Schrems II will seriously stress test EU’s data privacy rules

Net Results: US has made wrong assumptions about European data protection laws

Austrian lawyer and privacy activist Max Schrems. The case before the Court of Justice of the European Union focuses on data transfer template agreements, known as standard contractual clauses (SCCs). Photograph: Joe Klamar/AFP/Getty Images

Austrian lawyer and privacy activist Max Schrems. The case before the Court of Justice of the European Union focuses on data transfer template agreements, known as standard contractual clauses (SCCs). Photograph: Joe Klamar/AFP/Getty Images

 

At long last, a critical Irish data privacy case this week wended its somewhat tortuous and costly way to the Court of Justice of the European Union (CJEU) in Luxembourg.

Justices heard arguments in a full-day hearing on Tuesday in the so-called Schrems II case, which questions whether data transfer template agreements, called standard contractual clauses (SCCs), adequately meet Europe’s data protection laws.

If CJEU justices believe they don’t, there’s every possibility the court could halt data flows from Europe to the US, and also between the EU and the UK if Britain finally brexits.

Unimaginable? Blame the lack of imagination on the US (government, agencies and companies), which has for years ignored the letter of European data protection law and data transfer framework Safe Harbour, on the assumption that, first, they didn’t really mean what they purported to say and could be flexibly interpreted, and second, that the EU never really enforced them anyway (which, in fairness, seems to be the case).

And then there was that third assumption laid bare by those awkward Snowden revelations: that EU protections didn’t apply to national security agencies conducting mass surveillance by indiscriminately sweeping up data from technology and social media companies.

Along came a young Austrian lawyer and campaigner, Max Schrems, with a complaint to the Irish Data Protection Commissioner (DPC). He asked whether his Facebook data could be adequately safeguarded, given Edward Snowden’s disclosures.

Vested interests

The CJEU, in its first Schrems decision in 2015, thought not. This shocked, but only because the majority of vested interests hadn’t been paying attention. In another Irish-originating case brought by Digital Rights Ireland, the same court had already found in 2014 that EU states couldn’t just grab data and hang on to it for random periods, for no explicit purpose, just in case it might be useful someday.

Schrems I invalidated Safe Harbour, and a new arrangement was needed. So we got the problematical Privacy Shield, which has not yet been tried in the CJEU’s crucible – though that, too, lies ahead, in a complementary case brought by three French data privacy groups.

Meanwhile, after the conclusion of the first Schrems case, the DPC disclosed that Facebook actually used SCCs as a bespoke data protection equivalent to Privacy Shield. Schrems filed another complaint, this time focusing on whether these contract clauses could be adequately enforced.

The DPC sought to get this referred to the CJEU. In doing so, the office decided on an approach that still baffles privacy specialists and lawyers: bringing the case to the commercial court, where cases can run up costs of about €1 million a week (a hefty bill for Irish taxpayers, when these observers feel other courts or possibly a direct referral should have worked); and making Max Schrems the defendant, alongside Facebook, in his own complaint, leaving him potentially exposed to those costs.

Alarming precedent

This sets an alarming precedent: if a complainant could be made a defendant, anyone filing a complaint with the Irish DPC – the regulator for just about every significant data-ingesting multinational – could risk liability for costs. Eventually, Schrems was indemnified against costs, but the DPC’s office has yet to justify a route that has introduced a financial chilling effect on anyone considering privacy complaints.

In the end, the CJEU referral was forthcoming, despite an Irish Supreme Court appeal by Facebook.

At Tuesday’s hearing, however, some participants questioned why the referral was made in the first place by a DPC who, they argued, could have taken a decision herself.

But, given ongoing uncertainty about the solidity of Privacy Shield or SCCs, the newness of the GDPR, and lack of procedural clarity, a referral in this important case was possibly a better route, as Castlebridge privacy consultant Daragh O Brien argued in a blog post.

These cases show how important an arbiter on privacy and human rights the European court has become. Its opinion in Schrems I helped shape Privacy Shield and the final drafts of the General Data Protection Regulation (GDPR). Schrems II will, in its turn, measure the intent and fitness of each.

Legal fog

That’s surely why justices took the French Privacy Shield hearing off the immediate agenda until the Schrems II decision clears away some of the legal fog.

As for the US, does it now take EU privacy seriously? Good question. This week, US state and business lawyers, including Facebook’s, still presented the usual circular argument that business shouldn’t be impeded by anti-surveillance privacy protections, because . . . they will impede business. As if the problem were the privacy safeguards, rather than the surveillance.

And though we’ve had Privacy Shield in place for 3½ years, only in June did the US finally fill the agreement’s critical ombudsman role to handle European complaints.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.