Privacy Shield now facing questions via legal challenge to Facebook data flows

The Irish High Court has referred for a second time a legal challenge to Facebook’s EU-US data transfers to Europe’s top court, seeking a preliminary ruling on a series of fundamental questions pertaining to the clash between US mass surveillance law and EU citizens’ fundamental privacy rights.

The sustainability of the EU-US Privacy Shield mechanism — which thousands of companies rely on to expedite transfers of personal data across the Atlantic — looks to be at stake.

The case is based on a 2013 complaint by lawyer and privacy campaigner Max Schrems against Facebook (and other tech giants) related to US surveillance law. Schrems drew on information about US intelligence agency practices and systems for sucking up data that had been revealed by NSA whistleblower, Edward Snowden.

In 2015, a landmark ECJ judgement overturned a long-standing EU-US data transfer mechanism, called Safe Harbor, as a result of his legal action.

Schrems then updated his complaint, this time focusing exclusively on Facebook and addressing a secondary EU-US data transfer mechanism that’s still being used, called Standard Contractual Clauses (SCCs).

SCCs are used by Facebook to transfer data between its European entity, Facebook Ireland, and Facebook USA — essentially via a contract in which Facebook USA pledges to follow EU privacy principles.

The Irish High Court issued an underlying judgement on the updated complaint last October, deciding to refer legal questions over this EU-US data transfer mechanism to Europe’s top court, as it had with Schrems’ original complaint.

The court has backed the view that US government surveillance practices involve a mass processing of personal data.

It’s a finding that clashes with fundamental European privacy rights. And this core legal clash is the Gordian knot that US tech giants — including Facebook — are now bound up with as a consequence of domestic surveillance law granting their government swingeing rights to suck up personal data from “electronic communication service providers”.

Incompatibility between two separate and distinct legal regimes and data priorities (in simple terms, EU vs US law on data boils down to protection for privacy vs retention for security) was the reason for the 2015 strike down of the 15-year-old Safe Harbor arrangement, following Schrems’ original complaint.

It’s also why the replacement EU-US Privacy Shield mechanism, which only started operating in August 2016, remains precariously placed — with the Trump administration doing nothing to enhance privacy protections as EU lawmakers want.

On the contrary; earlier this year president Trump signed into law another six years of the controversial warrantless surveillance law — aka Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Yet last fall EU lawmakers were still lobbying publicly for a sympathetic reform of FISA 702 — i.e. one which would include privacy provisions for foreigners’ data.

In the event, US lawmakers failed to reform surveillance law even where domestic targets are concerned, renewing a controversial legal loophole that provides U.S. intelligence agencies with a means for the warrantless surveillance of American citizens.

Privacy reforms that consider the rights of foreigners don’t even appear to register as a debate-worthy concept on the floor of the US Senate and House — which spells big trouble for the sustainability of EU-US transatlantic data flows. And means this issue will inexorably continue to be brought before EU judges — as has happened again here.

The court that invalidated Safe Harbor will now have to consider how its follow-up meshes with several similar points of law vis-a-vis US mass surveillance practices. And whether a targeted application of EU law might be possible.

It’s even possible the entire Privacy Shield mechanism could come unstuck — if so it would be years sooner than its predecessor, given it’s not even reached its second birthday yet.

In all the Irish court has referred 11 questions to the ECJ for a judgement — seeking guidance on a range of fine-grained points around whether rights afforded to EU citizens are being adequately protected by the current data transfer mechanisms and regimes, including Privacy Shield and SCCs; how to determine which rules and regulations take precedence across borders and/or where legal priorities clash and overlap; and whether, in cases of rights violations caused by surveillance law, data protection authorities have to suspend data flows or whether they can use discretion to not do so.

Schrems’ original hope with the 2015 complaint was that the Irish Data Protection Commissioner would suspend only Facebook’s use of SCCs. And he continues to advocate for targeted suspension of data flows if a company falls under US mass surveillance laws — i.e. rather than a blanket strike down of underlying mechanisms.

However the DPC took the unusual move of deciding to go to court — raising concerns about the validity of the entire SCCs mechanism.

Here are the last three points the court has referred to the ECJ, including where it references Privacy Shield:

9. (1) For the purposes of Article 25(6) of the Directive, does Decision (EU) 2016/1250 (“the Privacy Shield Decision”) constitute a finding of general application binding on data protection authorities and the courts of the member states to the effect that the US ensures an adequate level of protection within the meaning of Article 25(2) of the Directive by reason of its domestic law or of the international commitments it has entered into?

(2) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the SCC Decision?

10. Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III of the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter?

11. Does the SCC Decision violate Articles 7, 8, and/or 47 of the Charter?

In a statement on the court’s reference to the ECJ, Schrems said: “While I was of the view that the Irish Data Protection Authority could have decided over this case itself… I welcome that the issue will hopefully be dealt with once and forever by the Court of Justice. What is remarkable, is that the High Court also included questions on the ‘Privacy Shield’, which has the potential for a full review of all EU-US data transfer instruments in this case.”

Without a legal solution to the clash, Schrems suggests it might be required for US companies to entirely split their US and global services and ensure no data is passed.

An incoming update to the EU’s data protection rules, called GDPR, steps up privacy enforcement potential significantly — with far higher fines possible for data violations when it comes into force on May 25.

“In the long run the only reasonable solution is to cut back on mass surveillance laws,” he said. “If there is no such political solution between the EU and the US, Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation. Previously such a technical solution was done for financial data in the SWIFT case, where European data is now solely stored in Europe.”

“Given the case law, the question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-US data transfers and which approach they will take to remedy the conflict of EU privacy protections and US surveillance,” Schrems added.

A Facebook spokeswoman told us the company has nothing to add to its prior statement on the Irish High Court judgement from October, when it said:

Standard Contract Clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.

This ruling will have no immediate impact on the people or businesses who use our services. However it is essential that the CJEU now considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.

How long the ECJ will take to deliver its preliminary judgement on the referral remains to be seen — and it’s possible the process could take multiple years — but in the case of the original Schrems complaint the judges only took a little over a year to return their landmark verdict striking down Safe Harbor. So they have shown they are willing to move quickly to defend EU privacy rights against the threat of mass surveillance.