On April 12th, the Irish High Court elevated a series of questions to the European Court of Justice (ECJ, the Supreme Court of the European Union) regarding the validity of key legal instruments used by American tech companies to process Europeans’ personal data. Judge Caroline Costello of the Irish High Court is concerned about the national surveillance practices of the United States and the level of privacy rights observed there.
The ECJ’s answers to these questions will probably disrupt transatlantic data flows in the near future, oblige American companies to re-evaluate their international data transfer practices if they wish to participate in the European market, and manifest (once again) that the U.S. needs to radically reform its approach to privacy protection. It has become increasingly obvious that passing privacy legislation in America is not only the right thing to do, but is also the business-smart thing to do.
The Irish High Court questions to the ECJ deal with three very important issues. First, the validity of Privacy Shield itself. Privacy Shield is a legal scheme that allows American companies to transfer personal data from the European Union to the United States. The European Commission has always considered the American privacy framework as not equivalent to European protections and therefore not immediately adequate for data transfers. However, because blocking data transfers between the EU and the U.S. would be highly disruptive for social and economic reasons, the EU and the U.S. have until now found ways to accommodate each other. Privacy Shield now, like Safe Harbor before, is essentially an accommodation mechanism between two very different privacy approaches. The U.S. government promises to protect Europeans’ personal data by making some tweaks to its privacy and surveillance framework, and the EU allows transatlantic data flows. Most tech companies participate in Privacy Shield.
It is very unlikely that the ECJ will be able to pretend that Privacy Shield solved the problems previously identified by the same ECJ when it declaredSafe Harbor invalid after discovering the U.S. National Security Agency surveillance apparatus. Therefore, it is very likely that Privacy Shield will be declared invalid.
The second issue is the validity of the specific legal instrument that many companies use to transfer data to the U.S., the Standard Contractual Clauses (SCCs). SCCs are model contractual clauses approved by the European Commission (the closest equivalent to an executive power that the the EU has) as providing “adequate” safeguards to allow the transfer of Europeans’ personal data outside the EU to a country without an “adequate” level of personal data protection, like the U.S. Google, Facebook, and others use SCCs.
SSCs also look fragile. Judge Costello finds that there are “well-founded” grounds for believing SSCs are not an adequate instrument for protecting European privacy rights. If the ECJ declares Privacy Shield invalid, it would be logical for the ECJ to also declare the SSCs invalid.
Third, the ECJ is also asked to decide the extent of a national or subnational European Data Protection Authority power to suspend data flows if it believes a third country is subject to surveillance laws which conflict with EU law. Depending on the ruling of the ECJ, tech companies might be exposed to the enforcement of privacy laws of the most stringent European Data Protection Authorities regardless of the location of their headquarters. This might be problematic for U.S. companies, since it might expose them to a fragmentation of the enforcement of EU privacy rules.
While a priori it might seem that such a ruling would conflict with the one stop shop principle of the General Data Protection Regulation (GDPR), considering the EU has no national security competences, it could be logical for the ECJ to determine that it is within the mandate of national Data Protection Authorities to suspend data flows to third countries with surveillance laws contrary to EU law.
This may be bad news for the American private sector. Europe is the second most important market for most American tech companies. Transatlantic data flows are vital for many organizations.
These developments also reveal that patching the American privacy framework as it breaks is fraught with dangers. The Safe Harbor agreement lasted 15 years, from 2000 to 2015. Privacy Shield is less than two years old and it’s already seriously problematic.
Businesses prefer regulatory clarity. For that, and to protect the rights of American consumers, we need legislation. Congress can best defend the American economy from the disruption of interrupted data flows across the Atlantic by passing comprehensive privacy legislation that offers adequate protection to the personal data of Americans, and also the personal data of foreigners being processed in the U.S. Inaction in privacy protection has become a liability that endangers everyone, including American businesses.