Transatlantic data transfers once again in the dock
Karlin Lillington: ECJ highly unlikely to accept US claim of adequate protection of data
Privacy activist Max Schrems: Only the most myopic could argue the Trump administration has provided any ironclad assurances on protection for EU data. Photograph: Nick Bradshaw
A week from Thursday, the European Court of Justice (ECJ) will hand down a decision in a critical, Irish-originating case that could potentially upend – even immediately halt – the way in which European and US businesses currently handle transatlantic data transfers.
The case is a continuation of an already-groundbreaking privacy and data protection case taken by Austrian privacy activist Max Schrems against a former Irish data protection commissioner. Both cases have gone to the ECJ, and both involve Schrems’s complaint about the way in which Facebook handled his data when it was transferred to the US.
In the first case, Schrems argued that the existing transatlantic data transfer mechanism, an agreement called Safe Harbour, was inadequate, failing to offer the equal level of protection required for European data when transferred to other jurisdictions.
The ECJ largely sided with Schrems, in a major 2015 decision that invalidated Safe Harbour, shaped the then in-development General Data Protection Regulation (GDPR) and forced new EU/US data transfer negotiations (resulting in the replacement Privacy Shield agreement).
Facebook then argued that actually it wasn’t using Safe Harbour or Privacy Shield when doing transfers, but instead utilising an accepted equivalent mechanism called standard contractual clauses (SCCs). These are standardised private legal agreements drawn up directly between companies.
Schrems, and the privacy advocacy organisation he set up, None Of Your Business (NOYB), have argued the same concerns also apply to SCCs. Schrems challenged the validity of SCCs in a case the Data Protection Commission here asked to be referred to the ECJ, albeit in what privacy advocates here have seen as an unnecessarily complicated and expensive way, via the Commercial Court. Notably, the DPC had found that “standard contractual clauses provide insufficient protection to EU citizens”.
It is the ECJ’s judgment in this second, referred case – widely known as Schrems 2.0 – that will be delivered on Thursday.
An important aside here: Ireland has unfortunate form as the battleground for far-reaching critical data protection and privacy rights cases. The so-called Schrems 1 decision was in turn largely premised on another earlier groundbreaking case taken by Digital Rights Ireland against the State over its data retention policies (the gathering and storage of Irish citizens’ communications data). That case resulted in the ECJ invalidating the entire EU data retention directive in 2014, creating a legal hole still unaddressed in Irish legislation. We really don’t seem to learn.
For businesses, EU states and privacy advocates, it’s been a nailbiting time waiting for next Thursday’s decision. An advisory preliminary opinion issued in December from the court’s advocate general offered observers succour, or worry, depending on how it was parsed.
Disagreeing with the Irish DPC, the advocate general said he believed SCCs themselves were valid, but indicated that companies would need to determine whether the countries to which they sent data offered adequate protections. He also indicated that Privacy Shield’s validity should be considered separately. The court usually follows the advocate general’s opinion, but not always.
As companies and the European Commission accept, the court could invalidate SCCs, meaning companies would have to scramble over to using Privacy Shield. Or, the court could invalidate both SCCs and Privacy Shield in one go. Or, it could say SCCs are fine but not Privacy Shield. Or that both are fine. Or that SCCs are okay, or not okay, but Privacy Shield needs to be considered separately.
Many companies seem only to have read the “SCCs are okay” bit of the advocate general opinion, without really thinking about the consequences of the “companies need to determine the adequacy of the destination country” part. This will require companies to make difficult national data protection assessments, over which they might be taken to court.
But, as many have argued with Privacy Shield, how can anyone determine whether data is adequately protected given the secrecy and exemptions under which US surveillance agencies operate? A key element of Schrems’s original complaint – which the ECJ agreed with – was Schrems’s contention that Edward Snowden’s 2013 revelations about hidden US surveillance schemes such as Prism, which take in data from users of US-based internet and social media platforms, meant the US could not comply with EU data protection standards.
In the years since Schrems 1 and the subsequent arrival of Privacy Shield, the US was supposed to prove that it is offering that standard of protection for EU data. Only the most myopic could argue the Trump administration has provided any ironclad assurances.
That’s why the ECJ may well invalidate all forms of data transfer in a swoop on Thursday. Or, dump SCCs. Or Privacy Shield. Having been caught out by Schrems 1, the EU – and the big US multinationals – have been quietly preparing for such eventualities. The EU has been restructuring SCCs in its own version of “Here’s one we prepared earlier.”
Which may, or may not, be enough. The bottom line is, it’s very difficult to see the ECJ accepting US assertions on data protection adequacy. So get ready: anything could happen Thursday.