Wishful thinking guiding privacy policies after Schrems ruling

Many of the 4,500 companies that relied on Safe Harbour are left in a legal quandary

“As bizarre as it seems, existing evidence in the wake of Schrems suggests that only a handful of legal and business experts in the US or Europe, and very few companies, really understand EU privacy law.” Illustration: Thinkstock

Is there a contractual way for companies to get around last week’s European Court of Justice ruling on Max Schrems’s case against the Irish Data Protection Commissioner, which effectively invalidated the Safe Harbour principles?

The answer is no.

Understandably, many of the 4,500 companies which relied on Safe Harbour – a tickbox of principles companies could check, without any real oversight, to say they complied with EU data protection and privacy laws when transferring EU data to the US – are in a business and legal quandary.

In an epidemic of corporate wishful thinking, an alarming number of such companies, particularly the large multinational internet-based companies, seem to think – or hope – they can get around the ruling using various legal contracts.


But, no more than Safe Harbour itself could, these so-called model contracts and similar legal vehicles cannot get around the core of the judgment.

That’s because, in looking at the broader context of the Irish case, the European Court of Justice made very clear that the problem with Safe Harbour, and by implication any transfer of data to the US, was not merely one of a company addressing its own basic data protection and transfer mechanisms, but of incompatibility between fundamental EU rights and protections, and US security laws that allow access to EU data held in the US.

Thus, the ruling has vast implications for transatlantic business, and as things stand, can only be satisfied at the moment by keeping EU data within the EU. Yet companies that surely know better – Facebook, Google, Amazon, Salesforce – are busy reassuring clients that there is no need to worry about data transfers because, despite the Schrems ruling, they have – rinse, repeat – model contracts in place.

This raises the interesting question of whether companies are deluding themselves that these contracts offer some sort of remedy to the ruling.

Or maybe they truly are ignorant of privacy law and the weight a European Court of Justice ruling carries. I know, after years of attending security events in the US, that the general corporate attitude and that of many so-called US privacy professionals – I prefer to call them “privacy” professionals – is utterly dismissive of EU privacy laws and rights.

As bizarre as it seems, existing evidence in the wake of Schrems suggests that only a handful of legal and business experts in the US or Europe, and very few companies, really understand EU privacy law.

Legal fig leaf

The ones that do, know that model contracts won’t work. Contracts might be used by companies as a nearly transparent legal fig leaf, short term – just to look like they are doing something rather than nothing – but they cannot be a solution.

London School of Economics assistant law professor Orla Lynskey states in a blog post: "[I]t is difficult to see how these alternative transfer mechanisms could withhold judicial scrutiny."

And a multiple-part discussion blog on lawfareblog.com, by legal scholar and former White House adviser Timothy Edgar, explores the legal angles from numerous perspectives. Edgar concludes that either US surveillance needs reform or a new Safe Harbour agreement has to be far more precise, and that contracts currently won't satisfy the European Court of Justice's concerns. (He also, rightly, notes EU hypocrisy given that many EU states also carry out surveillance and therefore handle EU citizen data improperly.)

"The best that can be said for model clauses is that they haven't been struck down by the [European Court of Justice/EU]. Yet," notes security and privacy consultant Daragh O Brien of Dublin-based Castlebridge Associates, who uses the analogy of a chocolate teapot for the durability of model contracts.

He also notes that a German data protection authority has already ruled model contracts invalid for transfers.

Cost and inconvenience

Businesses and trade officials need to find ways of aligning business and better privacy. And sorry businesses, but cost and inconvenience is not a valid argument for compromising people’s privacy and its legal protections in the EU. The European Court of Justice’s new president Koen Lenaerts told the Wall Street Journal this week that the decision indicated “the rule of law is not up for sale.”

He added: “We are not judging the US system here; we are judging the requirements of EU law in terms of the conditions to transfer data to third countries, whatever they may be.” Not just Safe Harbour conditions, but “conditions”, full stop.

EU data is, for now, safe if held in data centres run by EU companies and, likely, also safe if held in EU-based data centres run by US companies. This is because the basic issue of US access awaits a final decision on the case involving the US government’s demand for emails held in Microsoft’s Dublin data centre.

Certainly, a transfer-firewalled, EU-based data centre run by a US company is a better bet than nonsensical private contracts, until either the Microsoft case is decided or the EU and US negotiate meaningful and enforceable transfer principles.