The fate of the so-called Privacy Shield may have come one step closer to being sealed with the decision today to refer transatlantic data transfer practices to the same European Union court that shut down its predecessor, Safe Harbor.
What’s triggered the latest development is the ongoing complaint from Austrian law student and privacy activist Max Schrems about Facebook's handling of his data in the United States. He made his complaint in Dublin, where it was taken up the Irish Data Protection Commissioner Helen Dixon. (Facebook’s European HQ is in Ireland).
Irish High Court Judge Caroline Costello ruled on Tuesday that the Commissioner had raised:
well-founded concerns that there is an absence of an effective remedy in US law compatible with the requirements of Article 47 of the Charter (of Fundamental Rights).
As a result, she said she had decided to ask the European Union Court of Justice (CJEU) for a preliminary ruling in the case:
European Union law guarantees a high level of protection to EU citizens...they are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area.
While the Schrems case specifically cites Facebook, the stakes are considerably higher for the entire US cloud and internet industry. Privacy Shield was hastily cobbled together as a fudge by the EU and US authorities after Safe Harbor was struck down by the CJEU two years ago.
But the self-styled Shield has been heavily criticised as little more than lipstick on a pig by legal and privacy experts, as well as by the European Commission’s own data protection working party.
One major point of concern is that an Ombudsman who was supposed to be put in place by the US government to safeguard non-US complainants interests, has not been appointed - and there’s no sign that the Trump administrations intends to make this a priority.
Justice Costello made clear reference to the role of an independent Ombudsman in her ruling, noting that EU citizens have a right guaranteed by the Charter of Fundamental Rights of the European Union to an effective remedy before an independent tribunal if their rights or freedoms are violated or compromised.
Facebook said in a statement that there’s no reason for users to be concerned:
Standard Contract Clauses (SCCs) provide critical safeguards to ensure that Europeans' data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.
In fact, it’s the use of SCCs that forms a large part of Schrems complaint as he argues that they provide no redress in the event of US intelligence agencies seeking access to data. For her part, Justice Costello stated:
Only a decision of CJEU can resolve the potential for inconsistent applications of the directive which will arise if the validity of transfers of personal data outside the EEA pursuant to the SCC decisions depends on the exercise by individual national supervisory authorities of their independent discretion in individual cases.
The Irish Data Protection Commissioner’s Office welcomed Costello’s decision, but noted:
It is important to note that today's decision does not invalidate the SCCs (nor the Privacy Shield); neither does it prohibit their continued use for the purpose of data transfers to the US or elsewhere. Rather, it invites the CJEU to consider whether, under EU law, SCCs in their present form can and should be retained as a basis for the transfer of personal data from the EU to the US.
Nonetheless, if the CJEU sides with Schrems, it’s increasingly likely that Privacy Shield’s days will be numbered. Justice Costello made a point of saying that Privacy Shield did not provide a reason for her not to refer the case to the CJEU:
Neither the introduction of the Privacy Shield Ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well-founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal date is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States.
Nicky Stewart, Commercial Director at UK cloud services firm UKCloud, said that the continuation for now of both SCCs as a mechanism and Privacy Shield itself will mean nothing changes for the likes of Facebook in the short term, but questioned the longer term implications, particularly in the current US political climate:
US companies could conceivably flip-flop between the mechanisms until such time as the underlying privacy issues which blight both - despite Privacy Shield “passing” its first annual review - have political and legal resolution. Huge amounts of time, money and effort will continue to be expended.
Many will already be second guessing the outcome of the CJEU’s deliberations given that Safe Harbor’s demise was predicated on indiscriminate mass surveillance by the US. It's hard to see what has changed in the meantime, and all the indicators are that the US is toughening its position in this respect.
Costello will hear submissions at a later date on specific questions to be put to the CJEU. For its part, Facebook argued:
It is essential that the CJEU now considers the extensive evidence demonstrating the robust protections in place under standard contractual clauses and US law before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.
As for Schrems himself, this is a mixed victory. He’d originally pushed for the Irish court to make a ruling itself rather than push up to the CJEU. But Costello stated that it was not the function of her court to pronounce on the relative merits of the laws of the US and the EU.
That said, Schrems says he is happy with the referral to the CJEU:
I welcome the judgement by the Irish High Court. It is important that a neutral court outside of the US has summarised the facts on US surveillance in a judgement, after diving through more than 45,000 pages of documents in a five-week hearing.
Last month I said that European Commission officials en route for Washington to spout platitudes about Privacy Shield should pop into Duty Free on route for more lipstick to smear on the pig. I hope they didn’t waste their money. Let’s just get a big frying pan - it’s nearly bacon time!!!!