As a major case of international import opens in the Irish Commercial Court this week – that of the Irish Data Protection Commissioner against Facebook – the future of transatlantic data transfers, and of the US/EU data transfer agreement Privacy Shield, is again under scrutiny.
Those data transfers, said to be worth more than $250 billion annually, are a ubiquitous part of doing business in every sector of every market. If halted, utter chaos would ensue – a kind of inverted Muslim ban for data, in which EU data would be refused entry to the US despite the US being more than eager to welcome it.
The Irish case questions whether special contracts known as model contracts, or standard contractual clauses, adequately protect EU citizen data in the US. Austrian Max Schrems is joined to the case, as he brought the original complaint against Facebook to the Irish DPC.
Irish DPC Helen Dixon has said she believes the contracts are inadequate, and wants the Commercial Court to refer the question to the European Court of Justice (ECJ). I know, it’s complicated.
Some companies, including Facebook, use the contracts as an alternative to signing up to broad EU/US data transfer agreements, the first of which, Safe Harbour, was rejected as inadequate by the ECJ in 2015. The ECJ ruling resulted from the court’s consideration of Schrems’ original complaint to the Irish DPC.
Safe Harbour was replaced last year with a new EU/US data transfer agreement called Privacy Shield, which immediately drew criticism from privacy advocates. Though the US government and the European Commission have remained outwardly optimistic in defending it (and it does contain notable improvements on the limp Safe Harbour), Privacy Shield can only be as adequate as the US and its surveillance agencies are open and transparent.
Foreign data
With Donald Trump in the White House, already declaring foreigners are not entitled to the (already weak) privacy protections afforded US citizens' data, who out there seriously believes the commission's reassurances that he doesn't mean EU data? Just how will it be specially protected separately from other foreign data, and to EU standards far superior to protections given US data?
Meanwhile, this week saw two surprising related developments. First, Google found itself refusing a US judge's order to hand over email held in the Google Cloud, outside of the US. Similarly, Microsoft had refused to surrender emails held on a Dublin server, a case it has won at federal level but which may be referred to the Supreme Court.
The Google case may well be headed for Supreme Court referral too, as resolving the question of lawful access to foreign-held data is pivotal to the whole cloud model now widely embraced across businesses (and cloud services are themselves, as big business, worth billions annually). If a government is deemed to have access to electronic data held on foreign servers – ignoring the mandate of treaties that require a formal request be made to a foreign state for release of evidence held on its soil – the security and privacy of data anywhere in the cloud then comes into question, and thus the whole cloud model.
At the very least, the new case will likely push cloud providers to cover all bases by creating more regionally-managed data centres, especially in Europe, so that data control remains within given jurisdictions.
Obvious implications
The Google case also has obvious implications for Privacy Shield. If governments – the US in these cases, but by implication, any other – can seize data held outside the state, then how can the privacy guarantees afforded to US-based EU data under Privacy Shield be upheld? With a multibillion-euro sector at stake, both the possible Microsoft case appeal and the ongoing Google case will be closely, and nervously, watched internationally.
Google also announced this week that its own model contracts had been fully approved by – interestingly – the EU’s article 29 working party comprising national DPCs from Europe. Are Google’s contracts different from Facebook’s? Will this approval affect the outcome of the Irish DPC case against Facebook? Would it influence an ECJ decision if the Irish Facebook case is referred?
On top of all this, the adequacy of Privacy Shield may soon be directly tested if the ECJ accepts in coming weeks privacy advocate Digital Rights Ireland’s argument that it has standing to bring a direct challenge against the agreement.
Most businesses and governments fail to understand how high the economic stakes are here. If Privacy Shield and, possibly, model clauses too fall – with a US administration in office that is openly hostile to the EU and the notion of foreign data privacy – data transfers could screech to a halt.
At best, very difficult – and perhaps, impossible – negotiations would lie ahead.