How an Austrian student sent the tech sector into a tailspin
Can a team of 42 really be expected to police Europe’s data privacy?
Max Schrems: The European Court of Justice ruling followed legal action brought by the Austrian privacy campaigner over whether his Facebook data was subject to NSA surveillance. Photograph: Julien Warnand/EPA
The legal minefield of data privacy returned to the Irish courts this week, putting Ireland and its regulatory authorities at the forefront of what has become a momentous legal row, with implications for technology giants and global trade.
It’s hardly surprising, given the scope of this issue, that Ireland’s Data Protection Commissioner is facing a major headache when it comes to implementing this month’s European Court of Justice ruling on data protection. Can it really be expected to police Europe’s data privacy from its head office in Portarlington?
Leading EU privacy figures say that the scale of US surveillance of EU citizens’ data could force the regulator to halt all transatlantic data transfers from Dublin – not just those via the Safe Harbour arrangement, ruled invalid by the European Court of Justice.
Europe’s highest court issued two overlapping but separate rulings this month, with massive ramifications for transatlantic relations, global trade and, in particular, technology companies based in Ireland.
First, the European Court of Justice issued its second privacy slap-down in a year to the European Commission, dismissing as a dead letter the 15-year-old Safe Harbour agreement.
That instrument allowed US companies to export EU citizens’ data to the US on the mere promise that they would be stored there with adequate privacy standards. The European Court of Justice said this meant a level of protection of fundamental rights and freedoms “essentially equivalent to that guaranteed within the European Union”.
With zero EU oversight, and Edward Snowden’s claims that the US National Security Agency viewed EU citizen data as an all-you-can-eat intelligence buffet, judges said Safe Harbour breached EU citizens’ fundamental rights to privacy and protection of personal data.
The case was a referral from the Irish High Court following judicial review. It originated in a complaint by Austrian privacy campaigner Max Schrems, asking Ireland’s Data Protection Commissioner to investigate if his Facebook data was subject to NSA surveillance.
In its answer to the High Court, the Luxembourg court effectively ordered the commissioner to reverse its original refusal and examine the Schrems complaint.
Following the ruling, the commissioner pulled down the shutters this week and refused interview requests, a pattern repeated at data protection authorities across Europe.
Their initial reticence was understandable because the European Court of Justice had effectively instructed the commissioner and other regulators that along with regulating tech giants such as Facebook and LinkedIn, they have another organisation to police: the European Commission.
But following a meeting last Thursday, the Article 29 Working Party – the group of all EU member states’ data protection authorities – stated baldly that data transfers still taking place to the US under the Safe Harbour decision after the ruling are “unlawful”.
The body, which includes the European Commission and the European Data Protection Supervisor in its membership, said it insisted on “the shared responsibilities between data protection authorities, EU institutions, member states and businesses to find sustainable solutions to implement the court’s judgment”.
Businesses, it said, should reflect on the risks they take when transferring data and “should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis [the accumulated legislation that constitutes EU law]”.
Facebook, which wasn’t party to the original proceedings in the Schrems case, asked on Tuesday to be allowed to join them.
The company said it believed it was critical that it join the proceedings “so that we can provide accurate information about our procedures and processes, as well as to correct inaccuracies that already exist”.
One year into the job, Ireland’s commissioner Helen Dixon has seen her office’s budget more than double to about €4.7 million. She has recruited two solicitors, a barrister, a security technologist, an ICT expert, audit and communications specialists as well as policy and administrative staff now based at a new Dublin office. She has a total staff of 42.
But those additional resources may now dwindle into insignificance given the looming challenge, and growing expectations around Europe. And given the prominence of the Facebook case, one could be forgiven for thinking the commissioner is only responsible for regulating the social media giant and other multinationals.
Dixon is charged with regulating all data controllers, including one of the largest, the State itself, with its ever-mushrooming number of databases of citizens’ personal information. Following another significant ruling this month, she may also face having to open investigations into the activities of data controllers who subsequently turn out to be established in another member state.
The commissioner opens about 1,000 complaints a year from “data subjects” – citizens who feel their rights have been breached – and deals with about 13,000 email queries a year.
In 2014, the office carried out nearly 40 audits of organisations including the Citizens Information Board, a slimming company, a large college, a motor tax office, the Irish Farmers’ Association, a park-by-text company and the National Gallery.
Dixon has signalled plans to scrutinise the insurance sector and other financial institutions who use private investigators, and her office has also targeted apps and websites for compliance.
Her office said last week the implementation of the forthcoming General Data Protection Regulation will require additional resources for all data protection authorities in Europe, and she welcomed the Government’s commitment to keep staffing levels under review.
But for now, Tuesday’s High Court hearing has bounced Safe Harbour back to the top of her agenda.
“I expect the Irish DPC to look at this [Schrems] ruling, compare it to EU data protection law, and come to the conclusion that things cannot continue as they have done,” said Konstantin von Notz, data protection spokesman for Germany’s Green Party.
The White House wasted no time in making its concerns felt following the European Court of Justice judgment.
“There is concern about the economic consequences of this particular ruling,” said Josh Earnest, White House spokesman in Washington.
In Brussels, privacy lobbyists hit back at US attempts to blame Europe for possible economic fallout. For them, blame for the risks and costs of this ruling lies with the US, for abusing a data-transfer privilege extended to them by the EU.
“US tech giants, in particular the cloud industry, have already said they are suffering from the domestic mass surveillance, so no one in the US should be surprised,” said Joe McNamee, chief executive of the Brussels-based European Digital Rights lobby group.
Facebook insisted this week that the ruling did not affect its other data flows to the US alongside Safe Harbour.
The EU’s 1995 data protection directive lists half-a-dozen other legal channels for data transfers, from user consent to contractual options.
“But if Safe Harbour wasn’t safe because of indiscriminate surveillance, why would other methods be safe all things being equal?” asked McNamee.
As the Schrems ruling returned to the High Court, there was considerable sympathy among leading EU data figures for the difficult task now facing Dixon.
“If I were her,” said one figure, who asked not to be named, “I would say that, if Safe Harbour data transfers are not permitted, then nothing is permitted. Hot-potato the issue onto politicians for a solution. Time is of the essence.”