Here are my main observations on this week’s European Court of Justice ruling on Austrian law student Max Schrems’ case against the Irish Data Protection Commissioner (DPC).
The first is that the significance of this decision for business cannot be overestimated, or over-emphasised, and not for the decision on the core case itself. This was largely a matter of a useful clarification on complaint process, which helpfully strengthens the hand of DPCs across Europe.
The original case was about whether the DPC should have further investigated whether a user’s data – Schrems’ – on a social network – Facebook – were handled in compliance with EU data protection and privacy law, given Edward Snowden’s revelations about the US National Security Agency’s large-scale surveillance and data-gathering.
In question were existing so-called Safe Harbour principles for the safe handling of data. Those have been around for 15 years and mean a company transferring EU data to the US can go and tick some boxes on a website to say they are in compliance with EU data law.
I know from talking to plenty of insiders that, very likely, most of the 4,500 companies signed up for Safe Harbour would not be able to demonstrate any auditable proof that they actually comply.
Anyway: the Irish case was referred to the ECJ by a perceptive Irish High Court judge, Mr Justice Gerard Hogan, because he rightly believed the case needed scrutiny from the ECJ. Not over the process issue of whether Ireland’s DPC should have investigated further, but to nudge the ECJ towards determining whether it thought Safe Harbour itself was fit for purpose (critically, something the original case had not directly challenged).
Thus, the really important piece of Tuesday’s ruling is the macro-context for the – let’s be honest – micro-issue of whether a national data protection commissioner can go bang on the doors of a foreign government and ask for some explanations. Happily, we now know from the ruling that, yes, a commissioner can. But alas, any important finding by a DPC is likely to have to go back through the process of being considered by the ECJ, as the ruling also made clear.
The crux of the ruling – and why it is such a huge decision with far-reaching business and privacy implications – is the court’s damning commentary on Safe Harbour itself, which effectively deemed it invalid. In paragraph after paragraph of its three-page press summary and the lengthy full judgment, the court notes the dysfunctional lack of alignment between US and EU laws on data protection and privacy.
Three crucial points arise from this. First, that any new agreement between the EU and US must address all the ECJ’s detailed concerns or it will simply be challenged again down the line. Second, it would appear impossible to find any agreement without changing the foundation of current secretive US national security laws and processes, developed around the post-9/11 Patriot Act – very unlikely. And third, what about British agency GCHQ’s spying and bulk data collection? Surely this, too, violates EU law and must be addressed.
The only current way to comply with EU law, the judgment indicates, is to keep EU data within the EU. Whether those data can be safely managed within facilities run by US companies will not be determined until the US rules on an ongoing Microsoft case.
Microsoft stands in contempt of court right now for refusing to hand over to US authorities emails held in its Irish data centre. This case will surely go to the Supreme Court and will be an extremely important determination for the cloud business, and for any company or individual using data centre storage. If Microsoft loses, US multinationals will be left scrambling to somehow legally firewall off their EU-based data centres from US government reach.
A final observation is that this quite extraordinary ECJ, through a series of pivotal rulings in the past year or so, has done what officialdom in the EU has toothlessly failed to do for years: jolted the US government and businesses into taking seriously the EU’s stance on privacy.
So thank you, ECJ, for showing that EU privacy and data protection laws are – at last – not just nice thoughts on paper, but rights to be defended.