In a nutshell
On Tuesday, the European Court of Justice (ECJ) issued the long-awaited ruling on the case of Max Schrems, which investigated whether his right to privacy in his personal Facebook data was breached.
According to the EU’s data protection framework currently in force, exports of personal data to third countries are only allowed if the receiving country can provide a level of protection that is considered equivalent to the EU’s legislation. Alternatively, these transfers are also allowed if privacy rules in the receiving country are deemed adequate, which eventually came to mean “equivalent” to the European model for privacy law on paper – it matters less whether the privacy rules are effectively enforced or not.
The United States, along with a vast majority of non-European jurisdictions, is not recognised as adequate/equivalent. Thus, the Safe Harbor agreement between the EU and the US enables American businesses to self-certify that they would abide by EU standards, allowing them to transfer data freely across the Atlantic.
The daily operations of approximately 4,400 firms which are today a part of the Safe Harbor agreement, and which are mostly non-tech SMEs in retail and various services, are now effectively shut. The ECJ’s ruling is based on the fundamental right to respect for private life, and how the US law enforcement agencies (and by extension, the European Commission) have failed to live up to it.
The ruling does not question the free flow of data as such, but merely establishes that Member States’ data privacy authorities have the power to investigate complaints from their citizens regardless of Brussels’ decisions, and only the ECJ has the right to declare Brussels’ decisions invalid.
To say the least, the ruling raises more questions and concerns than it provides legal certainty.
What the ECJ did not answer
To begin, the ruling examines the specific case of Facebook and US intelligence services. However, EU citizens are still under surveillance by their home governments’ and other EU member states’ intelligence agencies. For instance, in late July, France’s highest authority on constitutional matters approved a controversial bill (labelled the French “Big Brother” by critics) to give the French state extensive powers to spy on its citizens. Similar initiatives are already implemented or discussed in other European countries. No pun intended, but intelligence is not a union competence. By the logic of the ruling, the ECJ may be forced to strike down the free flow of information within Europe if intelligence practices in some Member States were challenged as a privacy violation.
Second, the ruling leads to a situation where Europe applies de facto (but not necessarily de jure) data localisation towards US business as a general rule. Any exceptions to that principle can be revoked. Data localisation, however, increases the risk of security breaches by intelligence agencies and hackers alike. Such measures not only make data more vulnerable, but also increase the scale of the damage that hackers can cause.
The third issue concerns the economics of the ruling. Building a digital wall across the world’s most intensive economic relationship, i.e. the transatlantic one, would not only cause a disproportionate burden for businesses, it would also pose a serious threat to Europe’s long-term competitiveness. Blocking transfer of data impedes technological progress, competition and the capability of countries to adopt innovative technologies and new business models. These factors are the main drivers of long-run economic growth. This is especially true if we consider that it is practically impossible to disentangle personal data from other business-related data. The ECJ ruling relates only to personal data, but will automatically affect our entire economy.
Given the economic importance of data, it leads to the final question: Was the ECJ ruling proportionate? While the ECJ questions the proportionality of the PRISM program, the same question can be raised against the ECJ ruling. To what extent was the data under the Safe Harbor really compromised by foreign law enforcement agencies, and to what extent was it proportionate to declare the entire agreement invalid?
The ECJ has not offered a grace period for companies to conform to the ruling. Although some fall-back options to the Safe Harbor exist, these mechanisms seem to be costly or infeasible in practice. The first alternative would be a consent requirement, which requires the approval of every individual for transfer of data that was previously allowed under Safe Harbor. Revising service contracts on an individual basis would be costly and impossible to maintain in practice.
Another alternative is the use of binding corporate rules and model contract clauses, where the signatories agree to assume the liability of their third parties, or to restrict their access to data. However, such instruments are not fit for complex supply chains and subcontractors based in multiple jurisdictions. It would be particularly burdensome for SMEs, which often use cost-effective business services provided by global players, as well as multinationals which frequently send their data between multiple affiliates around the globe.
The common feature of these alternatives is that they are poorly fit for the globalised structures of today’s trade, especially for the overwhelming number of more than 4,000 companies in the Safe Harbor program that are SMEs in non-tech sectors. These options are simply not commercially viable.
Hence, we are in uncharted territory. The ruling, in all its orthodoxy, is about competences and fundamental rights rather than just a specific treaty. One plausible interpretation is that any contractual agreement and arrangement between the EU and the US would be declared invalid, if it was challenged by a Member State. Therefore, the only legally certain options available would be to localise data within European borders, or to collect explicit consent from the European users – or to shut all European users off from the services.
In one way or another, the demanding regulatory and technical structure of all options on the table shows that firms will be faced with higher costs of doing business. As our recent study concluded, this would have an impact on our economy’s performance which will ultimately be paid for by consumers. In a scenario where no personal data can flow in or out of Europe, the European economy would lose 1.1 percent of GDP. Revocation of Safe Harbor did not bring about the full extent of that loss, but is a step in that direction.
The EU is currently in a controversial process to update its own data privacy regulation (GDPR), which is seen as highly protectionist on international transfers; the European Commission and Department of Commerce are also negotiating a revamped Safe Harbor – the question is what the merits of such an agreement are, if it can be challenged by each member state, and revoked by an activist court. As a result, the ruling has made the possibility of a mutually beneficial solution between the EU and the US less likely.