Bad News For 'Privacy Shield': As Expected, EU's Top Court Will Examine Legality Of Sending Personal Data To US
from the knock-on-effects-could-be-rather-serious dept
Last October, Techdirt wrote about an important decision by the Irish High Court in a case concerning data transfers from the EU to the US. The original complaint was brought by Max Schrems in the wake of revelations by Edward Snowden back in 2013 that the NSA had routine access to user information held by companies like Facebook. As the post explained, the judge found that there were important legal issues that could only be answered by the EU’s highest court, the Court of Justice of the European Union (CJEU). The High Court said that it intended to refer various questions to the CJEU, but has done so only now, as Schrems explains in an update on the case (pdf). He points out that the eleven questions sent to the CJEU (found at the end of the document embedded below) go further than considering general questions of law:
While I was of the view that the Irish Data Protection Authority could have decided over this case itself, I welcome that the issue will hopefully be dealt with once and forever by the Court of Justice. What is remarkable is that the High Court also included questions on the ‘Privacy Shield’, which has the potential for a full review of all EU-US data transfer instruments in this case.
That more or less guarantees that the CJEU will rule definitively on whether the Privacy Shield framework for transferring EU personal data to the US is legal under EU data protection law. And as Mike noted in his October post, it is hard to see the CJEU approving Privacy Shield, which does little to address the court’s earlier criticisms of the preceding US-EU agreement, the Safe Harbor framework, which the same court struck down in 2015. That would be a serious problem for companies like Facebook and Google, whose users’ data is routinely accessed by the NSA. As Schrems suggests:
In the long run the only reasonable solution is to cut back on mass surveillance laws. If there is no such political solution between the EU and the US, Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation.
In theory, a ruling that Facebook has broken EU privacy laws by allowing the NSA to access the personal data of EU citizens would not necessarily be an issue for other companies not involved in these surveillance programs. However, there is a cloud on the horizon even for them. As Schrems explains, data transfers from the EU to the US typically rely on contract law, in the form of “Standard Contractual Clauses” (SCCs), to lay down the legal framework. Schrems says he is fine with that approach, because the Irish Data Protection Commissioner (DPC) can use an “emergency clause”, built into the SCCs, to halt dodgy data sharing in cases like Facebook’s. However:
The Irish Data Protection Commissioner took the view that there is a larger, systematic issue concerning SCCs. The DPC took the view that, as the validity of the SCCs is at stake, the case should therefore be referred to the CJEU.
The danger with this decision to ask the CJEU to examine the validity of SCCs is that if it rules against them, it would affect every company using them, whether or not they were involved in NSA surveillance. Schrems has a theory as to why the DPC has taken this risky route:
I am of the view the Standard Contractual Clauses are perfectly valid, as they would allow the DPC to do its job and suspend individual problematic data flows, such as Facebook’s. It is still unclear to me why the DPC is taking the extreme position that the SCCs should be invalidated across the board, when a targeted solution is available. The only explanation that I have is that they want to shift the responsibility back to Luxembourg [where the CJEU sits] instead of deciding themselves.
Given the massive knock-on effects that the ruling could have on digital flows across the Atlantic, including political consequences, the Irish DPC’s desire to hand that responsibility to someone else is plausible. The CJEU is unlikely to feel intimidated in the same way, which means that US companies must now worry about the prospect of SCCs being struck down along with Privacy Shield.