Ireland’s High Court has asked the European Court of Justice to rule on the legality of Facebook and other U.S.-based technology companies’ transfer of EU citizens’ data to the United States. The case, called The Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, has huge implications for data privacy and E.U.-U.S. relations.
Schrems I – Safe Harbor
In June 2003, Austrian law student Max Schrems filed a formal complaint against “Facebook Ireland LTD,” Facebook’s Ireland subsidiary, before Ireland’s national data protection authority. Schrems, a Facebook user, alleged that Facebook Ireland LTD was violating the Irish Data Protect Act by outsourcing the processing of his data to “Facebook Inc.,” the social media giant’s U.S. headquarters. Section 11 of the Irish DPA states:
The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data.
Schrems argued that, following the Snowden revelations that identified “Facebook Inc.” as a voluntary participant in the NSA’s PRISM mass surveillance program, the Ireland DPC could not guarantee that Schrems’s data was subject to “an adequate level of protection” upon transfer to the United States.
Initially, the DPC declined to take Schrems’s case, citing the 2000 Safe Harbor Decision, under which the European Commission determined that companies participating in the U.S.-E.U. Safe Harbor Framework provided “an adequate level of protection” with regards to data privacy. But an appeal from Schrems eventually brought the case before the High Court, which in 2014 agreed to refer several questions to the CJEU. In a landmark ruling, the CJEU invalidated the U.S.-E.U. Safe Harbor Agreement, finding that the framework did not adequately guard against “interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States.”
Schrems II—Standard Contractual Clauses
The case made its way back to the Irish High Court, which in turn remitted the complaint back to the DPC. The DPC started an investigation into the case, and invited Schrems to reformulate his complaint in light of the ECJ ruling on the Safe Harbor Agreement.
For his reformulated complaint, Schrems contacted Facebook, requesting that the company identify all of the legal bases upon which it relies to transfer user data to the United States. Facebook referred to a data transfer and processing agreement dated November 2015, which relied on the European Commission’s standard contractual clauses decision of 2010. Standard Contractual Clauses (SCCs, also called “Model Clauses” or “Model Contracts”) are sets of clauses issued by the Commission in order to provide adequate data privacy safeguards during the transfer of personal data from the E.U. to third countries who do not guarantee “adequate” protection per E.U. standards. Companies based in third countries, including the United States, can employ the clauses verbatim to ensure timely approval of their data transfer protocols.
In his reformulated complaint, Schrems attacks the legitimacy and binding status of the SCCs. In particular, he argues that the DPC is not bound to respect Facebook’s cited SCC because U.S. surveillance programs, namely PRISM, violate Article 7 and 47 of the Charter of Fundamental Rights of the European Union as well as the Irish Constitution, and, further, that all SCCs, including the cited SCC, provide an “emergency clause” that “takes account of a situation where national laws of a third country override these clauses and allows [data protection authorities] to suspend data flows in the situation.”
In May 2016, the Irish DPC’s office announced that, after conducting its investigation into the matter, it did not find that SCCs could adequately address the data protection deficiencies of U.S. law. Since the SCCs were established by the European Commission, however, the DPC acknowledged that it did not have the authority to unilaterally declare them invalid. It thus brought the case back before the Irish High Court, seeking a referral to the CJEU. Last Tuesday, the High Court agreed to refer the case to Europe’s highest court.
Implications for U.S.-EU Trade
The E.U.-U.S. trade relationship is the most robust trade relationship in the world, accounting for 30-40% of global trade in goods and services. The transatlantic flow of data underpins and sustains this relationship. Multinational companies in the U.S. and E.U. regularly send data to and receive data from their subsidiaries across the Atlantic for communications, human resources, and research and development purposes. Furthermore, many goods and services, such as online banking, telecommunications, and advertising are now primarily delivered over the Internet. According to a Brooking Institution report, these “digitally-deliverable services” constitute over 60 percent of exports for the U.S. and over 55 percent of exports for the European Union.
Cases such as Schrems I and Schrems II risk disrupting the free flow of data between the United States and the European Union. By creating legal and regulatory uncertainty about proper data transfer protocol, these cases raise the costs and risks to U.S. companies of doing business in Europe. These increased costs and risks in turn discourage U.S. companies from engaging with European businesses and consumers. Legal and regulatory barriers to transatlantic data flows prove particularly costly for small businesses, which often lack both the financial and human capital required to navigate cumbersome regulations.
Implications for Transatlantic Law Enforcement and Intelligence Cooperation
While the potential implications of the E.U.’s fervent data protectionism on trade and the global economy have been extensively discussed, the potential effects on another area of strong E.U.-U.S. cooperation – law enforcement and intelligence sharing – have thus far been largely neglected.
U.S. intelligence capabilities, especially with regards to signals intelligence (SIGINT), dwarf those of E.U. member states, and the E.U. has heavily relied on U.S. intelligence for decades. Washington and London have had a long-standing intelligence sharing pact called the UKUSA Agreement since 1946. Both are key members of the Anglo-American intelligence sharing group known as Five Eyes, alongside Canada, Australia, and New Zealand. Furthermore, documents leaked by Edward Snowden reveal several tiers of intelligence-sharing alliances that count both the United States and several European countries as members, among them Denmark, Germany, Italy, Sweden, Spain, and Switzerland. Following the November 13, 2015 terror attacks in France, Washington also agreed to boost its sharing of raw operational and military intelligence with Paris.
In short, if Brussels continues to erect barriers to data flows to and from Washington, many E.U. member states may have to forfeit some of their VIP access to American intelligence as well.