The transfer of personal data lies at the heart of much of online activity. Since many of the leading online companies were founded and have their headquarters in the US, that typically means that huge quantities of personal data cross the Atlantic every day. If information concerns EU citizens, those data flows are governed by a variety of privacy laws, most notably the GDPR. Under EU law, for data transfers outside the region to be legal, they must be to locations that offer “adequate” privacy protection. “Adequacy” is decided by the European Commission, which tends to take a fairly lenient view of things in order to facilitate international data transfers.
Privacy activists naturally take a more stringent approach, and have turned to the courts in order to challenge the Commission’s adequacy decisions. This happened most famously to the Safe Harbor framework, which had been agreed between the US and EU in order to provide what the European Commission considered to be adequate protection. In 2015, the EU’s top court, the Court of Justice of the European Union (CJEU) ruled that the “adequacy” ruling was “invalid”. To prevent most transatlantic data transfers becoming illegal as a result, the US and EU hurriedly drew up a replacement scheme, Privacy Shield, which was designed to address the concerns of the CJEU.
Since the latter has not yet ruled on the validity of Privacy Shield, many companies have decided to take an alternative route that would be unaffected if the CJEU strikes down Privacy Shield too. It involves the use of “standard contractual clauses” (SCCs), which are effectively a formal promise by companies that EU personal data will be protected in the US (or elsewhere) according to EU standards. Notably, Facebook has chosen the SCC route, rather than take a chance on the validity of Privacy Shield. A long-running legal action is looking at whether SCCs are acceptable as a way of handling the transfer of personal data from the EU to the US. It was instigated by Max Schrems, the Austrian privacy activist who was also responsible for Safe Harbor being struck down. His organization, noyb.eu (“none of your business”) has put together a useful explanation of the complicated background to the latest legal challenge.
The key part is that the CJEU has been asked to rule on whether SCCs are compliant with EU privacy law. That’s a hugely important issue. If SCCs are ruled invalid, it would take away an important option for companies wishing to to make legal transfers of personal data from the EU. So a lot is hanging on this court decision. As is usual for cases brought to the top court, before the CJEU itself rules, a special advisor, called the Advocate General, offers an opinion. It’s not binding, but often provides an indication of how things are likely to go. In the opinion of the Advocate General, SCCs are valid.
However, there are a couple of stings in the tail of his opinion. First, the Advocate General says that SCCs can be revoked at any time if it is found that the companies involved have not kept their side of the bargain. That means that SCCs are provisional, and not cast-iron guarantees of legality. Moreover, the court advisor says the data protection authorities in the EU must block personal data flows if problems do arise with SCCs. As Schrems points out in his press release on the advisor’s opinion, that’s big because:
according to the AG [Advocate General] the DPC [data protection commissioner in Ireland] must stop the EU-US data transfers of Facebook, once it took the view that US law violates EU fundamental rights. The DPC has already taken that view in 2016. This means that under the AG opinion, the DPC would have had to suspend the data flows between Facebook Ireland and Facebook USA already in 2016
That is, if the CJEU agrees with the Advocate General, the Irish data protection commissioner will have to stop flows of personal data from the EU to Facebook in the US. There’s another important detail in the opinion. It concerns the Privacy Shield framework. Even though it’s not a principal focus of the court case, and the CJEU may not rule on it, the advisor offered his views on what he thinks it should say if it does:
the resolution of the dispute in the main proceedings does not require the Court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87 [regarding SCCs]. Nevertheless, the Advocate General sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.
Throwing out Privacy Shield would be huge, and leave SCCs as the main way of transferring data across the Atlantic from the EU to the US. However, others are more sanguine. Peter Swire is the Elizabeth and Tommy Holder Chair of Law and Ethics at the Georgia Tech Scheller College of Business, and has written an interesting analysis of the Advocate General’s opinion that sees grounds for optimism about transatlantic data flows continuing largely untouched. He concludes:
The AG’s opinion offers heartening news for continued global data flows. The opinion gives a basis for believing that standard contractual clauses will continue to be a lawful basis for transfer, avoiding the enormous practical problems that would otherwise result. The opinion recommends leaving the Privacy Shield in place and offers some interesting new jurisprudential support for foreign intelligence surveillance, at least where sufficient safeguards are in place.
The CJEU should hand down its definitive opinion on these and possibly other, related matters, in the next few months. Whichever way the decision goes, it is likely to be an important one for privacy in 2020 and beyond.
Featured image by katarina_dzurekova.