“You were only supposed to blow the bloody doors off!”: Schrems II the day after


The EU Court of Justice opines on the Privacy Shield


BY:

Alexis de Hahn
Avocat Reporteur
PROJECT COUNSEL MEDIA


17 July 2020 (Paris, France) – So, the EU Court of Justice (ECJ) has struck down the so-called Privacy Shield data protection arrangements between the political bloc and the U.S., triggering a fresh wave of legal confusion and gnashing of teeth over the transfer of EU subjects’ data to America.

As we have chronicled in a long series of posts, Austrian privacy activist Max Schrems brought the latest edition of the long-running case (informally known as “Schrems II”) in 2015, complaining that Ireland’s data protection agency wasn’t preventing Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from beaming his data to the US. He was focused on “standard contractual clauses” (SCCs) which are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the EU. Following the outcome of “Schrems I” he reformulated his complaint to protest the Privacy Shield.

Once his data was in the US, Schrems argued, no EU-style data privacy controls … neither through SCCs nor through the Privacy Shield … were legally enforceable by him or anyone else in that situation. America’s plethora of three-letter spy agencies could then help themselves to it in various legal and not-so-legal ways, at least under EU rules.

Yesterday, the ECJ ruled that the now-dead Privacy Shield arrangement – itself a replacement of Safe Harbor – “does not grant data subjects actionable rights before the courts against the US authorities,” meaning EU citizens could not challenge a breach of the arrangement by a company in the US handling EU personal data.

To many, the opinion was a bit of a surprise. The Court’s Advocate General, Henrik Saugmandsgaard (who was also the Advocate General on “Schrems I” and just about every other data protection case that the Court has considered) suggested to the Court that Ireland’s SCC decision was valid; the problem was the context in which it operated. He took the view that the Privacy Shield’s validity should be considered separately. The Court took a slightly different approach. It agreed with its Advocate General that the SCC decision was valid, but it struck down the Privacy Shield.

NOTE: the most important work performed by the Advocates General (there are 8) is to deliver a written Opinion, called a “reasoned submission”. The role of the Advocate General is to propose an independent legal solution. It is important to note that the Court is not obligated to follow the Opinion delivered by the Advocate General. Even though the Opinion does not bind the Court, it has an impact on the decision in many cases, and in fact in most cases (77%) the ECJ follows it.

And if you want a deep analysis of this case … in fact a deep analysis of any EU law case or issue … the only person to read is Lorna Woods, Professor of Internet Law at the University of Essex. Everything else you read about “Schrems II” is pure fluff or a paid announcement. You can read her trenchant analysis of “Schrems II” by clicking here. She provides scores of links, too. And she let me nick her post’s title 🙂 

I was in Luxembourg for the announcement of the decision and I had an opportunity to interview a number of attendees (including Max himself) and the chats were interesting.

My view … I want to get this out front … is simple. I was not surprised by this decision at all. The Privacy Shield is a fiction invented by the EU and U.S. governments. Its role is to keep trans-Atlantic trade, investment and business partnerships going at the request of the many European companies who want access to the U.S. market, continuing vital U.S. corporate investment in the EU and placating the U.S. government so it continues its security and intelligence cooperation with various EU members. All this while making it look as if the EU is still doing something to protect its citizens’ data. The merry game of monetization of privacy must proceed, full speed ahead. The legal industry and the e-discovery / e-disclosure / information governance industry are all part of the same hypocrisy. It’s how they make money. Every data protection lawyer and data protection service provider knows this.

So it’s no surprise at all that the European Commission (which is subject to immense political pressure from member states) gave this their seal of approval (those annual reviews of the Privacy Shield which always find it “functioning properly” are hilarious) while the courts (which work to a different standard based on law) put the Privacy Shield out of its misery. The EU position was – and still is – that it was sufficient that the injured party had recourse to law in the country (the U.S.) to which the data was exported irrespective of whether such a theoretical right was practically (including financially) possible to enforce. The ECJ seems to be saying enforcement in the EU is essential.

And I was not surprised by the Commission’s immediate spin. At its “post-Schrems II” press conference, Vera Jourová (the current Vice President of the European Commission for Values and Transparency who, as the previous European Commissioner for Justice, negotiated the Privacy Shield) said all was well – SCCs are totally valid. I interviewed Max Schrems on that point and he said:

I watched the EU press conference. What a spin job!! Vera Jourová didn’t tell the truth. SCCs are NOT valid where the U.S. government by US law gets to see the data traffic. That’s the reason the court killed the shield!! She’s simply ignoring the court a second time here. The Court judgement is quite clear: you can’t just use the SCCs again without verification. There is no “toolbox” to be used when a US company falls under FISA.

And frankly, I did find it strange that the SCCs were not also struck down. Although as I reread the judgement I think what it says is SCCs are fine – just that, as applied to the U.S., they’re not worth the shrivelled fig-leaf they’re written on. Applied elsewhere – they’re fine. As one attendee told me:

Surely, any data transferred under the SCCs is also subject to U.S. government snooping in the same way as under Privacy Shield. It’s not as if Mr. Joe Q. Public has any say in what “standard contractual clauses” their bank / anti-social hangout / on-line supermarket / whatever signs up to.

Two U.S. lawyers at the Court just shrugged their shoulders. One said:

Most larger companies will now be completely pissed off after previously having gone through Safe Harbor being struck down. Most have been reluctant to do Binding Corporate Rules because it is lengthy and expensive. But that option will now look much more attractive than relying on standard contractual clauses and having those torpedoed in the future. And, quite frankly, that may well overload many EU regulators’ work capacity.

The other noted:

I need to disagree. BCRs [Binding Corporate Rules] apply only for each arm of a multinational, or each company in a conglomerate. You can’t have a BCR with a supplier, or customer. BCRs are a complete PITA to do – expensive and can take years to complete. They have to be done in conjunction with the local data authority. I have been involved with them and to my knowledge no more than maybe a couple of hundred firms have gone through the pain.

And the problem I now have is most of my U.S. company clients refuse to use standard contract clauses – they almost all relied upon Privacy Shield – meaning that now we have to go back to them, and renegotiate.

A UK lawyer offered this:

This kind of puts us in a very interesting position. It’s arguable existing UK data security laws aren’t adequate for EU purposes – we only got to play because we were EU members and our laws were in principle subject to EU courts.

We may find ourselves caught between being obliged to strengthen our laws to continue data exchanges with the EU and being obliged to weaken them in the interests of securing a US trade deal. And that’s important if you follow UK politics. With all those “magic” trade deals with China now scuppered, I am sure Johnson is praying that the US will ride to the rescue. Past governments (of both colours) have put all of their eggs in the financial services basket, so technology is just an irrelevance to them.

Fortunately, we’ve “taken back control” so we can invent our own social media: writing abusive messages on scraps of paper and chucking them out of car windows at passing strangers should be an adequate Twitter substitute, for example.

And said another UK lawyer:

Privacy Shield and its predecessors have always relied on suspension of disbelief to make it as far as the basis of a legal framework for exchanging data, by not asking about activities that the other party might carry out which would violate the agreement. We all know that. It’s the old Monty Python “wink, wink, nudge, nudge” sketch. The challenge is that the scope of this decision is far wider than just Facebook and other US data slurping countries – it affects all business. Does the EU actually implement their privacy laws and reinvent all services they currently use from non-EU countries, or do we all gasp as the magician takes off his hat and pulls out the Super Privacy Safe Harbour Act and business continues as normal? You need a workable solution? Hand me your beer mat. I’ll show you one.

And said another U.S. attorney:

So the EU court (and Max Schrems) said in effect “American spies had too much free rein to harvest EU citizens’ data from US companies.” Pardon my scepticism, but who says the NSA (or their poodle in Cheltenham) isn’t hacking European databases every day of the week? Never mind data transfers “from U.S. companies”. All this stuff really does is maybe affect the passing of private data used in a court case, where it may matter how the evidence was obtained, partly in the legal admissibility sense, partly because the method used to obtain it may have to be disclosed.

But data privacy issues? Has everybody forgotten the words of that sage, Scott McNealy? [Readers: he was referring to Scott McNealy, the former CEO of Sun Microsystems, who in 1999 said consumer privacy issues are a “red herring” and that “you have zero privacy and will continue to have zero privacy. Don’t you get the arc of all this technology development? Get over it.”]

Said another:

Ok, so we discovered, in the post-Snowden brouhaha, that there was a thriving cottage industry within the intelligence communities for fabricating plausible “sources and methods” narratives, so that information that had been gathered through dodgy channels would not reveal that the channels had been compromised, which served double-duty by allowing law enforcement to pretend that the information had not been collected with a warrant but just “a hunch”.

I was a U.S. District Attorney. I saw all this accessed stuff. We did not ask a lot of questions if we were merely fact-finding, building a case. We used to pass info on to local cops all the time. It would help them with their “vision”. Like, the “vision” that the merchandise (or missing felon) was hidden sixteen paces to the north of the old oak tree, four feet from the hydrant, in Apartment 303. They did not need to attribute the “source” to anybody. Just old-fashioned shoe leather work, of course.


Based on a few chats I had this morning and this afternoon with both U.S. and EU corporate representatives, nobody has stopped moving personal data across the Atlantic. It’s fully expected the EU Commission will try to hold off enforcing the “Schrems II” ruling for a grace period, like they did after Safe Harbor was struck down.

One last point. As Lorna Woods notes in her deep analysis of the case (here is the link again), the Court quotes and weaves the General Data Protection Regulation (GDPR) throughout its opinion. Even the EU Commission in its press conference said the GDPR offers a “broad toolbox for international transfers” to protect EU data. But Lorna is skeptical.

As our regular readers know, we are a cynical bunch when it comes to the GDPR. Even more so when, last month, we reported on a very funny feature on Norwegian TV News which showed how little actual privacy is provided in a fully compliant GDPR legal framework.

The reporter bought a bunch of datasets (14,000+) from several data brokers and through them was able to discover the owners of hundreds of cell phones. With tracking software, he was able to plot their daily routine: where they lived, where they worked, etc. And the search turned up a bunch of people who worked in very sensitive Norwegian government jobs – and there it was, their online mobile viewing habits, and more. How embarrassing.

But, that’s how much privacy protection the GDPR actually gives in the real world. None. And we’re worried about the Americans?
