractual clauses as to "adequacy" decisions on third countries.

"What for us is very important is that the diversity of [EU] transfer tools ... is fully recognized," according to Gencarelli, who heads the EU executive's department for international data flows and protection.

The comments came a month after the Irish High Court decided to seek guidance on the case from the EU Court of Justice in Luxembourg. The referral could cause uncertainty for companies handling personal information in the EU, which commonly shift data from the bloc to other countries under the terms of these contracts.

"We will certainly be active on that case," Gencarelli told a conference* in Brussels, confirming that the commission would formally "intervene" to offer its views before the EU court.

An adequacy decision issued by the commission ranks highest of all data-transfer methods in terms of robustness, Gencarelli said.

"It cannot be that the same test is applied across the board to all EU transfer tools," he said.

"The practice shows these tools have been considered to be subject to different tests and conditions," the official said.

In 2015, the EU court invalidated the EU-US Safe Harbor data-transfer accord, which had been used by thousands of companies since 2000. The instrument — which had confirmed that the American legal system ensures a level of data protection similar to that of the EU — failed to provide sufficient safeguards to European residents, the court ruled.

* "IAPP Europe Data Protection Congress,” Brussels, Nov. 8-9, 2017

CCPA Report