Bad News For 'Privacy Shield': As Expected, EU's Top Court Will Examine Legality Of Sending Personal Data To US

from the knock-on-effects-could-be-rather-serious dept

Last October, Techdirt wrote about an important decision by the Irish High Court in a case concerning data transfers from the EU to the US. The original complaint was brought by Max Schrems in the wake of revelations by Edward Snowden back in 2013 that the NSA had routine access to user information held by companies like Facebook. As the post explained, the judge found that there were important legal issues that could only be answered by the EU’s highest court, the Court of Justice of the European Union (CJEU). The High Court said that it intended to refer various questions to the CJEU, but has done so only now, as Schrems explains in an update on the case (pdf). He points out that the eleven questions sent to the CJEU (found at the end of the document embedded below) go further than considering general questions of law:

While I was of the view that the Irish Data Protection Authority could have decided over this case itself, I welcome that the issue will hopefully be dealt with once and forever by the Court of Justice. What is remarkable is that the High Court also included questions on the ‘Privacy Shield’, which has the potential for a full review of all EU-US data transfer instruments in this case.

That more or less guarantees that the CJEU will rule definitively on whether the Privacy Shield framework for transferring EU personal data to the US is legal under EU data protection law. And as Mike noted in his October post, it is hard to see the CJEU approving Privacy Shield, which does little to address the court’s earlier criticisms of the preceding US-EU agreement, the Safe Harbor framework, which the same court struck down in 2015. That would be a serious problem for companies like Facebook and Google whose data is routinely accessed by the NSA. As Schrems suggests:

In the long run the only reasonable solution is to cut back on mass surveillance laws. If there is no such political solution between the EU and the US, Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation.

In theory, a ruling that Facebook has broken EU privacy laws by allowing the NSA to access the personal data of EU citizens would not necessarily be an issue for other companies not involved in these surveillance programs. However, there is a cloud on the horizon even for them. As Schrems explains, data transfers from the EU to the US typically use contract law in the form of “Standard Contractual Clauses” (SCCs) to lay down the legal framework. Schrems says he is fine with that approach, because the Irish Data Protection Commissioner (DPC) can use an “emergency clause”, built into SCCs, to halt dodgy data sharing in cases like Facebook. However:

The Irish Data Protection Commissioner took the view that there is a larger, systematic issue concerning SCCs. The DPC took the view that, as the validity of the SCCs is at stake, the case should therefore be referred to the CJEU.

The danger with this decision to ask the CJEU to examine the validity of SCCs is that if it rules against them, it would affect every company using them, whether or not they were involved in NSA surveillance. Schrems has a theory as to why the DPC has taken this risky route:

I am of the view the Standard Contractual Clauses are perfectly valid, as they would allow the DPC to do its job and suspend individual problematic data flows, such as Facebook’s. It is still unclear to me why the DPC is taking the extreme position that the SCCs should be invalidated across the board, when a targeted solution is available. The only explanation that I have is that they want to shift the responsibility back to Luxembourg [where the CJEU sits] instead of deciding themselves.

Given the massive knock-on effects that the ruling could have on digital flows across the Atlantic, including political consequences, the desire for the Irish DPC to give that responsibility to someone else is plausible. The CJEU is unlikely to feel intimidated in the same way, which means that US companies must now worry about the prospect of SCCs being struck down along with Privacy Shield.

Follow me @glynmoody on Twitter, and +glynmoody on Google+

Companies: facebook


Comments on “Bad News For 'Privacy Shield': As Expected, EU's Top Court Will Examine Legality Of Sending Personal Data To US”

Anonymous Coward says:

Cloudy outlook indeed

Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities

Thanks to the recently enacted CLOUD Act, this is harder than it seemed a year ago. Where before it might have been sufficient for Facebook to commit to having EU data stored on servers in the EU, the CLOUD Act purports to give US authorities the ability to reach into such servers if it can find a US-based Facebook entity that can access those servers. If CJEU demands a split, it will need to be a pretty stark split to escape the intrusions of the CLOUD Act.

Anonymous Coward says:

"whether or not they were involved in NSA surveillance"?

What does "whether or not they were involved in NSA surveillance" mean? Isn’t everyone "involved" in some way, with the only question being whether they know they’re involved?

If some company doesn’t help the NSA, we have plenty of documentation showing that the NSA (or GCHQ) will help themselves.
