nmann77 - stock.adobe.com
Businesses that transfer personal data of their customers from Europe to the US could face new difficulties following a decision pending in the European Court of Justice (ECJ).
The ECJ’s Advocate General, Henrik Saugmandsgaard Øe, is due to give an opinion on the legality of data transfers between the European Union (EU) and US at the European court tomorrow (19 December 2019).
Saugmandsgaard Øe is expected to recommend, at a minimum, adding new conditions to the standard contractual clauses (SCCs) widely used by tens of thousands of businesses to transfer data to the US and other countries.
Privacy Shield, the data protection agreement between the European Commission and the US which allows US companies to self-certify they are compliant with US law, is also in the firing line.
US surveillance ‘could be used against national interests of EU’
The decision is the latest round of a long-running legal challenge brought by Austrian lawyer Max Schrems against Facebook Ireland, who questions the legality of the social media company’s transfer of personal data of its European customers to the US.
Schrems argues that many large internet companies, including Facebook, have a duty to allow the US government to access data about European citizens on a mass scale for “foreign intelligence purposes” in a way that could be used against the national interests of the EU and breaches EU privacy laws.
“In simple terms, EU law requires privacy while US law requires mass surveillance. The question is, what happens when an EU company follows US rather than EU law?” Schrems said in a briefing document published on his website before the hearing.
The Irish High Court referred 11 questions over the legality of standard contractual clauses and the US-EU Privacy Shield to the ECJ following legal action by Irish data protection commissioner Helen Dixon, who has questioned the legality of SCCs in the light of US surveillance.
Ireland’s Data Protection Commission accused of unnecessary delays
Schrems argues that the referral to the European court is unnecessary and that Dixon already has the powers to order Facebook to suspend data transfers to the US. Facebook has also opposed the intervention by the ECJ, while the US government, also party to the case, argues that the US offers sufficient safeguards to meet EU privacy law.
Solicitor Gerald Rudden, who represents Schrems, said the Data Protection Commission (DPC) Ireland could have made a decision on the matter years ago rather than bring additional court action.
“My client asked for a targeted solution for companies that fall under mass surveillance laws. The DPC could have issued such a decision long ago. Instead, after seven years and two referrals to the European court, we still have no formal decision from the DPC,” he said.
Does the US give adequate protection to private data of EU citizens?
One of the key questions before the Advocate General and the ECJ is whether the US government provides adequate protection for the private data of European citizens from the arbitrary bulk collection and analysis by the US intelligence agencies.
Also at issue is whether European citizens have adequate rights of redress if they believe the US government has misused their private data under an ombudsman scheme introduced by the US government as part of the Privacy Shield agreement with the EU.
In June 2014, the Irish High Court found that Facebook Ireland transfers personal data on Facebook’s European customers to the US. The court found that Facebook’s data is capable of being accessed by the US National Security Agency (NSA) in the course of “mass and indiscriminate” surveillance of internet and social media traffic.
The European Court of Justice is expected to reach its own decision with a formal ruling within six months that could send the European Commission back to the drawing board with standard contractual clauses and Privacy Shield.
Large tech companies and other businesses that transfer data to the US will be severely affected if the court decides to strike out standard contractual clauses or rules that they cannot legally be used to transfer data between Europe and the US.
SCCs are used by more than 100,000 organisations as a mechanism to transfer data from the EU to the US and other countries under EU data protection law.
Anthony Lee, head of commercial law at city law firm Rosenblatt, said: “It’s frightening to even think about what businesses would do because most organisations rely on the standard contractual clauses. It would difficult for them to continue to operate.”
Privacy Shield at risk?
People who are familiar with the case suggest there is a chance that the Advocate General may find that the US-EU Privacy Shield agreement fails to adequately protect the privacy of European citizens from the US government’s bulk surveillance programmes.
If that opinion is upheld by the Court of Justice, it would mark the second occasion that Schrems has forced the EU to rewrite its data protection agreement with the US.
The first time was in 2015, when the ECJ struck down Safe Harbour, the predecessor agreement to Privacy Shield.
Then the court found that Safe Harbour was unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe, and therefore did not provide an adequate level of data protection.
However, Saugmandsgaard Øe has other less drastic options available. They include issuing a framework governing how SCCs should be used in practice.
Issuing a framework could ultimately put the onus back on the Irish Data Protection Commission to decide whether to take enforcement action against Facebook over its use of SCCs.
Advocate General and Court of Justice expected to take differing views
The European Court of Justice normally follows the opinion of the Advocate General when it comes to making a final ruling.
This case is unusual, however, according to people familiar with the proceedings, because there are signs that the Saugmandsgaard Øe and the court are leaning in different directions.
During oral submissions in July 2019, the judge presiding over the final decision appeared to take the view that the court could not rule on standard contractual clauses without also ruling on the validity of Privacy Shield and was more critical of US law. The Advocate General appeared to take a more pragmatic approach.
Speaking before the Advocate General’s opinion, Schrems said he expected the court’s final judgment may provide stricter privacy controls than tomorrow’s opinion.
“This case has 11 interconnected questions. It is very unlikely that we will get a single, clear ‘yes’ or ‘no’ answer from the Advocate General. Given the many options, it is even less likely that the judges will approach these 11 questions in the same way in their final judgment,” he said.
Privacy Shield under fire in second legal action
Privacy Shield faces a separate legal challenge from the French online privacy and anti-censorship group, La Quadrature Du Net (LQDN) and others, in the General Court of the EU, a lower court than the Court of Justice.
They argue that Privacy Shield breaches the fundamental rights to privacy under the Charter of Fundamental Rights of the European Union, that Privacy Shield fails to assure European citizens effective remedies against misuse of their data in the US, and that it does not offer equivalent protection to EU data laws.
The General Court of the EU was due to make a decision on LQDN in July, but has postponed the hearing until after the Max Schrems case tomorrow.
In other words, the Court of Justice finding in Schrems’ case is likely to have a knock-on effect on the LQDN case in the General Court.
People familiar with the case suggest that the Advocate General is unlikely to strike down SCCs, but is likely to introduce a framework that will impose tougher tests on how they can be used.
Possibilities include, at the most extreme, restricting the use of SCCs between Europe and the US but permitting their use to transfer data to other countries. Another possible outcome will be restricting companies that are involved in the US Prism surveillance program, which include Facebook, from using SCCs to transfer data to the US.
Facebook claims exemption from GDPR
Whether such a move would have any impact on Facebook is a moot point. The standard contractual clauses will need to be updated soon to make them compatible with the General Data Protection Regulation (GDPR) which became law in May 2018.
In November 2019, Facebook told a court in Vienna that it did not need consent from users of Facebook under GDPR to collect and process their data.
It claimed that under terms and conditions introduced in May 2018 it had an “advertising contract” with its customers to supply them with “personal advertising”, and was therefore exempt from GDPR.
Data protection commissioner faces difficult politics in Ireland
One likely outcome is that the European Court of Justice will deliver new guidelines on standard contractual clauses and bat them back to the Irish data protection commissioner, Helen Dixon, to enforce.
If that is the case, Dixon will need to negotiate some tricky politics.
Facebook is an important employer in Dublin and has garnered support from successive Irish prime ministers, including Enda Kenny, who used Ireland’s presidency of the EU to lobby on Facebook’s behalf, according to a leaked Facebook memo.
The Data Protection Commission Ireland is the sole agency responsible for regulating Facebook in the European Union. But by its own admission, it lacks the financial resources it needs.
It may not have been a coincidence that Facebook chose to announce plans to create 1,000 jobs in Dublin on the morning it began an appeal at Ireland’s Supreme Court in an attempt to overturn DPC Ireland’s referral of SCCs to the European Court of Justice.
Schrems said there was a fundamental clash between EU privacy laws and US surveillance laws that was unlikely to be resolved in the current case.
“If the US wants to process the data of foreigners, it will have to give foreigners at least some baseline privacy protections,” he said.
Max Schrems’ battle with the EU and the US
26 July 2000: The European Commission makes a decision to allow data transfers between the EU and the US between organisations that self-certify as being compliant under Safe Harbour. European regulators have the right to suspend data transfers if the principles of Safe Harbour are breached.
2008: Austrian lawyer Max Schrems starts using Facebook.
1 December 2009: The EU Charter of Fundamental Human Rights is given legal status. Article 7 provides for the respect for private and family life. Article 8 requires the protection of personal data.
January 2013: Facebook’s chief operating officer, Sheryl Sandberg, lobbies world leaders in a series of one-on-one meetings to water down proposals for the law that ultimately became the General Data Protection Regulation (GDPR).
May 2013: Edward Snowden reveals the interception and surveillance of telecommunications and internet by the US National Security Agency (NSA) on a massive global scale.
6 June 2013: The Washington Post reveals the existence of the Prism program which enables the NSA to collect personal data, including emails, photographs and videos, from internet providers, including Microsoft, Google and Facebook.
25 June 2013: Max Schrems makes a formal complaint to the Irish Data Protection Commission against Facebook Ireland. He cites probable cause that Facebook is breaking the Irish Data Protection Act and the European Data Protection Directive by providing “mass access” to data on European citizens to the NSA.
25 July 2013: The Data Protection Commission Ireland rejects Schrems’ complaint, arguing it is frivolous and vexatious.
31 July 2013: The Guardian newspaper reports the existence of a top secret NSA program, X Keyscore, that enables it to collect nearly everything an internet user does online.
18 June 2014: In the Irish High Court, judge Desmond Hogan asks the European Court of Justice to determine whether the Irish Data Protection Commission is bound by the Safe Harbour Agreement. The judgment found that the US routinely accesses personal data on a “mass and undifferentiated basis”.
25 March 2015: The European Court of Justice begins considering the privacy case brought by Max Schrems. The case has implications for the legality of Safe Harbour, which permits data transfers between the EU and the US.
6 October 2015: The Court of Justice rules that the Safe Harbour agreement that allowed EU-US data transfers is invalid, following Schrems’ complaint.
20 November 2015: Facebook Ireland signs an agreement with Facebook Inc to transfer data on Facebook’s European customers to the US using standard contractual clauses (SCCs), as an alternative to Privacy Shield.
1 December 2015: Schrems files an updated complaint with the Irish DPC. He asks the Irish data protection commissioner to make a ruling prohibiting transfers of data between Facebook Ireland and Facebook Inc in the US on the grounds that Facebook Inc is illegally making his data available to US intelligence through the Prism collection program.
2016: The Irish Data Protection Commissioner files a law suit against Schrems and Facebook in the Irish High Court to refer further questions to the European Court of Justice.
28 June 2016: The US Department of Justice argues that the legal case brought by the Irish Data Protection Commission against Facebook and Max Schrems raises issues of national security.
8 July 2016: Facebook and Irish business claim in court that a legal challenge to SCCs could cut 1% from Europe’s GDP if it succeeds.
19 July 2016: In an unusual move, the Irish Court joins the US government to the case. The European Privacy Information Centre, a non-government organisation, the Business Software Alliance and Digital Europe are also joined to the case.
26 July 2016: The Irish High Court agrees a date for a three-week hearing into the legality of data transfers between the EU and the US.
7 February 2017: The Data Protection Commission Ireland begins legal action in the commercial court in Dublin against Facebook and Schrems. Helen Dixon argues that the court should require the European Court of Justice to decide if transatlantic data transfer channels breach privacy rights of EU citizens. The US government argues that the case could have sweeping commercial ramifications.
3 October 2017: The Irish High Court decides to ask the ECJ to rule over the validity of data transfers between the EU and the US. The court’s ruling over the safeguards to protect EU data against collection by the US NSA under its Prism and Upstream programs.
11 October 2017: Lawyers for the US government argue that it is “critically important” that its views are heard when a Dublin court raises questions over the legality of data transfers between the EU and the US with the ECJ.
January 2018: Justice Caroline Costello announces that the court will take its time to formulate questions to put to the ECJ, following four days of legal argument. Facebook makes an application to correct “certain factual errors” made in an earlier ruling in October 2017.
2 May 2018: Facebook fails a belated attempt to delay Dublin’s High Court by referring key questions that could decide the lawfulness of data transfers between Europe and the US to the European Union’s Court of Justice.
12 April 2018: The Irish High Court proposes 11 questions for determination by the European Court of Justice that will test whether companies can legally transfer data to the US in the light of disclosures by Edward Snowden that the US is engaged in large-scale surveillance of EU citizens.
9 May 2018: The Irish High Court refers 11 questions over the validity of SCCs and Privacy Shield to the ECJ.
1 November 2018: Facebook makes an unprecedented appeal to the Irish Supreme Court in an attempt to halt the Irish High Court referring questions over the validity of EU-US data transfer agreements to the European Court of Justice.
21-23 January 2019: The Supreme Court in Dublin hears a three-day appeal from Facebook against a decision by the Irish High Court to refer 11 questions about the legality of data transfers between Europe and the US to the ECJ, in which the US government gives evidence. The Irish Data Protection Commission argues that Facebook is attempting to head off an adverse finding by the European court that SCCs are illegal.
12 December 2019: The Advocate General Henrik Saugmandsgaard Øe is due to give an opinion on the questions referred by the Irish Court.
Read more on Network security strategy
Irish High Court dismisses legal bid by Facebook over EU-US data transfers
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
Facebook takes legal action against Irish privacy watchdog
Irish privacy watchdog orders Facebook to stop sending user data to the US