Top court hearing puts EU data transfers in jeopardy

Four years ago, Max Schrems brought a data-sharing deal worth billions of euros between Europe and the United States crashing down.

Now he could do it again.

On Tuesday, the Court of Justice of the European Union in Luxembourg will hear arguments in another case brought by Schrems over claims that the U.S. government does not sufficiently protect Europeans data when it is shipped across the Atlantic.

“There is fundamentally a clash between surveillance laws in the U.S. and privacy rules in Europe,” he said. “Were in a debate about who governs the internet. Europe governs privacy, but the U.S. governs surveillance.”

At stake is the legality of so-called standard contractual clauses, complex legal mechanisms that allow thousands of companies to move data freely from Europe to the U.S., Asia and elsewhere.

Tuesdays hearing marks the latest chapter in the standoff between Europes stance on privacy and the United States governments surveillance practices.

These agreements are used by companies from Google to General Electric to transfer digital information between their various hubs worldwide. They cover how peoples social media posts, firms payroll information and a litany of other sensitive data are handled by major corporations.

Schrems and his lawyers are expected to argue this data transfer mechanism runs against EU privacy rules because it allows U.S. national security agencies extensive access to Europeans digital information. Others, including the European Commission and industry groups, will says these agreements provide sufficient guarantees for EU citizens.

A final decision by Europes highest court is expected some time next year, following Tuesdays hearing in Luxembourg.

A general view on the hall at the Court of Justice of European Union | Julien Warnand/EPA-EFE

A lot is at stake.

While the case originally brought in Ireland focused on the standard contractual clauses used specifically by Facebook in the U.S., judges in Luxembourg could rule against the validity of those agreements in general. Their decision could potentially turn off data transfers from Europe to the U.S. and elsewhere overnight, pulling the plug on billions of euros of trade that underpinned by companies ability to readily shift data between trading blocs.

Privacy campaigners and industry groups are also worried the Luxembourg court may use the case to invalidate other legal mechanisms for moving data outside of Europe — including the EU-U.S. Privacy Shield mechanism — affecting wide swathes of the digital economy.

“The case is tremendously important,” said Omer Tene, vice president of the International Association of Privacy Professionals, a trade group. “If the carpet is pulled out from companies feet, it may cause massive disruption.”

The Commission, which oversees these complex data agreements, declined to comment on the upcoming hearing, but officials said the regions existing privacy rules offered individuals sufficient protections against misuse. Facebook said that current data transfer mechanisms protect EU data when it is transferred outside the bloc.

Schrems 2.0

Tuesdays hearing marks the latest chapter in the standoff between Europes stance on privacy and the United States governments surveillance practices.

As part of documents sent to participants ahead of Tuesdays hearing, the court asked a series of questions about the legality of the separate Privacy Shield agreement.

In 2013, Schrems filed a complaint with Irelands privacy regulator claiming Facebook violated the regions data protection standards by allowing U.S. authorities to have undue access to Europeans data.

His allegations were linked to revelations by Edward Snowden, a former contractor for the U.S. National Security Agency, who alleged Washington carried out mass surveillance on people worldwide by accessing data stored by some of Silicon Valleys biggest names, including Facebook and Google. The companies deny any wrongdoing.

After lengthy legal wrangling in Ireland, the countrys data protection watchdog, which oversees Facebooks privacy regime because the companys international headquarters are in Dublin, referred the case to Luxembourg because it said only Europes highest court could decide if the U.S. governments data collection practices were in line with Europeans privacy standards.

That decision ruffled feathers within the Commission, industry bodies and privacy groups, many of whom believed Dublin already had the legal right to decide on the legitimacy of these complex data transfer agreements. In response, the office of Irelands Data Protection Commissioner said it would not comment ahead of Tuesdays court hearing.

American officials defend how national security agencies collect, access and store peoples digital information. They say that existing rules offer individuals, including Europeans, the right to appeal; that independent oversight limits the governments unfettered access to data; and that the Commission — through its EU-U.S. Privacy Shield pact, a separate agreement on transatlantic data transfers — already established American privacy protections are “essentially equivalent” to those of Europe.

A general view on the hall at the CJEU | Julien Warnand/EPA-EFE

“U.S. law sets rigorous standards for government access to personal data,” Washington said in a filing to Irish courts. “These standards reflect a commitment to privacy that has been ingrained in the U.S. Constitution and laws since the founding of the republic.” A representative for the U.S. Department of State declined to comment on the upcoming Luxembourg hearing.

Not surprisingly, opponents disagree. They claim that existing U.S. law still allows for the bulk collection of reams of personal data on non-Americans, and that there are not sufficient legal protections in place for non-citizens to take Washington to court if they believe their data has been mishandled or collected illegally. That comes despite years-long transatlantic negotiations to give Europeans a greater say when their digital information is moved to the U.S.

“Current U.S. surveillance laws fail to adequately protect the privacy rights of people in the E.U.,” said Ashley Gorski, a national security lawyer at the American Civil Liberties Union, who testified when the case was in Irish courts.

Be careful what you ask for

Europes highest court must now decide who is correct — and if existing data transfer rules uphold European rights.

“No matter what transfer mechanism you use, you end up with a conflict. The U.S. laws allow espionage against EU citizens” – Max Schrems, lawyer and privacy activist

But privacy campaigners, industry groups and governmentRead More – Source

Related Articles

Back to top button