Blockbuster Schrems decision to impact nearly every business

Court in effect ruled that personal data is not, as US companies generally view it, an asset

 

Thursday’s European Court of Justice (CJEU) decision on the second case brought by Austrian privacy activist Max Schrems was always going to be huge. The only question was the degree of enormity.

This morning, the justices gave a blockbuster opinion that will impact nearly every business, small to large.

At the heart of this decision lie Edward Snowden’s 2013 disclosures about secretive US surveillance agency programmes that access user data from a roster of huge US social media and internet companies.

Disclosures

Those disclosures in turn structured the important CJEU Digital Rights Ireland decision in 2014, which invalidated the EU’s Data Retention Directive and set out required protections for data gathered by state authorities.

That decision then shaped the CJEU’s first ‘Schrems 1’ ruling in 2015, that Schrems’ Facebook data was not given adequate protection under the former Safe Harbour EU/US data transfer agreement.

Both of those decisions were incorporated into the the EU’s 2018 General Data Protection Regulation (GDPR), under which all EU data must be given EU-equivalent safeguards when transferred to the US.

The European Commission and the US government argued that Safe Harbour’s replacement, the 2016 Privacy Shield data transfer agreement, offered such protections.

But as the CJEU ruled today, given the continued existence of those surveillance programmes and the lack of adequate redress for Europeans in the US, Privacy Shield did not.

In effect, the court ruled that personal data is not, as US companies generally view it, an asset to be monetised. Instead, it is our personal possession, with strong and specific human rights protections.

This does not mean data transfers must be halted, because the court also ruled that companies can use an alternative mechanism of private agreements, called Standard Contractual Clauses.

Decision

These are already widely used by large multinationals, and Facebook’s use of them was central to the original grounds for this case. But the decision means smaller businesses, which don’t have in-house legal teams to draft agreements, must also use them.

Some of that headache will be eased by the commission, which has been preparing SCC templates for general use.

However, all companies now must make their own determination as to whether other countries adequately protect data to EU standards.

This potentially opens up significant legal liabilities, and immediately raises problems with all data transfers to the US. Sending data to Brexit UK, a country with equally secretive mass data-gathering state programmes, will also be in question.

Today’s decision places new work burdens on EU data protection authorities, tasked with determining the data protection adequacy of other states, and of individual SCCs.

In particular, this will increase the load of the Irish DPC office, given Ireland’s concentration of US data-gathering multinationals.

In the near term, many companies will likely shift to holding data in the EU. The big multinationals have been preparing for this eventuality for years – one reason for the explosion in data centres in Ireland.

But ultimately, this decision poses a shattering challenge to the data-centric business models of many companies, from social media platforms to advertising giants, which make their money by exploiting users’ personal data.

Business Today

Get the latest business news and commentarySIGN UP HERE
The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.