NL   /   EN

Team / Boekx Advocaten

media / 15 december 2015

Letter to Facebook re Data Protection after Safe Harbour

By registered mail, regular mail and e-mail: info@facebook.com, press@fb.com

Facebook Netherlands B.V.                                                      Facebook Ireland Limited

Herengracht 124-128                                                              4 Grand Canal Square, Grand Canal Harbour

1015 BT Amsterdam The Netherlands                                         2 Dublin Ireland

 

Facebook Inc. and Instagram LLC                                                WhatsApp Inc.

1601 Willow Rd                                                                       650 Castro Street, Suite 120-219

Menlo Park, CA 94025-1456                                                        Mountain View, California

United States of America                                                           United States of America

 

 

 

 

Amsterdam, 15 December 2015

 

 

Re:

Data protection after ECJ judgment Schrems C-362/14 

Our ref.:

20150153 Privacy First/PILP and others - Facebook

Email:

volgenant@boekx.com, blokhuis@boekx.com, vangroenendaal@boekx.com

 

 

 

 

Dear Mr. Zuckerberg,

 

Further to the judgment of European Court of Justice of 6 October 2015 in the Schrems v. Data Protection Commissioner case[1], we are contacting you on behalf of

and also on behalf of a number of individual Dutch users of Facebook, Instagram and WhatsApp, i.e. Mrs. Quirine Eijkman, based in Amsterdam, and Mr. Menso Heus, based in Amsterdam. These organisations and individuals are actively engaged in the public discussion about the fundamental right to protection of private life and the protection of personal data.

These fundamental rights are enshrined in the European Convention for Human Rights, in the European Charter of Fundamental Rights of the European Union and in all national constitutions and legislation of the Member States of the European Union, including the Netherlands. The basic principles of the protection for personal data are set out in the EU Data Protection Directive,[2] which must be interpreted in the light of the fundamental rights guaranteed by the EU Charter.[3] In its case law, the European Court of Justice has emphasised the importance of these rights.[4]

 

In its judgment of 6 October 2015, the European Court of Justice invalidated the Safe Harbour Decision of the European Commission regarding the transfer of personal data from the European Union to the United States. This judgment is effective immediately. Any continued transfer of personal data to the United States based upon this Safe Harbour Decision is unlawful with immediate effect. This was confirmed by the Article 29 Working Party[5] and by the European Commission.[6]

 

The European Court of Justice found that Facebook transferred personal data obtained in the European Union to the United States for further processing, relying on the Safe Harbour Decision for this mass transfer.

 

The European Court of Justice invalidated the Safe Harbour Decision because the legislation of the United States fails to ensure a level of protection essentially equivalent to that guaranteed in the legal order of the European Union.[7] In particular, legislation permitting the United States’ authorities to have access on a generalised basis to the content of electronic communications is regarded as compromising the essence of the fundamental right to respect for private life. Furthermore, data subjects from the European Union currently have no administrative or judicial means of redress in the United States, which would enable them to access, rectify or erase the data relating to them. These issues are not resolved yet.

 

To date, Facebook has not participated in the public debate on these issues. Facebook just stated that the judgment ‘is not about Facebook’ and that ‘Facebook has done nothing wrong’.

 

Following the Schrems-judgment, Facebook Ireland Ltd. entered into an agreement with Facebook Inc. based on the Standard Contractual Clauses drafted by the European Commission in 2010. Thus, it would appear that Facebook continues its activities unchanged, including transfer of personal data of data subjects from the European Union to the United States. This applies to all of the services of the Facebook concern, including Facebook, Instagram and WhatsApp. However, the use of Standard Contractual Clauses is no longer possible, as these clauses do not resolve the fundamental problems identified by the European Court of Justice in Schrems.

 

Should Facebook wish to rely on explicit consent of individual users of Facebook, Instagram and WhatsApp, this will not be sufficient either. European data subjects have not given prior, explicit and unambiguous consent[8] to Facebook to grant the United States’ authorities access on a generalised basis to the content of their communications, without any means of redress. And even if data subjects would give such consent, that option would be flawed. Consent needs to be specific and informed and freely given.

 

From our point of view, there is currently no basis to legally transfer personal data of data subjects from the European Union to the United States. The only solution to this issue is that the United States’ legislator enacts legislation which (a) limits storage and access of the public authorities in the United States of personal data transferred from the European Union to the United States and (b) provides for legal redress for data subjects from the European Union.[9] Until such solution is found, no personal data can legally be transferred from the European Union to the United States.

 

We invite Facebook to publicly engage in a meaningful and transparent dialogue aimed at finding such solution, and to pressure the authorities to find such solution. Facebook is invited to publicly share its current and intended policies and practice on data transfer. This applies to the services of Facebook, WhatsApp and Instagram and to any other services the Facebook–group offers.

 

On behalf of our clients, we request – and to the extent legally required we summon – all Facebook entities to end the current unlawful transfer of personal data from the European Union to the United States until the moment that the legislation of the United States is amended in order to provide for a level of protection essentially equivalent to that guaranteed in the legal order of the European Union. Please provide this assurance ultimately by Friday 15 January 2016 (18:00 CET).

 

If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings[10] in the Netherlands and to request a preliminary injunction from the competent Dutch Court.

 

We look forward to hearing from you.

 

Yours sincerely,              

 

 

 

 

 

 

 

Otto Volgenant                                            Fulco Blokhuis                                     Jurian van Groenendaal

Attorneys-at-law

 

 

 

 


[1] European Court of Justice, Grand Chamber, 6 October 2015, C-362/14,  http://curia.europa.eu/juris/document/document.jsf?docid=169195&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=172521

[2] Directive 95/46/EC.

[3] For instance the judgment in Österreichischer Rundfunk and Others, C 465/00, C 138/01 and C 139/01, EU:C:2003:294, paragraph 68; Google Spain and Google, C 131/12, EU:C:2014:317, paragraph 68; and Ryneš, C 212/13, EU:C:2014:2428, paragraph 29.

[4] See for instance the judgments in Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 47; Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 53; and Google Spain and Google, C‑131/12, EU:C:2014:317, paragraphs, 53, 66, 74.

[5] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

[6] http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf

[7] The standards for judicial oversight of secret surveillance measures are set forth in the ECtHR Grand Chamber decision of 4 Decembver 2015, Zakharov v. Russia, appl. no. 47143/06, http://hudoc.echr.coe.int/eng?i=001-15932

[8] as required by Article 26 sub 1 of Data Protection Directive 95/46.

[9] We refer to the letter dated 13 November 2015 of 34 privacy organisations to the US Department of Commerce and the European Commission: http://thepublicvoice.org/EU-US-NGO-letter-Safe-Harbor-11-15.pdf.

[10] Reference is made to article 3:305a sub 2 of the Dutch Civil Code.

Bekijk PDF