Transatlantic data transfers once again in the dock

Karlin Lillington: ECJ highly unlikely to accept US claim of adequate protection of data

Privacy activist Max Schrems: Only the most myopic could argue the Trump administration has provided any ironclad assurances on protection for EU data. Photograph: Nick Bradshaw


A week from Thursday, the European Court of Justice (ECJ) will hand down a decision in a critical, Irish-originating case that could upend – or even immediately halt – the way in which European and US businesses currently handle transatlantic data transfers.

 The case is a continuation of an already-groundbreaking privacy and data protection case taken by Austrian privacy activist Max Schrems against a former Irish data protection commissioner. Both cases have gone to the ECJ, and both involve Schrems’s complaint about the way in which Facebook handled his data when it was transferred to the US.

 In the first case, Schrems argued that the existing transatlantic data transfer mechanism, an agreement called Safe Harbour, was inadequate, failing to offer the equal level of protection required for European data when transferred to other jurisdictions.

 The ECJ largely sided with Schrems, in a major 2015 decision that invalidated Safe Harbour, shaped the then in-development General Data Protection Regulation (GDPR) and forced new EU/US data transfer negotiations (resulting in the replacement Privacy Shield agreement).

 Facebook then argued that actually it wasn’t using Safe Harbour or Privacy Shield when doing transfers, but instead utilising an accepted equivalent mechanism called standard contractual clauses (SCCs). These are standardised private legal agreements drawn up directly between companies.

 Schrems, and the privacy advocacy organisation he set up, None Of Your Business (NOYB), have argued the same concerns also apply to SCCs. Schrems challenged the validity of SCCs in a case the Data Protection Commission here asked to be referred to the ECJ, albeit in what privacy advocates here have seen as an unnecessarily complicated and expensive way, via the Commercial Court. Notably, the DPC had found that “standard contractual clauses provide insufficient protection to EU citizens”.

 It is the ECJ’s judgment in this second, referred case – widely known as Schrems 2.0 – that will be delivered on Thursday.

Privacy battleground

An important aside here: Ireland has unfortunate form as the battleground for far-reaching critical data protection and privacy rights cases. The so-called Schrems 1 decision was in turn largely premised on another earlier groundbreaking case taken by Digital Rights Ireland against the State over its data retention policies (the gathering and storage of Irish citizens’ communications data). That case resulted in the ECJ invalidating the entire EU data retention directive in 2014, creating a legal hole still unaddressed in Irish legislation. We really don’t seem to learn.

 For businesses, EU states and privacy advocates, it’s been a nailbiting time waiting for next Thursday’s decision. An advisory preliminary opinion issued in December from the court’s advocate general offered observers succour, or worry, depending on how it was parsed.

 Disagreeing with the Irish DPC, the advocate general said he believed SCCs themselves were valid, but indicated that companies would need to determine whether the countries to which they sent data offered adequate protections. He also indicated that Privacy Shield’s validity should be considered separately. The court usually follows the advocate general’s opinion, but not always.

 As companies and the European Commission accept, the court could invalidate SCCs, meaning companies would have to scramble over to using Privacy Shield. Or, the court could invalidate both SCCs and Privacy Shield in one go. Or, it could say SCCs are fine but not Privacy Shield. Or that both are fine. Or that SCCs are okay, or not okay, but Privacy Shield needs to be considered separately.

‘Destination country’

Many companies seem only to have read the “SCCs are okay” bit of the advocate general opinion, without really thinking about the consequences of the “companies need to determine the adequacy of the destination country” part. This will require companies to make difficult national data protection assessments, over which they might be taken to court.

But, as many have argued with Privacy Shield, how can anyone determine whether data is adequately protected given the secrecy and exemptions under which US surveillance agencies operate? A key element of Schrems’s original complaint – which the ECJ agreed with – was his contention that Edward Snowden’s 2013 revelations about hidden US surveillance schemes such as Prism, which take in data from users of US-based internet and social media platforms, meant the US could not comply with EU data protection standards.

 In the years since Schrems 1 and the subsequent arrival of Privacy Shield, the US was supposed to prove that it is offering that standard of protection for EU data. Only the most myopic could argue the Trump administration has provided any ironclad assurances.

That’s why the ECJ may well invalidate all forms of data transfer in a swoop on Thursday. Or, dump SCCs. Or Privacy Shield. Having been caught out by Schrems 1, the EU – and the big US multinationals – have been quietly preparing for such eventualities. The EU has been restructuring SCCs in its own version of “Here’s one we prepared earlier.”

 Which may, or may not, be enough. The bottom line is, it’s very difficult to see the ECJ accepting US assertions on data protection adequacy. So get ready: anything could happen Thursday.
