ODPC refers Facebook data sharing arrangements to the European Court of Justice
The aftermath of the Max Schrems v. Facebook case, which resulted in the end of the EU-US Safe Harbor data-sharing agreement in October, took an unexpected turn last week. The Office of the Irish Data Protection Commissioner (ODPC), which has since been investigating Facebook’s practice of transferring EU citizens’ data to the United States, has referred the matter to the European Court of Justice (CJEU) for definitive clarification. Facebook, like many other tech companies, has its European headquarters in Ireland and is therefore regulated by the ODPC.
The ODPC has stated that it intends to ask the CJEU to determine the validity of Facebook's ‘model contracts’ - common legal agreements used by firms to transfer EU citizens' personal data to countries outside the EU. These transfers to the U.S. have been a contentious issue since the 2013 Edward Snowden revelations about mass U.S. government surveillance programmes which enable those authorities to access and evaluate private data directly from tech and social media giants such as Apple, Facebook, Twitter and Google.
The ODPC issued the following public statement:
“We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”
‘Declaratory Relief’ or ‘Declaratory Judgment’ is where an individual, an organisation, or an official body, as is the case here, seeks a binding legal ruling in the case of a legal uncertainty, even if no actual laws have been officially broken.
‘Safe Harbor’ was an agreement that allowed the free transfer of data between the EU and the U.S. which was declared invalid following a complaint to the CJEU by Austrian privacy activist Schrems. Since its introduction in 2000, over 4,000 U.S. companies had signed up to the agreement which offered EU citizens the same level of protection for their data processed in the U.S. as it would receive when processed locally. In practice, however, Safe Harbor was far from ideal and was poorly regulated by authorities and participating organisations. In the interim period since its annulment, many companies have adopted model contracts as an alternative mechanism to legitimise the transfer of personal data outside the EU. However, one of the reasons why the CJEU abolished Safe Harbor is because the agreement did not offer EU citizens sufficient channels to complain about U.S. surveillance methods. Moreover, Schrems and other privacy campaigners now contend that the alternative arrangements to Safe Harbor, such as the aforementioned model clauses, do not offer European citizens any substantive form of protection and that the entire data-sharing landscape is not affording the necessary privacy rights to citizens.
Following the ODPC’s announcement, Max Schrems stated: “This is a very serious issue for the US tech industry and EU-US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental rights. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see now there could be a solution.”
Aside from the repercussions for the aforementioned tech giants, when one considers the commitment and dependency placed by many Irish businesses in model contracts as a tool to allow the free flow of data to the U.S., this reference to the CJEU by the ODPC is significantly important to operational business practices going forward. An abolition of this structure could result in the costly suspension of data flows in the absence of a worthwhile alternative arrangement. Watch this space…