The European Union’s top court has struck down the EU-US Privacy Shield, an agreement designed to simplify compliance with European data protection rules when the personal data of EU citizens is processed by US organizations. Whilst the Privacy Shield was supposed to give US businesses the option of voluntarily signing up to an enforceable standard meant to be equivalent to the EU’s General Data Protection Regulation (GDPR), the Court of Justice of the EU (CJEU) concluded that US national security laws are incompatible with the requirements of GDPR, because EU citizens are exposed to US government surveillance of a kind that is outlawed in the EU. This is yet another victory for privacy campaigner Max Schrems, the Austrian lawyer behind this case, who made similar arguments that destroyed the EU-US Safe Harbor, the predecessor to the Privacy Shield. However, it seems likely that European authorities will respond in the same way they did when Safe Harbor collapsed in 2015: they will simply refuse to enforce their own laws.
Schrems has quietly and consistently argued that there is an essential flaw in the European Commission’s desire to give US businesses a special status for data protection. GDPR would be rendered pointless if organizations could work around it by simply transferring data to foreign countries with more relaxed laws, so the EU also demands that contractual obligations equivalent to GDPR are imposed upon any foreign entity that handles data relating to EU citizens. However, many US businesses will simply ignore GDPR, whilst the EU cannot afford to cut itself off from the US tech ecosystem, so the EU has always fudged reality by pretending US entities could somehow be trusted to comply with European standards despite US standards being much lower. Schrems keeps pointing out an obvious flaw in the EU’s wishful thinking: US national security law means US entities have to hand over personal data in ways that would be illegal in the EU, whilst EU citizens have no effective way of protecting their interests. As Schrems observed:
The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.
Schrems deserves admiration for his dogged pursuit of honesty in the ways data protection rules are written and enforced. The implications for international communications business are enormous – in theory.
This particular case, commonly referred to as Schrems II, is a battle within the context of a long-running legal war between Schrems and Facebook by way of the Irish Data Protection Commissioner. Schrems targets Facebook because of the way it uses the data of EU citizens, whilst the Irish regulator is pivotal because Facebook maintains its European headquarters in Ireland, but Schrems’ arguments have general consequences for any European business that collects a lot of data about its customers. Nor is he afraid to challenge traditional telecoms providers, as shown by a separate privacy complaint recently lodged against A1 Telekom Austria. However, Schrems ignores the reality of what happened following his CJEU victory in 2015. The authorities effectively decided to ignore EU law because enforcing it became inconvenient when Safe Harbor collapsed. It is already clear they intend to do the same again.
The consequences of this judgment will be minimized because of another fudge: the authorities will give organizations unlimited time to put in place ‘standard contractual clauses’ (SCCs). In other words, they will encourage organizations to copy-and-paste various words into their contracts that superficially meet the requirements of GDPR, without any serious attempt to verify whether the clauses will be complied with. The CJEU has ruled that such clauses remain valid in principle, meaning that we have the absurdity of EU organizations pretending they are forcing US businesses to comply with requirements that neither party cares about, because the EU wants to pretend it can make US businesses do things that contradict what the US government orders them to do for the sake of national security.
It makes perfect sense for Schrems and his colleagues to argue that SCCs cannot overturn the reality of the obligations imposed by US national security law. A statement issued by noyb, the privacy group led by Schrems, argues:
The Court has also joined Mr. Schrems’ view that in a first step EU companies and non-EU recipients of data have to review the law in the respective third country. Only if there is no conflicting law, can they then use the SCCs. As a second layer of protection, the relevant Data Protection Authority (DPA) has to use the “emergency clause” built into the SCCs (Article 4 of the Standard Contractual Clauses Decision). In cases of US surveillance laws violating EU data protection principles, the companies did not take action. The [Irish Data Protection Commissioner] has fought this idea since 2016 with the false claim it had discretion to do nothing in the face of mass surveillance by foreign powers. In summary this means that Facebook may not use the SCCs for EU-US data transfers anymore and if they continue to violate the law, the DPC has to take urgent action – contrary to some claims made in the first reactions to the judgment.
Sadly, the practical realities are more accurately expressed by Phil Lee, Privacy Partner at the law firm Fieldfisher, in a widely shared LinkedIn post:
Although everybody in the European Union should check if US law is incompatible with compliance with GDPR, with everybody presumably reaching the same conclusion as the CJEU reached in 2015, they will not check because they want to keep on sending data to US firms. The lawyers will just sign the paperwork. And if anything goes wrong, then the same lawyers will get paid a second time for sorting out the mess with yet more paperwork. This is because businesses do not choose to sue other businesses when nobody has anything to gain.
Meanwhile, the authorities in the EU will already be scrambling to put in place more wordy legal fudges to maintain the pretense that EU citizens are protected to an unrealistic degree. This uncertainty would be terrible for business if it were not for the authorities repeatedly signaling that they will not enforce the law. The uncertainty will instead manifest itself in situations where the authorities might seek to punish wrongdoing. Whilst GDPR states that violations may lead to fines of up to four percent of a company’s annual global turnover, does anyone expect this to happen in cases where the EU is actively encouraging firms to adopt SCCs as a way to resurrect transatlantic data transfers whose legal basis has twice been ruled invalid?
Huawei and the Chinese government will be feeling a sense of bruised irony at the EU’s hypocrisy. That the Chinese government could use Huawei for surveillance is the core argument for banning Huawei equipment from telecoms networks. Meanwhile, the US government has the legal right to appropriate the personal data of EU citizens from US businesses. The UK government has sided with the USA by ordering British telcos to strip Huawei technology from their networks in the long run, and to stop buying it by the end of the year. Now the EU will be under increasing pressure to decide whose side it is on. The EU will do this whilst simultaneously trying to pretend that it enforces the toughest privacy obligations in the world, that this results in no additional cost to business, that overseas companies will willingly adopt a two-tier approach that gives preferential treatment to Europeans over their own citizens, and that both China and the USA will comply because they are run by people who can be trusted to keep their promises about surveillance.
If data protection were a game of cards, then the European Union has long overplayed its hand, and now holds a busted flush. The EU market is undoubtedly large, but American giants like Facebook and Chinese giants like Huawei show that you cannot impose your will on businesses owned by foreign interests if your own businesses struggle to compete with them. Surveillance is the pivotal national security interest in a world that does business on the internet, and multinational companies that manage communications and capture data will always be prime targets for governments that wish to monitor their enemies and steal intellectual property. European politicians wanted to buy cheap praise from voters by writing laws that were unrealistic when first drafted, and which become even more ludicrous with every passing year. At one level they foster the most pointless compliance burdens, which cost companies money without significantly improving the lives of European citizens. At another level they are rendered redundant, by both powerful businesses and foreign governments, but also by the inaction of European authorities. Privacy advocates like Max Schrems simply point out the obvious contradictions that should be apparent to all, like the boy in the story who observed that the Emperor was wearing no clothes. All this self-delusion results in a gap between theory and reality that leaves nobody certain of what the law actually demands, or how seriously to take it.