Facebook tried to block the referral but today an influential advisor to Europe's top court has issued a legal opinion that could have major implications for the future of the EU-US Privacy Shield personal data transfer mechanism.
It's a complex opinion, dealing with a fundamental clash of legal priorities around personal data in the EU and US, which does not resolve question marks hanging over the legality of Privacy Shield .
The headline take-away is that a different data transfer mechanism which is also widely used by businesses to transfer personal data out of the EU -- so called Standard Contractual Clauses (SCCs) -- has been deemed legally valid by the court advisor.
However the advocate general to the Court of Justice of the European Union (CJEU) is also at pains to emphasize the "obligation" of data protection authorities to step in and suspend such data transfers if they are being used to send EU citizens' data to a place where their information cannot be adequately protected.
So while SCCs look safe -- as a data transfer mechanism -- per this opinion, it's a reminder that EU data protection agencies have a duty to be on top of regulating how such tools are used.
The reason the case was referred to the CJEU was a result of Ireland's Data Protection Commission not acting on a complaint to suspend Facebook's use of SCCs. So one view that flows from the opinion is the DPC should have done so -- instead of spending years on an expensive legal fight.
The backstory to the legal referral is long and convoluted, involving a reformulated data protection complaint filed with the Irish DPC by privacy campaigner and lawyer Max Schrems challenging Facebook's use of SCCs. His earlier legal action, in the wake of the 2013 disclosures of US government mass surveillance programs by NSA whistleblower Edward Snowden, led to Privacy Shield's predecessor, Safe Harbor, being struck down by the CJEU in 2015.
On the SCCs complaint Schrems prevailed in the Irish courts but instead of acting on his request to order Facebook to suspend its SCC data flows, Ireland's data protection watchdog took the unusual step of filing a lawsuit pertaining to the validity of the entire mechanism.
Irish courts then referred a number of legal questions to the CJEU -- including looping in the wider issue of the legality of Privacy Shield. It's on those questions that the AG has now opined.
It's worth noting that the advocate general's opinion is not binding on the CJEU -- which will issue a ruling on the case next year. Although the court does tend to follow such opinions so it's a strong indicator of the likely direction of travel.
The opinion, by advocate general Henrik Saugmandsgaard Øe, takes the view that the use of SCCs for the transfer of personal data to a third country -- i.e. a country outside the EU that does not have a bilateral trade agreement with the bloc -- is valid.
However, as noted above, the AG puts the onus on data authorities to act in instances where obligations to protect EU citizens' data under the mechanism come into conflict with privacy-hostile laws outside the EU, such as government mass surveillance programs.
"[T[here is an obligation — placed on the data controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses
cannot be complied with," the CJEU writes in a press release on the opinion.
In a first reaction, Schrems highlights this point -- writing: “The advocate general is now telling the Irish Data Protection Authority again to just do its job... After all the Irish taxpayer may have to pay up to €10M in legal costs, for the DPC delaying this case in the interest of Facebook.
“The opinion makes clear that DPC has the solution to this case in her own hands: She [Helen Dixon] can order Facebook to stop transfers tomorrow. Instead, she turned to the CJEU to invalidate the whole system. It’s like screaming for the European fire brigade, because you don’t know how to blow out a candle yourself.”
We've reached out to the Irish DPC and to Facebook for comment on the AG's opinion.
“At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints. This is a huge step for the enforcement of the GDPR [the General Data Protection Regulation]," Schrems also argues.
Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo, suggests that the likelihood of EU DPAs suspending SCC personal data transfers to the US will "depend on the Court’s ultimate take on the safeguards surrounding the access to the transferred data by the United States intelligence authorities and the judicial protection available to the persons whose data are transferred".
"The disruptive effect of a suspension of SCCs, even if partial and just for the U.S., is likely to be substantial," he argues. "SCCs are widely used for the transfer of personal data outside the EU. They are probably the most used data transfer mechanism, including for transfers to the U.S. Thus, even a partial suspension of the SCCs would force a significant number of organizations to explore alternative mechanisms for their transfers to the U.S.
"However, the alternatives are limited and often difficult to apply to large-scale transfers, the main ones being the derogations allowing transfers with the consent of the data subject or necessary for the performance of a contract. These are unlikely to be suitable for all transfers currently taking place in accordance with SCCs."
"In practice, the degree of disruption is likely to depend on the timing and duration of the suspension," he adds. "Any suspension or other finding that data transfers to the U.S. are problematic is likely to speed up the modernization of SCCs that the European Commission is already working on but it is unclear how long it would take for the Commission to issue new SCCs.
"When the Court invalidated the Safe Harbor, it took several months for the Commission to adopt the Privacy Shield and amend the existing SCCs to take into account the Court’s judgment."
On Privacy Shield -- a newer data transfer mechanism which the European Commission claims fixes the legal issues with its predecessor -- Saugmandsgaard Øe's opinion includes some lengthy reasoning that suggests otherwise and certainly does not clear up questions around the mechanism's legality which arise as a result of US laws that allow the state to harvest personal data for national security purposes, thereby conflicting with EU privacy rights.
Per the CJEU press release, the AG's opinion sets out a number of reasons which it says "lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy".
The flagship mechanism is now used by more than 5,000 entities to authorize EU-US personal data transfers.
Should it be judged invalid by the court there would be a massive scramble for businesses to find alternatives.
It remains to be seen how the court will handle these questions. But Privacy Shield remains subject to direct legal challenge -- so there are other opportunities for it to weigh in, even if CJEU judges avoids doing so in this case.
Schrems clearly hopes they will weigh in soon, skewering Privacy Shield in his statement -- where he writes: “After the ‘Safe Harbor’ judgment the European Commission deliberately passed an invalid decision again -- knowing that it will take two or three years until the Court will have a chance to invalidate it a second time. It will be very interesting to see if the Court will take this issue on board in the final decision or wait for another case to reach the court."
“I am also extremely happy that the AG has taken a clear view on the Privacy Shield Ombudsperson. A mere ‘postbox’ at the foreign ministry of the US cannot possibly replace a court, as required under the first judgement by the Court," he adds.
He does take issue with the AG's opinion in one respect -- specifically its reference to what he dubs "surveillance friendly case law" under the European Convention on Human Rights -- instead of what he couches as "the clear case law of the Court of Justice".
"This is against any logic... I am doubtful that the [CJEU] judges will join that view," he suggests.
The court typically hands down a judgement between three and six months after an AG opinion -- so privacy watchers will be readying their popcorn in 2020.
Meanwhile, for thousands of businesses, the legal uncertainty and risk of future disruption should Privacy Shield come unstuck goes on.
Update: The Irish DPC has now responded to the opinion saying it welcomes the "clarity and analysis".
Head of communications, Graham Doyle, sent us this statement:
The DPC welcomes the publication of the AG’s opinion. The opinion illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries, to include the laws of the United States. Equally, the opening section of the opinion recognises the significant tensions that arise between, on the one hand, the need to show pragmatism, and on the other, “the need to assert the fundamental values recognised in the legal orders of the Union and its member states, and in particular, the Charter".
Some of the points of complexity engaged here go to matters of substance. To take just three examples: does EU law apply at all when data subject’s personal data is processed by public authorities in a third country (the AG believes it does); do US laws and practices facilitate interferences with the data protection rights of individuals that are incompatible with EU law (they do, in the view of the AG); and are those problems cured by Privacy Shield (no, in the opinion of the AG).
Separately, the opinion notes that, in individual cases, the standard contractual clauses likewise may not provide an answer to the problems that arise when data transfers bring EU citizens’ data within the remit of US public authorities. At this point, procedural complexities also come into view. Specifically, who should intervene when, in the context of an individual transfer, the level of protection demanded by EU law cannot be maintained? Here, whilst acknowledging its imperfections, and the practical difficulties it presents, and notwithstanding the risk of fragmentation amongst supervisory authorities within the member states, the AG concludes that the approach settled upon by the EU in the context of the SCCs strikes an appropriate balance between pragmatism and principle. That approach is one in which responsibility for ensuring the protection of the data protection rights of EU citizens rests with controllers in the first instance and, in the view of the AG, with national supervisory authorities where a controller fails to discharge its obligations.
Whilst noting that these issues are yet to be determined by the Court, the DPC welcomes the clarity of the analysis contained in the AG’s opinion.
Facebook has also now sent us a statement, attributed to associate general counsel, Jack Gilbert:
We are grateful for the Advocate General’s opinion on these complex questions. Standard Contractual Clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas. SCCs have been designed and endorsed by the European Commission and enable thousands of Europeans to do business worldwide. We look forward to the final decision from the CJEU.