Silicon Valley should seek to further distance itself from a culture of surveillance established by US law, Austrian privacy activist Max Schrems has said ahead of a key ruling on global data flows later this week.
In a much-anticipated case this Thursday (16 July), the European Court of Justice will rule on whether the EU’s Standard Contractual Clauses (SCCs) are a legitimate way of transferring data to legal regimes outside of the bloc.
The Irish Data Protection Commission brought the case following a complaint from Schrems, in which he calls into question the validity of SCCs.
In particular, Schrems states that the Irish DPC has failed to appropriately exercise Article 4 of the Commission’s decision on SCCs with regards to data transfers between Facebook Ireland and Facebook US, which can suspend the exchange of data in cases where data EU protection rights are not upheld.
Schrems’ concern is that Section 702 of the US Foreign Intelligence Surveillance Act (FISA), permits the National Security Agency to collect foreign intelligence belonging to non-Americans located outside the US, by way of obtaining their data stored with electronic communications services providers, such as Facebook.
Speaking to reporters on Monday (13 July), Schrems explained how he hopes the ruling could, in the long term, lead to US surveillance law reform as well as a general pushback against a US culture of surveillance.
“We hope that Silicon valley will realise the potential downfalls of US surveillance law,” he said, adding that there has however also been positive developments in this area over recent years, including Microsoft’s decision to publish transparency reports that detail requests for data from US law enforcement and foreign intelligence authorities.
“For the companies themselves, these surveillance laws are a burden,” Schrems added, citing also the fact that reform of FISA 702 would be to the benefit of US industry, which, in order to attract foreign data, should want to introduce baseline privacy protections.
Moreover, US concerns regarding American data outsourced to Beijing when citizens use Chinese technology services such as Huawei or TikTok follows “the same logic” as the worries raised in the complaint, the Austrian privacy activist said.
EU foreign affairs chief Josep Borrell said last week (7 July) that personal exchanges of data between the EU and China may only take place in full compliance with the GDPR. The comments came after US Secretary of State Mike Pompeo said that there could be privacy issues associated with the Chinese video-sharing platform TikTok.
On Thursday, the ECJ could also adopt a position on the validity of the Privacy Shield agreement, the mechanism used for transferring personal data between the EU and the US.
In his December opinion, ECJ Advocate General Henrik Saugmandsgaard Øe stated that the courts should not necessarily be required to rule on the validity of the accord, due to the fact that the dispute in question only concerns the Commission’s establishment of standard contractual clauses.
However, the Advocate General questioned the legitimacy of the agreement, stating that there are “reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”
In a previous 2015 case, Schrems successfully mounted a legal challenge over the EU’s ‘Safe Harbour’ privacy principles, developed to prevent private companies in the EU or the US from losing or accidentally revealing personal data belonging to citizens.
That year, ECJ Advocate General Yves Bot issued an opinion to the court that stated the Safe Harbour agreement should be rendered invalid, and added that individual data protection authorities could suspend data transfers to other countries should there be evidence of data protection rights being breached.
The ECJ ultimately upheld Bot’s opinion and the Safe Habour agreement was invalidated.
Should the Privacy Shield be invalidated, Schrems believes, a ‘third version’ of Safe Harbour would be insufficient in ensuring adequate data protection for EU citizens when their data is transferred to the US.
Such a rehashing of the EU-US data transfer regime essentially “could not overcome” the conflict between EU privacy law and US surveillance law, Schrems said.
[Edited by Sam Morgan]