Schrems II will seriously stress test EU’s data privacy rules
Net Results: US has made wrong assumptions about European data protection laws
Austrian lawyer and privacy activist Max Schrems. The case before the Court of Justice of the European Union focuses on data transfer template agreements, known as standard contractual clauses (SCCs). Photograph: Joe Klamar/AFP/Getty Images
At long last, a critical Irish data privacy case this week wended its somewhat tortuous and costly way to the Court of Justice of the European Union (CJEU) in Luxembourg.
Justices heard arguments in a full-day hearing on Tuesday in the so-called Schrems II case, which questions whether data transfer template agreements, called standard contractual clauses (SCCs), adequately meet Europe’s data protection laws.
If CJEU justices believe they don’t, there’s every possibility the court could halt data flows from Europe to the US, and also between the EU and the UK if Britain finally brexits.
Unimaginable? Blame the lack of imagination on the US (government, agencies and companies), which has for years ignored the letter of European data protection law and data transfer framework Safe Harbour, on the assumption that, first, they didn’t really mean what they purported to say and could be flexibly interpreted, and second, that the EU never really enforced them anyway (which, in fairness, seems to be the case).
And then there was that third assumption laid bare by those awkward Snowden revelations: that EU protections didn’t apply to national security agencies conducting mass surveillance by indiscriminately sweeping up data from technology and social media companies.
Along came a young Austrian lawyer and campaigner, Max Schrems, with a complaint to the Irish Data Protection Commissioner (DPC). He asked whether his Facebook data could be adequately safeguarded, given Edward Snowden’s disclosures.
The CJEU, in its first Schrems decision in 2015, thought not. This shocked, but only because the majority of vested interests hadn’t been paying attention. In another Irish-originating case brought by Digital Rights Ireland, the same court had already found in 2014 that EU states couldn’t just grab data and hang on to it for random periods, for no explicit purpose, just in case it might be useful someday.
Schrems I invalidated Safe Harbour, and a new arrangement was needed. So we got the problematical Privacy Shield, which has not yet been tried in the CJEU’s crucible – though that, too, lies ahead, in a complementary case brought by three French data privacy groups.
Meanwhile, after the conclusion of the first Schrems case, the DPC disclosed that Facebook actually used SCCs as a bespoke data protection equivalent to Privacy Shield. Schrems filed another complaint, this time focusing on whether these contract clauses could be adequately enforced.
The DPC sought to get this referred to the CJEU. In doing so, the office decided on an approach that still baffles privacy specialists and lawyers: bringing the case to the commercial court, where cases can run up costs of about €1 million a week (a hefty bill for Irish taxpayers, when these observers feel other courts or possibly a direct referral should have worked); and making Max Schrems the defendant, alongside Facebook, in his own complaint, leaving him potentially exposed to those costs.
This sets an alarming precedent: if a complainant could be made a defendant, anyone filing a complaint with the Irish DPC – the regulator for just about every significant data-ingesting multinational – could risk liability for costs. Eventually, Schrems was indemnified against costs, but the DPC’s office has yet to justify a route that has introduced a financial chilling effect on anyone considering privacy complaints.
In the end, the CJEU referral was forthcoming, despite an Irish Supreme Court appeal by Facebook.
At Tuesday’s hearing, however, some participants questioned why the referral was made in the first place by a DPC who, they argued, could have taken a decision herself.
But, given ongoing uncertainty about the solidity of Privacy Shield or SCCs, the newness of the GDPR, and lack of procedural clarity, a referral in this important case was possibly a better route, as Castlebridge privacy consultant Daragh O Brien argued in a blog post.
These cases show how important an arbiter on privacy and human rights the European court has become. Its opinion in Schrems I helped shape Privacy Shield and the final drafts of the General Data Protection Regulation (GDPR). Schrems II will, in its turn, measure the intent and fitness of each.
That’s surely why justices took the French Privacy Shield hearing off the immediate agenda until the Schrems II decision clears away some of the legal fog.
As for the US, does it now take EU privacy seriously? Good question. This week, US state and business lawyers, including Facebook’s, still presented the usual circular argument that business shouldn’t be impeded by anti-surveillance privacy protections, because . . . they will impede business. As if the problem were the privacy safeguards, rather than the surveillance.
And though we’ve had Privacy Shield in place for 3½ years, only in June did the US finally fill the agreement’s critical ombudsman role to handle European complaints.