The 14 May rejection by the Irish High Court of an appeal by Facebook against the proposals by the Irish Data Protection Commissioner (IDPC) spells trouble for Facebook and poses real challenges for the EU, writes Dick Roche.
Dick Roche is a former Fianna Fáil politician. He was the minister of state for European affairs when Ireland conducted the two referendums on the Treaty of Lisbon of the European Union, in 2008 and 2009.
Finding a way to defend the privacy standards set out in the GDPR while maintaining the data transfers which are of critical importance to EU- US trading relationships will not be easy.
There will inevitably be pressure from Washington to reach an accommodation within its legal framework.
If, however, Europe settles for a rehash of the transfer arrangements which have already been firmly ruled against by the Court of Justice of the European Union, it will not only be a step in the wrong direction but will, in all probability, be doomed to face and fail future legal challenges.
There is also a wide economic dimension – restricting data transfers between the EU and the US will have a very real economic impact beyond the social media giants: many thousands of companies could be impacted.
The appeal by Facebook arose from proposals prepared by the Irish Data Protection Commissioner (IDPC) in response to the Schrems II case.
The landmark judgement in Schrems II ruled that the ‘Privacy Shield’ arrangements governing data transfers between the EU and US are invalid, that surveillance practices operated under US law do not meet European privacy standards, and that there was a lack of redress in the US system for those targeted for surveillance.
The Court took the view that it was “impossible to conclude” that the EU-US Privacy Shield could ensure the level of protection guaranteed by the General Data Protection Regulation (GDPR).
The Court confirmed that the mechanisms for transferring data to third countries, Standard Contractual Clauses (SCCs), in effect pre-approved EU contractual arrangements, remained valid – with a very important caveat: the Court stipulated that those using SCCs must verify on a case-by-case basis that the data would be protected to the level guaranteed by the EU’s GDPR.
Given both the intrusive nature of US law and the cavalier approach by US surveillance agencies to compliance, that requirement will be all but impossible to meet without substantial movement from the US.
On foot of the Schrems II the IDPC notified Facebook that it had commenced an inquiry as to whether the company’s transfer of the personal data of European citizens to the US was lawful.
Critically, the Data Protection Commissioner indicated that a provisional order had been prepared which would mean that Standard Contractual Clauses “cannot in practice be used” for future data transfers to the US by Facebook.
This struck a blow to Facebook and other companies that had taken comfort from the fact that in Schrems II the CJEU had not struck SSCs down. The line taken by the IDPC – who has been subject to repeated calls to act decisively and criticism for being over-cautious – threatened that comfort blanket.
Facebook initiated proceedings in the Irish High Court requesting a halt to the actions proposed by the IDPC.
On 14 May, in a comprehensive 197-page judgement, the Irish High Court refused “all the reliefs sought by Facebook Ireland”.
Facebook has warned that the decision could have “devastating consequences” for the company and its 410 million active European users. The reference to potentially “devastating consequences” is no exaggeration. Processing the data that flows into it from users is central to Facebook’s business.
If Facebook exports European data without meeting the GDPR standard it risks a penalty of €20 million or 4% of its global turnover, an eye-watering $ 2.8 billion.
The impact of the Judgement in Schrems II and of the actions proposed by the IDPC have a much wider reach than Facebook. The privileged access enjoyed by all US companies to personal data from Europe stands to be removed.
The US tech giants that dominate the digital world on the same footing as companies from outside the EU and European Economic Area where GDPR applies. The impact will also be felt by European companies. A motion circulated on behalf of the LIBE Committee on 12 May flagged particular concerns about the potential impact on European SMEs.
The initial US response to the Schrems II was dismissive. The Department of Commerce issued a White Paper responding to what it, disparagingly, referred to as the issues “that appear to have concerned the ECJ”.
Suggesting that the “extensive US surveillance reforms since 2013” had been ignored by the Court, the White Paper argued that the “legal framework for foreign intelligence collection provides clear limits, stronger safeguards and more rigorous independent oversight than the equivalent laws in almost all other countries.”
In the weeks following Schrems II US Secretary of Commerce Wilbur Ross and US Secretary of State Mike Pompeo expressed their deep disappointment with the ruling. Speaking at an American – Irish business event Wilbur Ross suggested the judgement posed a danger to cross border data flows that “underpin the $7.1 trillion transatlantic relationship.”
The Biden administration has adopted a more nuanced tone. During US Senate confirmation hearings the incoming Secretary of Commerce, Gina Raimondo, said that a replacement for Privacy Shield would be a priority for the US.
A joint statement by Commissioner Didier Reynders and Commerce Secretary Raimondo issued on 25 March committed both sides to intensifying the negotiations on resolving the issues highlighted in the Schrems II judgement.
The reality that faces the negotiating teams is that US surveillance laws are based on an approach that is antithetical to the privacy structure that has been put in place in Europe. The privacy principles that have been put in place in Europe since the 1950s are not compatible with the surveillance approach that has developed in the US over the same period. [More]
Commissioner Reynders has made the point that complex issues related to sensitive areas of national security which Schrems II raises means there is no “quick fix”. The problem is that the time for talking is running out.
Last week’s decision by the Irish High Court while not immediately shutting the door on EU-US transfers brings the day when that could happen closer.
Finding a solution will not be easy. The gap that exists between the US and EU is too wide to be bridged by administrative arrangements. Without significant changes in its surveillance laws the US, as Max Schrems has put it, cannot be regarded as a “trusted cloud provider”.
The coming months could be a real test as to how firmly the EU is committed is to its privacy principles.