As many had expected, the preliminary opinion in the Schrems v Facebook case indicates the European Court of Justice (ECJ) is likely to throw a big wrench straight into the workings of businesses – and rightly so.
The case, which originated in Ireland but will have global implications for commerce, focuses on the (in)adequacy of privacy protections afforded European citizens under Safe Harbour principles. Agreed in 2000 between the United States and European Union, these govern how data is transferred between Europe and the US.
The court is considering broader issues at the heart of a complaint taken by Austrian law student Max Schrems against former Irish data protection commissioner (DPC) Billy Hawkes.
Schrems had argued that the DPC had taken the wrong decision in refusing to investigate whether Schrems’s Facebook data was given adequate protection in the US under Safe Harbour.
Schrems’s case turns on the fact that, as revealed by whistleblower Edward Snowden, Facebook and other companies gave data under the Prism surveillance scheme to the US National Security Agency, a violation of Safe Harbour.
Yesterday, Yves Bot, advocate general (AG) at the ECJ, Europe’s highest court, issued a sinewy opinion in the case, signalling the ECJ’s potential to go beyond the actual question before the court – a view on Safe Harbour – and take drastic action.
“It is apparent from the findings of the High Court of Ireland and of the commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” Bot wrote.
He also wrote that he believes the commission should have suspended Safe Harbour in the wake of Snowden’s disclosures.
Business chaos
The role of the AG is to analyse the evidence brought before the court and then offer the ECJ justices a view on how to rule. The AG’s opinion is followed in most cases. Bot suggests the ECJ can and should require the commission throw out Safe Harbour.
And indeed it should. The weak argument from the commission – that doing so would cause business chaos – is, quite frankly, a problem the EU and US authorities have brought upon themselves.
Ever since the Snowden leaks, Safe Harbour has been under attack amidst serious concern about whether it is fit for purpose. The EU and US have been negotiating to fix it ever since, for two years now, with no result.
Bot’s opinion indicates the court may well take the view that the lack of a fix is not adequate reason to continue to allow EU citizens’ data to be handled without full compliance with European data-protection law.
Certainly, recent ECJ decisions giving an online right to be forgotten and throwing out the EU’s data-retention directive indicate it will act forcefully to back privacy rights.
Axing Safe Harbour would be tough for businesses, but European and US businesses and their professional bodies are also squarely to blame here for paying scant attention to data-protection and privacy rights that are not aspirational doctrines but binding laws across the EU.
And come on: Safe Harbour is little more than window dressing with no real oversight or enforcement.
Final decision
“Compliance” with Safe Harbour involves a business going to a website, filling in a form and stating compliance. That’s it. There are no audits, no inspections, no further evidence required, no governance.
Safe Harbour is, and always has been, a joke. It needs to be replaced. But a fixed agreement must come very quickly, with the clock ticking now on the ECJ final decision. It is due within three months, and insiders feel it may well come much earlier.
If there’s no fix by then, data transfers between the EU and US could be halted with immediate effect.
Think about that. Few US or European companies really comprehend that transatlantic business could be shut down within hours of an ECJ decision. US firms just don’t get that the ECJ is the Supreme Court of Europe. There is no court of appeal.
Options
What can individual companies do? There are other options. They can design IT systems to handle data in an auditable way that complies with EU law. Safe Harbour is simply one shorthand way of indicating company compliance, the one that most companies use.
However, few companies, especially SMEs, have the ability to have fresh IT systems in place within months. So we are back to fixing Safe Harbour.
If that is to be done, businesses had better make their governments and professional bodies know they want this done and fast.
Blindly hoping the ECJ will not decisively – and correctly – back the rights of European citizens is no way to do business.