Europe’s top court has finally stuck a pin in the controversial Privacy Shield transatlantic data sharing mechanism, striking down the arrangement under which firms transfer personal data between the European Union and the US - and the ruling cannot be appealed.
In a long-awaited decision, the Court of Justice of the European Union (CJEU) found that the US surveillance programmes able to reach data transferred under Privacy Shield certification “are not limited to what is strictly necessary”, and that “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.
In other words, Privacy Shield’s ‘guarantees’ are not enough to prevent personal data being accessed by US intelligence agencies and other public authorities. That means it does not offer sufficient legal protection under EU privacy law for EU-based companies to transfer personal data to the US without legal risk.
The court also found that the US side of the agreement is not policed rigorously enough. The Ombudsman mechanism set up to handle complaints does not give EU citizens a remedy equivalent to the one they would have under EU law, and its independence from the US executive is called into question. The Ombudsman role itself was only filled on a full-time basis last year, three years late, which is indicative of how seriously its function was taken on the US side.
But the CJEU did not come down against Standard Contractual Clauses (SCCs), holding that they remain a valid basis for transferring personal data from the EU to a third country, so long as the destination country “ensures an adequate level of data protection.” That shifts the burden onto the company exporting the data, which must assess the destination country’s legal regime and add supplementary safeguards where that regime falls short, and onto the national Data Protection Authorities (DPAs), which must suspend or prohibit transfers under SCCs if they determine that the recipient country does not provide sufficient privacy protection and that it cannot be ensured by other means.
This has immediate implications for Ireland, since today’s ruling arises from a court case - C-311/18 Facebook Ireland and Schrems - brought when privacy activist Max Schrems challenged Facebook’s use of SCCs to transfer his data to the US for processing.
The Irish authorities passed the buck until the case was referred to the CJEU, which then brought down the whole house of cards. Schrems said today that the Irish Data Protection Commissioner had brought the decision on herself:
The Court is not only telling the Irish DPC to do its job after seven years of inaction, but also telling all European DPAs that they have a duty to take action and cannot just look the other way. This is a fundamental shift going far beyond EU-US data transfers….In cases such as Facebook, where they don't take action, the DPC had the solution to this case in her own hands all along. She could have ordered Facebook to stop transfers years ago….It’s like screaming for the European fire brigade, because you don’t feel like blowing out a candle yourself.
How did it come to this?
Privacy Shield was the hastily cobbled-together replacement for the Safe Harbor data transfer arrangement, which was itself struck down by the CJEU in 2015. While the demise of Safe Harbor had long been expected and the need for a more robust mechanism acknowledged, EU and US authorities put off the necessary groundwork through a combination of grandstanding and indifference in varying measures.
So when Safe Harbor was struck down, there was an unseemly rush to throw together something that could be presented as a viable way of keeping data flowing across the Atlantic. But from day one there was great unhappiness about how robust Privacy Shield really was, not least among the EU’s own data protection authorities and officials.
Meanwhile the US administration under President Donald Trump placed no priority on meeting its obligations under the terms of the agreement, leading to much Euro-bluster and threats of walking away, threats that were inevitably never followed through on. There was too much at stake for anyone to admit that the Emperor was stark naked!
Where to now?
So what happens next? The decision on the validity of SCCs provides some breathing space. There isn’t about to be a sudden termination of data flows across the Pond. As Schrems noted:
The Court explicitly highlighted that the invalidation of the Privacy Shield will not create a 'legal vacuum' as crucially necessary data flows can be still undertaken. The US is now simply put back to an average country with no special access to EU data.
Looking further ahead, assuming that work on a better replacement gets started, there will need to be some movement on both sides. For its part, the EU seems ready to start again, with Justice Commissioner Didier Reynders stating last week:
We don’t have one plan, but we have some ideas about the different ways to give an answer, following the scope of the decision of the court.
But change will be needed most of all in Washington. Global tech policy activist organization Access Now, a long-time critic of Privacy Shield, has a three-point plan for the legislative changes it considers necessary:
- The US must adopt a comprehensive privacy and data protection framework that puts users at the center and provides meaningful avenues for redress and oversight.
- Non-US persons, including Europeans, must be granted a greater right to redress in cases of rights violations due to unlawful data processing in the US or by US authorities.
- The US must significantly reform its surveillance practices and take actions to protect the human rights of all people, no matter where they are from.
Eric Null, US Policy Manager at Access Now, says:
Unless the US passes meaningful, strong, and comprehensive privacy legislation and curtails the government’s surveillance authorities, we’ll just be here again in a few years.
Schrems’ own view tallies with that assessment:
The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.
Both men are perfectly correct. But whether that message gets heard in the right places in Washington, in an election year and in the middle of a pandemic, and is taken on board by an administration that actively promotes the fake news that the EU was set up to undermine the US, is another matter entirely. What action the good and the great of Silicon Valley will take to change that remains to be seen.
At diginomica, we’ve been ferocious critics of Privacy Shield from the very start. Even so, today’s ruling gives us no pleasure as the stakes are too high here. The global digital economy depends on the free flow of data and with a post-pandemic recession on the horizon, we don’t need any more complications, least of all self-inflicted ones, putting hundreds of billions of dollars/euros/pounds at risk.
Sadly there’s little reason to assume that the current US administration will give priority to addressing this issue. It would mean, as Schrems and Access Now note, changes in US surveillance and intelligence gathering practices at a time when Trump is ramping up the ‘law and order’ rhetoric to support his own re-election chances. Being seen to put constraints on the NSA and others - especially to play more nicely with the Europeans - wouldn’t play well to the home crowd in Fox News-land.
This morning’s decision brings a welcome conclusion to part of this sorry saga, but it’s far from the end of the story. As ever, diginomica will be tracking developments closely and updating our analysis.