As Expected, EU Court Of Justice To Review If Internet Company's Privacy Practices Are Acceptable
from the here-we-go dept
The European Court of Justice is going to look into the acceptability of US internet companies’ privacy practices under the so-called “Privacy Shield” framework that was put in place last year. As you may recall, for years, the EU and the US had a “safe harbor” agreement, under which tech companies underwent a fairly silly and almost entirely pointless process (I know, because we did it ourselves…) by which the companies effectively promised to live up to the EU’s data protection rules, in order to move data from servers in the EU across the Atlantic to the US. It is important that companies be allowed to do this, because without it, the internet doesn’t function all that well. But, because of NSA snooping, it became clear that what companies were promising couldn’t match what was actually happening. And thus, the EU Court of Justice tossed out the framework, saying that it violated EU data protection rules.
After a bit of a scramble, the EU and the US came to an agreement on another framework, called the “Privacy Shield,” that both argued was acceptable. It required US companies to do better in handling Europeans’ data, to make sure EU residents had redress over data protection, and included some transparency requirements regarding US government access to the data. However, as we noted at the time, unless the US was drastically changing how the NSA did surveillance, it seemed nearly impossible for the Privacy Shield to be valid under EU law. And, indeed, Max Schrems, the guy whose lawsuit brought down the original “safe harbor,” quickly challenged the Privacy Shield in an Irish court. Over the past few months, we’ve pointed out that some of Trump’s statements on surveillance made it clear that the Privacy Shield was not likely to survive.
Earlier this week, the Irish court asked the European Court of Justice to review. The ruling is long (over 150 pages) and pretty detailed. The court clearly recognizes how important this issue is:
The case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond. Firstly, it is relevant to the data protection rights of millions of residents of the European Union. Secondly, it has implications for billions of euros worth of trade between the EU and the US and, potentially, the EU and other non-EU countries. It also has potentially extremely significant implications for the safety and security of residents within the European Union. There is considerable interest in the outcome of these proceedings by any parties having a very real interest in the issues at stake.
The court hasn’t yet officially asked the CJEU to weigh in, but rather has said that it will — but first it wants the parties involved in the case to more or less argue about what exactly should be the questions submitted to the CJEU.
Most of the ruling itself is basically around whether or not there’s anything to discuss here at all. Facebook — the service whose privacy practices are at issue in this particular case — tried to argue that because surveillance issues are “national security” and there’s a carve-out for national security, there’s no issue with the Privacy Shield. But the court doesn’t buy that. First, it says that the issue under scrutiny is about the relationship between the EU and its member states (and how the data protection rules work) rather than a question about “national security” in the US. Similarly, it points to the original Schrems ruling that got the old safe harbor tossed out and notes that no one had a problem with saying the law applied in that case:
The submission is inconsistent with the ruling of the High Court in Schrems v. The Data Protection Commissioner  3 I.R. 75 and the CJEU in Schrems where the court proceeded on the basis that it had jurisdiction to rule on the reference. If Facebook's submission in this case is correct, it did not have jurisdiction so to proceed. Eight Member States, the European Parliament, the European Commission and the European Data Protection Supervisor intervened in those proceedings. If Facebook's point was well made, it is remarkable that none of these participants raised this fundamental matter of jurisdiction.
So, there’s still time before the CJEU will sort this out, but we stand by our initial statement. Unless the US changes its NSA surveillance practices, it’s difficult to see how the Privacy Shield meets an end any different from that of the old privacy safe harbor. If the US doesn’t want to have the Privacy Shield rejected again, it might want to start by reforming surveillance — and it can do that right away by refusing to renew Section 702 of the FISA Amendments Act without significant reform and modifications.