Facebook: Legality of EU-US data sharing to be decided by Court of Justice

US surveillance ‘could be used against national interests of EU’

The decision is the latest round of a long-running legal challenge brought by Austrian lawyer Max Schrems against Facebook Ireland, who questions the legality of the social media company’s transfer of personal data of its European customers to the US.

“In simple terms, EU law requires privacy while US law requires mass surveillance. The question is, what happens when an EU company follows US rather than EU law?”

Schrems argues that many large internet companies, including Facebook, have a duty to allow the US government to access data about European citizens on a mass scale for “foreign intelligence purposes” in a way that could be used against the national interests of the EU and breaches EU privacy laws.

“In simple terms, EU law requires privacy while US law requires mass surveillance. The question is, what happens when an EU company follows US rather than EU law?” Schrems said in a briefing document published on his website before the hearing.

The Irish High Court referred 11 questions over the legality of standard contractual clauses and the US-EU Privacy Shield to the ECJ following legal action by Irish data protection commissioner Helen Dixon, who has questioned the legality of SCCs in the light of US surveillance.

Ireland’s Data Protection Commission accused of unnecessary delays

Schrems argues that the referral to the European court is unnecessary and that Dixon already has the powers to order Facebook to suspend data transfers to the US. Facebook has also opposed the intervention by the ECJ, while the US government, also party to the case, argues that the US offers sufficient safeguards to meet EU privacy law.

Solicitor Gerald Rudden, who represents Schrems, said the Data Protection Commission (DPC) Ireland could have made a decision on the matter years ago rather than bring additional court action.

“My client asked for a targeted solution for companies that fall under mass surveillance laws. The DPC could have issued such a decision long ago. Instead, after seven years and two referrals to the European court, we still have no formal decision from the DPC,” he said.

Does the US give adequate protection to private data of EU citizens?

One of the key questions before the Advocate General and the ECJ is whether the US government provides adequate protection for the private data of European citizens from the arbitrary bulk collection and analysis by the US intelligence agencies.

Also at issue is whether European citizens have adequate rights of redress if they believe the US government has misused their private data under an ombudsman scheme introduced by the US government as part of the Privacy Shield agreement with the EU.

Large tech companies and other businesses that transfer data to the US will be severely affected if the court decides to strike out SCCs

In June 2014, the Irish High Court found that Facebook Ireland transfers personal data on Facebook’s European customers to the US. The court found that Facebook’s data is capable of being accessed by the US National Security Agency (NSA) in the course of “mass and indiscriminate” surveillance of internet and social media traffic.

The European Court of Justice is expected to reach its own decision with a formal ruling within six months that could send the European Commission back to the drawing board with standard contractual clauses and Privacy Shield.

Large tech companies and other businesses that transfer data to the US will be severely affected if the court decides to strike out standard contractual clauses or rules that they cannot legally be used to transfer data between Europe and the US.

SCCs are used by more than 100,000 organisations as a mechanism to transfer data from the EU to the US and other countries under EU data protection law.

Anthony Lee, head of commercial law at city law firm Rosenblatt, said: “It’s frightening to even think about what businesses would do because most organisations rely on the standard contractual clauses. It would difficult for them to continue to operate.”

Privacy Shield at risk?

People who are familiar with the case suggest there is a chance that the Advocate General may find that the US-EU Privacy Shield agreement fails to adequately protect the privacy of European citizens from the US government’s bulk surveillance programmes.

If that opinion is upheld by the Court of Justice, it would mark the second occasion that Schrems has forced the EU to rewrite its data protection agreement with the US.

The first time was in 2015, when the ECJ struck down Safe Harbour, the predecessor agreement to Privacy Shield.

Then the court found that Safe Harbour was unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe, and therefore did not provide an adequate level of data protection.

However, Saugmandsgaard Øe has other less drastic options available. They include issuing a framework governing how SCCs should be used in practice.

Issuing a framework could ultimately put the onus back on the Irish Data Protection Commission to decide whether to take enforcement action against Facebook over its use of SCCs.

Advocate General and Court of Justice expected to take differing views

The European Court of Justice normally follows the opinion of the Advocate General when it comes to making a final ruling.

This case is unusual, however, according to people familiar with the proceedings, because there are signs that the Saugmandsgaard Øe and the court are leaning in different directions.

During oral submissions in July 2019, the judge presiding over the final decision appeared to take the view that the court could not rule on standard contractual clauses without also ruling on the validity of Privacy Shield and was more critical of US law. The Advocate General appeared to take a more pragmatic approach.

Speaking before the Advocate General’s opinion, Schrems said he expected the court’s final judgment may provide stricter privacy controls than tomorrow’s opinion.

“This case has 11 interconnected questions. It is very unlikely that we will get a single, clear ‘yes’ or ‘no’ answer from the Advocate General. Given the many options, it is even less likely that the judges will approach these 11 questions in the same way in their final judgment,” he said.

Privacy Shield under fire in second legal action

Privacy Shield faces a separate legal challenge from the French online privacy and anti-censorship group, La Quadrature Du Net (LQDN) and others, in the General Court of the EU, a lower court than the Court of Justice.

They argue that Privacy Shield breaches the fundamental rights to privacy under the Charter of Fundamental Rights of the European Union, that Privacy Shield fails to assure European citizens effective remedies against misuse of their data in the US, and that it does not offer equivalent protection to EU data laws.

The General Court of the EU was due to make a decision on LQDN in July, but has postponed the hearing until after the Max Schrems case tomorrow.

In other words, the Court of Justice finding in Schrems’ case is likely to have a knock-on effect on the LQDN case in the General Court.

People familiar with the case suggest that the Advocate General is unlikely to strike down SCCs, but is likely to introduce a framework that will impose tougher tests on how they can be used.

Possibilities include, at the most extreme, restricting the use of SCCs between Europe and the US but permitting their use to transfer data to other countries. Another possible outcome will be restricting companies that are involved in the US Prism surveillance program, which include Facebook, from using SCCs to transfer data to the US.

Facebook claims exemption from GDPR

Whether such a move would have any impact on Facebook is a moot point. The standard contractual clauses will need to be updated soon to make them compatible with the General Data Protection Regulation (GDPR) which became law in May 2018.

In November 2019, Facebook told a court in Vienna that it did not need consent from users of Facebook under GDPR to collect and process their data.

It claimed that under terms and conditions introduced in May 2018 it had an “advertising contract” with its customers to supply them with “personal advertising”, and was therefore exempt from GDPR.

Data protection commissioner faces difficult politics in Ireland

One likely outcome is that the European Court of Justice will deliver new guidelines on standard contractual clauses and bat them back to the Irish data protection commissioner, Helen Dixon, to enforce.

If that is the case, Dixon will need to negotiate some tricky politics.

“If the US wants to process the data of foreigners, it will have to give foreigners at least some baseline privacy protections”

Facebook is an important employer in Dublin and has garnered support from successive Irish prime ministers, including Enda Kenny, who used Ireland’s presidency of the EU to lobby on Facebook’s behalf, according to a leaked Facebook memo.

The Data Protection Commission Ireland is the sole agency responsible for regulating Facebook in the European Union. But by its own admission, it lacks the financial resources it needs.

It may not have been a coincidence that Facebook chose to announce plans to create 1,000 jobs in Dublin on the morning it began an appeal at Ireland’s Supreme Court in an attempt to overturn DPC Ireland’s referral of SCCs to the European Court of Justice.

Schrems said there was a fundamental clash between EU privacy laws and US surveillance laws that was unlikely to be resolved in the current case.

“If the US wants to process the data of foreigners, it will have to give foreigners at least some baseline privacy protections,” he said.