Score one for Facebook! Europe’s top court looks set to validate an opinion from one of its top advisors that personal data transfers from tech firms in the European Union to the US are “valid”.
Assuming the court backs up the non-binding opinion of Advocate General Henrik Saugmandsgaard Øe - and it usually does convert such advisements into formal rulings several months down the line - then it’s a big boost for cause of so-called Standard Contractual Clauses (SCC), the legal mechanism agreed to enable data transfer from EU to non-EU countries.
The opinion was issued in relation to a specific case relating to Facebook user data which is transferred from Ireland to the US where the information is then processed. In 2013, privacy activist Max Schrems complained to Irish data protection authorities that this was unsafe, a complaint that was rejected, but which found its way before the Court of Justice of the European Union (CJEU) after the Irish Data Protection Commissioner passed the buck and asked the court to decide if SCCs were valid.
According to the Advocate General, SCCs do provide:
a general mechanism applicable to transfers irrespective of the third country of destination and the level of protection guaranteed there.
That said, he did provide some encouragement for opponents of the controversial Privacy Shield data transfer arrangement between the EU and the US, noting concerns “ in the light of the right to respect for private life and the right to an effective remedy” and questioning how seriously the role of Ombudsperson - a critical component of the arrangement - is taken by the US authorities.
For his part, Schrems is taking some comfort from the opinion:
I am generally happy about the opinion of the Advocate General. The opinion is in line with our legal arguments. This is a total blow to the Irish DPC and Facebook as well as a very important step for users’ privacy. What is a problem is that the Advocate General is proposing a lower level or privacy protections for “national security” under the ECHR, not the EU’s Charter of Fundamental Rights.
He said the burden was now on the Irish Data Protection Commissioner to put a stop to Facebook’s sending of data to the US as the Advocate General’s opinion is partly based on the assumption that national regulators can take action to halt data flows if there’s a conflict with a third country’s law:
The Advocate General is now telling the Irish Data Protection Authority again to just do its job…The opinion makes clear that DPC has the solution to this case in her own hands: She can order Facebook to stop transfers tomorrow. Instead, she turned to the CJEU to invalidate the whole system. It’s like screaming for the European fire brigade, because you don’t know how to blow out a candle yourself.
He added that if the opinion is read in a certain way, the end result would be greater privacy levels for EU citizens and more burdens for US tech firms:
Everyone will still be able to have all necessary data flows with the US, like sending emails or booking a hotel in the US. Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws requires these companies to disclose data to the NSA. This is also an economic problem for the US, because foreign revenue will go elsewhere. It is really upon the United States to ensure baseline privacy protections for foreigners. Otherwise no one will trust US companies with their data.
Facebook meanwhile is keeping its powder dry, saying in a statement:
We are grateful for the advocate general’s opinion on these complex questions. Standard Contractual Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide. We look forward to the final decision from the CJEU.
Call it a score draw with a rematch to follow. It’s certainly not the end of the matter. Privacy Shield remains unfit for purpose and a PR-sop to keep the essential global data flows of the digital economy up and running. The CJEU doesn’t have to accept the Advocate General’s opinion, but it would be startling in the extreme if it doesn’t.
On one point at least Schrems is completely correct - it’s down to national data protection authorities to step up to the mark and do their jobs when it comes to protecting their citizens rights. Ireland kicked the can down the road to get out having to make a tough decision. Cynics might point to all the inward investment that the country’s picked up from US tech firms over the years as a possible factor here. I’ll leave others to reach their own conclusions on that.
But if I’ve one hope for 2020 when it comes to data privacy battles it’s that the problem is tackled properly at last. Privacy Shield was born out of desperation and panic. It’s time to sit down and get a robust, tenable framework in place that protects individual rights, but - all importantly - facilitates and empowers a booming digital economy.