You can’t have it both ways. That was the stark message delivered to Facebook, the European Commission and to Ireland yesterday by Yves Bot, advocate general of the European Court of Justice.
In a closely-watched preliminary ruling, with far-reaching consequences for EU-US relations, Mr Bot hung out to dry Europe’s privacy paper tiger, the “Safe Harbour” provisions that streamlined transatlantic data flows.
To Facebook and other US companies collecting user data within the EU, the ruling was clear: you can either operate in Europe or you can collaborate with NSA surveillance, not both.
To the European Commission, an equally stark message: you are betraying the fundamental rights of EU citizens by continuing the “Safe Harbour” data sharing regime. Worse: Brussels is renegotiating a new data-sharing deal while refusing to use the leverage offered by striking down the current deal.
Should the court follow its advocate general - and it is not obliged to do so - the consequences for EU-US relations could be considerable: diplomatically, commercially and in the ongoing TTIP trade talks.
US implications
From a Washington perspective, a final ruling that follows yesterday’s line would only accentuate the feeling that the EU is regulatory nightmare for business, determined to frustrate free trade in general and innovative US companies in particular.
For US tech giants with legal headquarters in Europe, like Facebook, it exacerbates an already tricky situation. User data is their lifeblood, their currency and their profit but they are now caught between two legal stools: the US is saying ‘give us all your data’ for intelligence purposes, while the EU, according to this ruling, should be saying, ‘don’t give them our citizens’ data’. Microsoft is already facing such difficulties, in a row with US authorities over its refusal to hand over emails of a suspected drug trafficker. Should the ECJ follow yesterday’s argument, it could force a political agreement on this lingering standoff.
Despite the far-reaching consequences of any final ruling, data protection advocates dismiss as overblown the dire warnings from the US that striking down Safe Harbour would somehow break the internet.
Safe Harbour, it should be remembered, is a privilege but not a right.
It is an agreement enjoyed by around 4,000 US companies operating in Europe that allows them export user data back to the US once it promises that, once there, the data will continue to be subjected to EU privacy standards. In the advocate general’s view, we now know what many long suspected: this privilege had no satisfactory legal basis.
Firstly: once the data left the EU, he argued, “Safe Harbour” offered the European Commission no means of oversight, beyond promises, that its standards were applied to EU data on US servers. Worse, Edward Snowden’s revelations about the Prism programme, whereby US tech companies allowed NSA access to its user data, suggest that vast breaches of EU privacy law is now commonplace across the Atlantic.
Secondly: EU citizens are discriminated against in their efforts to rectify the matter, he wrote, as protection under US privacy law applies only to US citizens and foreign nationals resident in the US.
Given these concerns, the advocate general argued that the European Commission not only could, but should have halted the data transfers under Safe Harbour.
This is a major slap-down for the Brussels executive, exposing transatlantic data transfer provisions as less a safe harbour but a black hole for fundamental rights.
Ireland’s data protection commissioner (DPC) doesn’t escape the advocate general’s gaze in his ruling, either. It told Austrian privacy campaigner Max Schrems that it had no means to investigate his complaint that Facebook was sharing his private data with US intelligence. It was bound by the Safe Harbour rules, the DPC said, dismissing Mr Schrems’s case was “frivolous and vexatious” and thus bound to fail.
He disagreed, took a judicial review at the High Court and landed in Luxembourg. During March oral hearings, the ECJ judges described it as a “case of great principle”, a line followed by Wednesday’s preliminary ruling that blows the Irish DPC out of the water.
Ireland’s regulator could very well have intervened in the case, the advocate general ruled. It will be interesting to see if the court agrees in its final judgment, in particular if it says the DPC not only can intervene in such cases, but that it must.
What started out as a running battle between an Irish body and an Austrian law student has sent a clear warning to the Government. It likes to crow about how, by attracting Facebook and other tech giants, Ireland has become a hub of the digital economy. But if Ireland wants to be a world-class player in the tech scene, it should regulate like one. You can’t have it both ways.