Over in Washington DC, Alex Greenstein turned up for work on Monday morning in his new role as Director, Privacy Shield at the US Department of Commerce; meanwhile over in Luxembourg, European data protection officials this week called for Privacy Shield to be dismantled. Timing is everything…
So is Greenstein looking at a short-term gig? Perhaps, but as with anything that relates to Europe’s data privacy relationship with the US, things are more complicated.
Yesterday, the European Court of Justice (CJEU) heard arguments in a case brought by Max Schrems, the Austrian privacy activist, the thrust of which was that Privacy Shield does not provide sufficient protection for European citizens when their data is transferred across the Atlantic.
This should come as no surprise to anyone. Privacy Shield was a hastily cobbled-together fudge between Europe and the US when the previous Safe Harbor arrangement collapsed after years of criticism. Both sides were well aware of the need to find a replacement, but both sides also wasted years on posturing and preening until the date passed when Safe Harbor no longer existed.
Something had to be done, Privacy Shield was something, so Privacy Shield was done. And as always when ‘something must be done, this is something’ is the main driver, the end result wasn’t properly thought through, was reactive in nature and essentially satisfied no-one, particularly Europe’s data protection authorities.
Add into the mix the fact that the Trump administration is openly keen on being able to access data from all over the world - the kind of thing that Privacy Shield is supposed to prevent - and apathy on the US side of the deal towards meeting its obligations has been the order of the day. Europe’s commissioners have huffed and puffed and threatened to pull the plug, but such threats have been (a) ignored and (b) backed down from.
A case in point has been the long-standing absence of a permanent Ombudsperson to be appointed in the US to safeguard citizens’ interests. This was a key requirement of the Privacy Shield arrangement, but with the Trump White House still unable to ratify hundreds of government positions, this wasn’t high up on anyone’s agenda. A choice was finally made in January in the form of Keith Krach, former CEO of DocuSign and founder of Ariba, so he has tech credentials. He’s also going to have a lot of other responsibilities as his title will be Undersecretary of State for Economic Growth, Energy, and the Environment. Krach passed his confirmation hearings last month.
Back in Luxembourg, Max Schrems’ legal representatives told the CJEU:
When data is transferred by Facebook to the US, the protection is weakened by US law. That is true with any transfer mechanisms, including the Privacy Shield. It’s systemic…This court should find that Privacy Shield is invalid.
For its part, the US government hit back at surveillance concerns, with Eileen Barrington SC claiming that policy had been “mischaracterised” and was not “mass, indiscriminate or generalised”. She argued:
The fundamental problem in our submission…is that it fails to take any adequate account of the national security context.
In practice, the hearing at the CJEU has ended up covering a lot of bases. Schrems originally complained to the Irish Data Protection Commissioner specifically in relation to Facebook’s use of Standard Contractual Clauses (SCC) to facilitate transatlantic data transfer.
Rather than make a decision, the DPC kicked it to the ECJ. (In the process a separate hearing on Privacy Shield itself, triggered by French privacy organization La Quadrature du Net, has been postponed until a judgement is made on the SCC concerns.)
Facebook’s legal counsel Paul Gallagher warned the CJEU that there would be negative consequences for the EU if SCCs are not allowed to continue:
Were SCCs to be invalidated, the effect on trade would be immense. If data transfers were prohibited, the effect on EU service imports into the US per annum would be a decrease of between 16% and 24%.
It’s that prospect that has created a situation where the Irish DPC’s call to invalidate SCCs has met with opposition from all sides, including Schrems himself, whose legal rep told the court:
The solution is not for the court to invalidate standard contractual clauses but for the Data Protection Commissioner to enforce them.
That was also the message from the European Commission itself, whose representative told the court:
What the [Irish] Data Protection Commissioner should have done is to make a decision as to whether or not the SCCs are adequate.
The CJEU’s Advocate General will issue non-binding recommendations on December 12th with a ruling likely in early 2020.
This is a battle that’s making for some strange bedfellows - and muddying the waters in the process. The Irish DPC’s position that it has no authority to prevent privacy violations without invalidating SCCs is one that’s got no support from ‘the usual suspects’ and sending this case to the CJEU has delayed the more focused Privacy Shield examination pursued by La Quadrature du Net. That said, the SCC ruling could be even more important as such clauses are used for data transfer facilitation all round the globe, not just between the EU and the US. As ever when it comes to EU-US data privacy regulations, the phrase ‘bugger’s muddle’ springs readily to mind. Something for Mr Greenstein to think about at any rate…