It has been a long journey, but what may prove to be a crucial data privacy case from Ireland has finally made its way to Luxembourg’s Court of Justice of the European Union (CJEU).
On Tuesday the court heard arguments in what has become referred to as the Schrems II case. The case questions whether or not data transfer template agreements, commonly named standard contractual clauses (SCCs), are compliant with the EU’s data protection laws.
Should the European court rule that SCCs are not compliant, their judgement could very possibly stop data flows between the USA and EU member states. Given the current uncertainty as to how, when, (or even ‘if‘) Brexit will be effected, the ruling could also cause similar difficulties in the near future between the UK and the European Union.
As shocking as that may sound, the potential for such a case to arise has long been foreseeable. Unimaginable? American authorities have failed to take the necessary steps to ensure compliance with EU data protection law and the data transfer framework Safe Harbour. This appears to have been on the (incorrect) assumption that, firstly, the regulations could be interpreted somewhat flexibly, and secondly, that the European Union had previously never fully enforced them.
Thirdly, as revealed by Edward Snowden: there was an assumption that EU protections did not apply to the US national security agencies’ mass surveillance practices in which the swept up data from technology and social media giants indiscriminately.
The legal process began when Austrian lawyer Max Schrems, lodged a complaint with Ireland’s Data Protection Commissioner (DPC). In the light of the Snowden disclosures, Schrems wanted to know if his personal Facebook data could be properly safeguarded.
In its 2015 decision, now usually referred to as Schrems I, the CJEU thought not. Some were shocked by this decision, however only because many of those who were concerned by the ruling had not been paying sufficient attention to development. The European court had previously ruled, in a 2014 case brought by Digital Rights Ireland, that European Union member states could not simply gather up data and retain it for arbitrary periods, with no express purpose, on the belief that it may prove to be useful at some point in the future.
The Safe Harbour transfer network was made invalid by the Schrems I judgement, so a new arrangement was required. Privacy Shield, which followed, has been called problematic by critics and while it has not yet been challenged in the EU court, it soon will be in a complementary case being brought by several data privacy groups based in France.
Following the conclusion of the original Schrems case, the DPC revealed that Facebook had in fact employed SCCs as a custom-made data protection comparable to Privacy Shield. Max Schrems proceeded to file a further complaint, which concentrates on whether or not contract clauses can be appropriately enforced.
The DPC’s goal was to refer the matter to the CJEU. The method they employed surprised IT privacy specialist and the legal profession alike: the case was brought to the more expensive commercial court and named Schrems as the defendant (which exposes him to the legal costs), together with Facebook.
Experts feel that this sets quite a worrying precedent: in circumstances where a complainant can be named a defendant, any person who files a complaint with the DPC in Ireland risks being liable for legal costs. Ultimately, Schrems himself was indemnified against the legal costs, involved. It remains unclear for the moment, however, as to whether others who consider making such a privacy complaint will be similarly indemnified.
The Irish referred the case to the CJEU, but at Tuesday’s hearing, some of the parties involved questioned why the referral was made at all by the Irish Data Protection Commissioner on the grounds that she could have made a decision on the matter herself.
Experts however, including Castlebridge privacy consultant Daragh O’Brien, argued that in the light of the present uncertainty concerning the solidity of Privacy Shield or SCCs, the fact that the GDPR has been in force for just over a year, the lack of clarity with respect to correct procedure, the referral was possibly the most prudent route.
Cases such as these illustrate the powerful role the European Court now plays as an arbiter on the right to privacy. The Schrems I judgement was instrumental in shaping Privacy Shield and the text of the General Data Protection Regulation. The Schrems II judgement will, no doubt, serve to evaluate each. It is, almost certainly, for this reason why justices opted to remove the French Privacy Shield hearing from its immediate agenda. It would appear that they expect the Schrems II decision to clarify some of the present legal confusion.