Key transatlantic data flows under threat as US surveillance laws clash once more with EU privacy protections

Posted on Oct 9, 2017 by Glyn Moody

We wrote recently about clouds gathering over the Privacy Shield framework that governs transatlantic data flows for thousands of US companies. As that post explained, even if the Privacy Shield is struck down by the EU courts, as some believe it will be, there are alternative mechanisms that can ensure the legality of data transfers out of the EU to the US. The most important of these is the use of standard contractual clauses (SCCs), also known as “model clauses”. However, last week an Irish judge said she would make a formal request for the Court of Justice of the European Union (CJEU), the EU’s highest court, to rule whether SCCs for this purpose were invalid too. If the CJEU decides they are, that will make sending personal data of EU citizens across the Atlantic hard, or even impossible, for many top Internet companies like Google and Facebook.

Last week’s court decision is another victory for the Austrian privacy activist Max Schrems. He’s been questioning the legality of Facebook’s transfer of his personal data from Ireland, where Facebook has its European headquarters, to the US for many years. But a turning point in his campaign was the release by the whistleblower Edward Snowden of hitherto secret documents that showed the NSA had routine access to the personal data of Facebook users under the PRISM program. As a result of that revelation, and Schrems’ dogged perseverance through the Irish and EU courts, the CJEU ruled in 2015 that the Safe Harbor scheme used by Facebook at that time did not provide sufficient protection for EU citizens.

Although the Privacy Shield framework was hurriedly drawn up to replace Safe Harbor, Facebook decided to turn to SCCs as one of the ways to remain compliant with EU law. Specifically, Facebook Ireland drew up a contract with Facebook Inc. that specified how EU personal data would be transferred and protected.

However, in his revised complaint against Facebook made to the Irish Data Protection Commissioner (DPC) in 2015, Schrems pointed out that so far as we knew, Facebook was still part of the PRISM program, and that the SCCs did nothing to change the fact that the NSA could carry out surveillance on EU citizens using Facebook’s databases. On that basis, Schrems called on the DPC to suspend all data flows from Facebook Ireland to Facebook Inc.

The DPC was unwilling to do that, perhaps because of the huge political implications of shutting down data transfers from one of Ireland’s biggest foreign investors. Instead, she took both Facebook Ireland and Schrems to court on the issue. This unusual move was designed to allow the High Court of Ireland to refer the whole issue to the CJEU. This would spare the Irish DPC from taking the responsibility of shutting down Facebook’s dataflows, and would also allow the CJEU to consider the wider issues.

Last week, the Irish High Court judge decided that it would indeed be necessary to refer the matter to the CJEU, and along the way made some significant statements. As well as the full 153-page judgment, there is a more digestible five-page summary from the judge. Schrems too has written a useful explanation of what has been decided, and what will happen now.

The Irish judge examining the case has no doubt that the NSA is spying on EU citizens using data supplied by Facebook and others:

“The [Data Protection] Directive defines processing of personal data as including any operation or set of operations which is performed upon personal data such as collection… or otherwise making available the data. On the basis of this definition and the evidence in relation to the operation of the PRISM and Upstream programmes authorised under s.702 of FISA [the US Foreign Intelligence Surveillance Act of 1978], it is clear that there is mass indiscriminate processing of data by the United States government agencies, whether this is described as mass or targeted surveillance.”

Moreover, the judge found that the supposed remedies offered by the US to any EU citizen that felt they had suffered as a result of that surveillance were insufficient:

“In my opinion, despite the number of possible causes of action, it cannot be said that US law provides the right of every person to a judicial remedy for any breach of his data privacy by its intelligence agencies. On the contrary, the individual remedies are few and far between and certainly not complete or comprehensive.”

In addition, the judge agreed that the Irish DPC had “well-founded concerns” about the validity of the SCC mechanism, which required the CJEU’s definitive views. As Schrems points out, it takes around one and a half years after referral for cases to be considered, so there won’t be any immediate consequences of the Irish court’s judgment. However, a ruling against Facebook’s use of SCCs by the CJEU is likely to be based on the NSA’s continued surveillance of EU citizens’ personal data. If that’s the case, it would apply equally to similar transfers made under the Safe Harbor framework. Taken together, that would make it hard, and maybe impossible, for companies like Facebook and Google to send EU data to the US. The obvious solution would be to use servers located in the EU to hold and process data relating to EU citizens.

As Schrems points out, a CJEU ruling against Facebook’s SCCs would not apply to every US company sending data across the Atlantic:

“Not all EU-US data flows are under challenge. The situation is specifically problematic regarding US companies that are ‘electronic communication service providers’, because the relevant law (FISA 702) only applies to them. Most ‘normal’ businesses (like trade in goods and services and the like) do not fall under such US surveillance laws and there is therefore no direct conflict with EU laws. The problem is however similar for most other large US technology providers that provide IT outsourcing services (e.g. “cloud services”) to the EU.”

That’s an important point. It means that transatlantic data flows in general are not at risk, even if they certainly are for many of the top names in the online world.

Featured image by Catkin.