EU needs to start enforcing data protection laws properly

Schrems ruling: Subset of smaller groups in adtech industry may also be affected

After the European Court of Justice (CJEU) handed down another major judgement two weeks ago in the "Schrems 2.0" data protection case, discussion has focused primarily on its potential impact on the well-known companies that gather data and transfer it between the European Union and United States.

Top of the list is Facebook, the company at the centre of both of Max Schrems' Irish-originating complaints that have now produced decisive and far-reaching judgements from Europe's highest court.

But there’s a mostly-unseen, sub-universe of companies in the internet-pervasive adtech industry whose existing business model should lie in a smouldering heap after the Schrems ruling. And that’s a double-whammy for the whole structure of what author Shoshana Zuboff has called surveillance capitalism, a debilitating and surreptitious data harvesting structure that fuels the operations of so many companies.

All these pieces interlock. The CJEU ruling is a crowbar that starts to tear them apart.


Last week, I argued that the true sweep and enormous global impact of this latest decision has yet to be fully recognised.

Much response, especially in the US, still centres on the court’s invalidation of the Privacy Shield transatlantic data transfer agreement, and if and how private data transfer contracts between parties might suffice. But the judgement makes clear that most data transfers to the US are invalid as long as the US maintains its security laws allowing security and law enforcement access to data.

It's difficult to imagine the US, or the UK (soon to be in need of a post-Brexit EU data transfer agreement) modifying laws to ameliorate the pervasive surveillance programmes and policies revealed by Edward Snowden. Those disclosures, and the failure of the US to offer the greater transparency required in the EU, fundamentally shaped the judges' response in both Schrems cases.

Last week I noted that this decision doesn’t just invalidate a single treaty, but surveillance capitalism itself. And it does so, not just because companies are going to be stuck without any way to move most data to the US, where Silicon Valley remains the data-devouring centre of the internet universe. The decision also invalidates adtech.

Surveillance capitalism is underpinned by the value of our commoditised, collected, collated and analysed data, sold in marketing databases, gathered and shared internally by data giants across their own multiple-market platforms and properties, and externally to third parties. Your data, sifted and sorted into minute categories, is also traded in microsecond auctions between huge advertising entities in order to instantly serve you a specific targeted ad in the eyeblink between when a web page’s cookies know it’s you, and that page’s many parts congeal on the screen.

What appears to you as just another ad – maybe eerily related to something you might have searched for or purchased recently – is the fleeting end result of these vast adtech data-gathering and marketing machinations.

Transatlantic data transfers

And, as I noted last week, these juicy databases with infinite detail about you, are why surveillance capitalism is so closely coupled to state surveillance.

Many have argued the EU's General Data Protection Regulation should have put paid to much of how the conjoined adtech and online industries operate. It should have removed the data of 700 million EU residents from the machine, just as it should have removed our data from most transatlantic data transfers.

But it has taken two challenges by Schrems to have this asserted at CJEU level, even if companies continue to seek some other interpretation.

"The judgement affirms that the law is indeed the law, whatever inconvenience this may cause businesses that have not taken account of it so far. If the law is indeed the law, then many other things follow – one of which is that most of surveillance adtech is unlawful," says Johnny Ryan, chief policy officer at Brave, a company that offers a privacy-focused web browser.

Deep-pocketed multinationals

The problem is a lack of any decisive action on these central issues by EU national data protection authorities (DPAs), although the Schrems decision, resulting from a referral request to the CJEU by Ireland’s Data Protection Commission, can be seen as one, drawn-out, first step. Meanwhile, Ryan’s formal complaints last year to both Irish and UK DPAs about Google’s lucrative and far-reaching adtech operations have yet to be addressed.

“There is a strange disparity,” he says. “We have a confident European Court of Justice that repeatedly asserts the fundamentals of data protection law. But we also have national enforcers across the EU that lack the confidence to enforce the law, particularly against big tech companies.”

Which suggests that we probably have further long, privacy-debilitating waits before national DPAs use the powerful Schrems decisions.

Or the EU needs to centralise and accelerate these ultimately globally-significant actions involving multinationals to the larger EU stage, to a new or repurposed pan-EU DPA entity, and leave nationals DPAs to deal with domestic data protection issues, not powerful, deep-pocketed, well-lawyered multinationals.

On all evidence so far, the latter option would serve the GDPR, and EU citizens, better.