On Thursday, Europe’s highest court will make a judgement that could see the controversial Privacy Shield accord between the EU and the U.S. struck down.
Privacy Shield is the “gentlemen’s agreement” that allows for data transfers between the two blocs. Essentially, it is a self-certification scheme that is necessary because the U.S. does not meet the EU’s stringent standards for privacy and data protection. It’s predecessor, Safe Harbor, was deemed not-so-safe by the European Court of Justice (ECJ) in 2015 following a case brought by Austrian privacy rights campaigner, Max Schrems.
This week’s ruling also stems – via a long, circuitous route — from a legal challenge by Schrems. In his original case, Schrems charged that Facebook was not adequately protecting his personal data by transferring it to the U.S. where it could be intercepted by intelligence services. Although that case resulted in the abolition of Safe Harbor, it transpired that Facebook was using a different mechanism to validate the transfer of data, namely, Standard Contractual Clauses (SCCs).
This week the ECJ will decide whether these SCCs are a legitimate way of transferring data to legal regimes outside of the EU while respecting EU data protection law, but the ruling is likely to have further implications, that could see a repeat of 2016 and Privacy Shield invalidated.
Speaking in June, European Justice Commissioner, Didier Reynders hinted at such a possibility when he said the Commission was conducting “preparatory works about the different possibilities that will result from the decision of the court.”
The latest case, dubbed “Schrems II” – Case C-311/18 — was in fact brought by the Irish Data Protection Commissioner against both Facebook Ireland Limited and Maximillian Schrems. Facebook’s European headquarters is in Ireland making the Irish DPC the relevant authority.
There is a provision in EU law – so-called Article 4 – that allows individual data protection authorities to suspend data transfers to other countries if there is evidence of data protection rights being breached. Schrems says the onus was on the Irish DPC to do this, and it was negligent in failing to act. Hence the case by the Irish Data Protection Commission was referred to the ECJ via the Irish High Court.
In typically colourful language, Schrems said the DPC was “complaining about a dumpster fire she created,” when DPC Helen Dixon said it would be a “doomsday scenario” if the court invalidates both SCCs and the Privacy Shield.
The court’s advocate general (AG), Henrik Saugmandsgaard Øe, gave an opinion last year saying: “(There) is an obligation — placed on the controllers … and, where the latter fail to act, on the supervisory authorities … — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.”
Although not legally binding, the court usually follows the AG’s advice.
Predictably there have been arguments for and against all possible outcomes. Estelle Masse, Global Data Protection Lead at digital rights NG, Access Now, said: “We must lay the EU-US Privacy Shield to rest once and for all. We have seen debate around this ill-conceived and heavily-flawed arrangement year after year, and we hope the Court of Justice will come to the conclusion that the Privacy Shield does not work in conjunction with European and international human rights laws.”
Industry bodies disagree. Alexa Lee, Senior Manager of Policy at ITI said: “The implications of this ruling will also have impacts beyond the realm of data protection. A negative ruling would create enormous legal uncertainty, negatively affecting trade and the economy during the most significant health crisis of this century. It would also erode trust in the EU’s landmark GDPR, which legally codified several different mechanisms for the predictable outbound transfer of data. Among those, SCCs are surely relied on by more companies globally than any other. Overall, if SCCs are invalidated, very limited alternatives remain for international data transfers, and the decision would potentially hit small and medium-sized enterprises (SMEs) the hardest.”
Whatever the outcome, it may not be the final word on the matter of EU-U.S. data transfers and the Privacy Shield – a forthcoming case, T-738/16, La Quadrature Du Net and Others v Commission, will rule directly on the validity of Privacy Shield.