The challenge of protecting European privacy from Uncle Sam’s snoopers

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.

A person has his picture taken in front of Facebook's 'Like' icon signage in front of their campus building in Menlo Park, California. [John B. Mabanglo/EPA/EFE]

The findings of the Court of Justice of the EU (CJEU) in the two cases arising from complaints against Facebook by Austrian privacy campaigner Max Schrems highlight the fundamentally opposed approaches towards data and personal privacy in the EU and the US, writes Dick Roche.

Dick Roche is a former Fianna Fáil politician. He was the minister of state for European affairs when Ireland conducted the two referendums on the Treaty of Lisbon of the European Union, in 2008 and 2009.

The cases also shine a light on the extraordinary double standards of US policymakers who invoke concerns about data security in their efforts to push European countries in a direction that supports wider US geopolitical interests while applying lax standards domestically.

The unequivocal rulings of the Court of Justice in the two cases set a challenge for Europe’s Data Protection Commissioners and pose a conundrum as to how privacy protection arrangements in the US, which are honoured more in the breach than the observance, can be adjusted or augmented to satisfy EU data protection requirements.

When Edward Snowden released thousands of classified US National Security Agency documents to the Guardian and the Washington Post in May 2013, he revealed how US-based companies – notwithstanding the protections enshrined in the 4th Amendment of the US Constitution – had been forced to turn over personal data, including on European citizens, to American intelligence agencies.

On 25 June 2013, Max Schrems launched a complaint against Facebook arguing that his personal data, if transferred to Facebook Inc. in the US, would not be adequately protected. This, he said, contravened EU law, which prohibits the transfer of EU citizens’ personal data to a third country without an “adequate level of protection.” Because Facebook’s European HQ is in Dublin, the complaint was lodged with the Irish Data Protection Commissioner (IDPC).

In 2013, European data exported to the US was, ostensibly, protected by the Safe Harbour arrangements agreed between the European Commission and the US authorities back in 2000. The arrangements depended on voluntary adherence and self-certification. A company transferring data from the EU to the United States was required to “ensure that the receiving entity provides adequate safeguards to protect such data against a number of mishaps”.

When his complaint was rejected by the IDPC, Schrems appealed to the Irish High Court, which referred the matter to the Court of Justice of the European Union (CJEU).

In its ruling, delivered on 6 October 2015, the CJEU did not mince words. In a scathing reference to well-publicised failures to protect personal data from intrusion by US intelligence agencies, the Court found: “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union, which is transferred under the Safe Harbour Scheme, without those citizens benefiting from effective judicial protection”.

The Court directed that EU Data Protection Commissioners should decide whether the “transfer of data of Facebook’s European subscribers to the US should be suspended on the grounds that that country does not afford an adequate level of protection of personal data”.

In an attempt to address the decision of the European Court, the US Department of Commerce and the European Commission agreed on a new policy, fancifully titled “Privacy Shield”.

When the Commission published a draft decision on the proposals, the reaction was lukewarm. Doubts were raised about individual provisions, while concerns were expressed about US agencies accessing bulk data. The EU Parliament voiced its concerns in a resolution on 26 May 2016. The Commission adopted its decision on 12 July 2016.

Prior to that, Schrems reactivated his complaint about Facebook. The Irish DPC took the view that whatever the legal mechanism by which EU-US data transfers were conducted, “the structure of the legal system in operation in the United States, [for] EU-US data transfers were inherently problematic”. It referred its concerns about Privacy Shield to the Irish High Court, which in turn referred the issue to the CJEU.

On 16 July 2020, the CJEU ruled that Privacy Shield was invalid, that surveillance practices by US intelligence agencies failed to meet European privacy standards, and that there was a lack of redress in the US system for those targeted for surveillance. It took the view that it was “impossible to conclude” that the EU-US Privacy Shield could ensure the level of protection guaranteed by the General Data Protection Regulation (GDPR).

While striking down Privacy Shield, the Court confirmed that Standard Contractual Clauses (SCCs) were appropriate mechanisms for transferring data to third countries, but stipulated that when using an SCC to transfer data the exporter must verify on a case-by-case basis that the data would be protected to the level guaranteed by the EU’s GDPR.

The judgement sets a very high bar for companies exporting data to the US. If data operators cannot provide that assurance they must suspend the transfer of personal data.

In August 2020, Facebook was notified by the IDPC that an order suspending data transfers to the US was in preparation and that SCCs cannot in practice be used for EU-US data transfers. Facebook immediately asked the Irish High Court to halt the proposed order.

The problem for Facebook will be establishing that the data exported can be protected to the level guaranteed by GDPR. It is difficult to see how the gulf between the highly intrusive nature of US surveillance laws and the standards guaranteed under EU fundamental rights can be bridged.

The same challenge faces the EU Commission and US officials who are trying to find another workaround for the markers set out in the Schrems II judgement.

The EU 1995 Data Protection Directive and the 2016 General Data Protection Regulation set the global gold standard for the protection of the personal data of citizens. If the EU determines to maintain those standards for European citizens, change must come from the US side. That will require action from the US Congress.

The type of robust response needed to meet the CJEU’s concerns would be hard for Congress to swallow given its decades-long failure to protect US citizens’ privacy rights from the attention of Uncle Sam’s snoopers.
