Europe’s top court may be about to deal a massive blow to American tech companies operating in Europe.
Tomorrow, the European Court of Justice will make its ruling on the Max Schrems-Facebook case — a lawsuit originally brought against the Californian company in Ireland, the outcome of which could have massive consequences for how companies handle Europeans’ data.
What is the Max Schrems case?
Schrems is a privacy activist who brought a case against Facebook in Ireland. He said his privacy had been violated by the NSA’s mass surveillance programs first revealed by whistleblower Edward Snowden. Schrems is Austrian, but brought the case against Facebook in Ireland because the company’s European headquarters are in Dublin.
The Data Protection Commissioner, Ireland’s data regulator, rejected his case because it was bound by a legal agreement called the Safe Harbour agreement — which Schrems subsequently appealed, resulting in the current European Court of Justice case.
Safe Harbour is an agreement drawn up between Europe and the US allowing the transfer of data on users between the two regions. There are different rules concerning data on either side of the Atlantic, but Safe Harbour harmonises them and allows for smooth transfers without worrying about differing legal frameworks.
It’s now in jeopardy.
There’s a big risk that the European Court of Justice will reject Safe Harbour altogether in the upcoming Schrems ruling. In September ECJ Advocate General, Yves Bots, one of several advisors to the ECJ, put out a legal opinion ahead of the ruling arguing that the safe harbour agreement is “invalid” because of US spying.
“The surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance,” Advocate General Yves Bots said. “In those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection.”
He argues that agreements such as the 2000 Safe Harbour law cannot supersede scrutiny at the national level. Such agreements “cannot eliminate or even reduce the national supervisory authorities’ powers … if the national supervisory authorities receive individual complaints, that does not in my view prevent them, by virtue of their investigative powers and their independence, from forming their own opinion on the general level of protection ensured by a third country and from drawing the appropriate conclusion when they determine individual cases.”
The ECJ doesn’t always follow such legal opinions — but it does so in most cases. This is huge: the Irish Minister of State for Data Protection Dara Murphy says that “half of the world’s data crosses the Atlantic,” Irish Times reports.
What would the consequences of the ECJ rejecting Safe Harbour be?
It would mean that the more than 4,500 companies that rely on Safe Harbour for the transfer of data — from tech giants like Google and Facebook to tiny startups — would be opened up to significantly more scrutiny from regulators within Europe.
“Many rely on it as the primary — or even only way to legalise — the transfer of data,” privacy lawyer Susan Foster from law firm Mintz Levin told Business Insider.
They would need to find an alternative legal framework for the transfer of data (some do exist), and could also face a far more fractured regulatory environment. Bots says that some local regulators would have the power to “[suspend] the transfer of that data,” meaning companies could be faced with a situation like is currently the case in Russia — a local government demanding that all data held about its citizens by stored within the country, rather than in the US.
When is the decision happening?
Tuesday, October 6, at 9.30AM CET. (8.30AM BST)
How likely is it to happen?
“I’m hoping there’s a solid chance they will kick it back to the Irish courts, rather than invalidate it completely,” Foster says. Why? “The Irish court didn’t actually refer the question of ‘Is Safe Harbour adequate?’ That is a question Bots took on himself in the opinion. It wasn’t briefed, it wasn’t argued by the party, and he went down that path regardless. That’s quite a big legal step and the [ECJ] might not follow him in that next step.”
She continues: “What they could do — and I think there’s a very high likelihood they will do this — is they will make a determination on the question that was actually asked. And that is: ‘Does the Irish court (and even before that, does the Irish ata protection office) have the legal ability to evaluate the adequacy of the safe harbour program, or are they bound by the year 2000 decision by the [European] Commission that safe harbour is adequate?”
If they answer this question (as opposed to Bots’) in the affirmative, this will give individual European countries the ability to make their own determinations about data transfer — risking fragmenting Europe. “If that does happen — they kick it back to Ireland — it’s also possible there will be a flood of complaints in all of the national data protection offices, and some of those countries which are adverse to Safe Harbour might suspend it immediately … there’s a very real risk … that we’ll have different approaches [to data transfer] throughout Europe very quickly — within days of the announcement of the decision.”
The Irish Times reported on Saturday that “the commission is understood to be preparing an emergency meeting on Tuesday to discuss the ruling once it is issued.”
Are there workarounds?
“[Safe Harbour] is not the only way you can legitimise the transfer of personal information but it is probably the most important method,” Foster says. One option is to directly seek the consent of the data subject, but it could be difficult to do so in cases where companies have previously relied exclusively on Safe Habor.
“Consent has to be explicit and freely given” — which causes a headache for another key use of Safe Habor, the transfer of employee data. “In many countries in Europe you can’t rely on consent from employees, because employees are understood not to have free choice.” An employee may feel pressured into consenting, so such a consent would not be a valid basis for the transfer. “A lot of multinational companies with employees in Europe rely on Safe Harbour because they don’t feel they can rely on consent, quite rightly.” Foster says.
Even in instances where consent can be freely given, there could be future hurdles as legal debate in Europe continues as to whether consent is an adequate mechanism (given how people tend to disregard terms and conditions). “At the moment we have consent as a valid basis of the transfer … I can foresee a world within the next 12 months where it’s not.”