Landmark Safe Harbour case might affect US-European trade

Trade between companies in the United States and Europe could end up a casualty of a Facebook data lawsuit referred by the Irish High Court to the European Court of Justice in late June.

The original complaint, taken by Austrian law student Max Schrems against Irish Data Protection Commissioner Billy Hawkes, argues that the DPC took the wrong decision in refusing to investigate whether Schrems's Facebook data was given adequate protection in the US under existing "Safe Harbour" data safeguards agreed in 2000 between the US and EU.

Currently, if American companies state they are compliant with Safe Harbour, they are allowed to handle the data of EU citizens.

Schrems's case turns on the fact that, as revealed by whistleblower Edward Snowden, Facebook and other companies gave data under the Prism scheme to the US National Security Agency (NSA). Privacy advocates say this would violate the Safe Harbour agreement.

High Court Justice Gerard Hogan has referred the case to the ECJ to determine whether, in light of data protections offered to all Europeans under Article 8 the EU Charter of Fundamental Rights, Safe Harbour can be deemed to comply and offer sufficient protection.

"The referral is very interesting because it would mean the ECJ might have to overturn Safe Harbour," says John O'Connor, partner and head of the Technology and Commercial Contracts Group at Dublin legal firm Matheson.

‘Not fit for purpose’

Given the age of the Safe Harbour agreement and the explosion in internet commerce as well as all forms of trade dependent on data exchange, O’Connor notes Safe Harbour “is probably not fit for purpose” anyway. The old data protection regime where Safe Harbour might have fit in, “just doesn’t fit as well any longer”.

It was also drawn up before the EU Charter of Fundamental Rights was brought in as part of the Lisbon Treaty.

Justice Hogan indicated that a year of revelations on widespread data surveillance by the NSA raised critical concerns about data safeguards.

“It is very difficult to see how the mass and undifferentiated accessing by state authorities of personal data generated perhaps especially with the home . . . could survive [Irish] constitutional scrutiny,” or European privacy guarantees, he wrote in his referral.

"The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life with the home would be immune from potential state scrutiny." He compared such a situation to that in place in East Germany during the Cold War era.

Safe Harbour “may reflect a somewhat more innocent age in terms of data protection”.

Hogan noted that the DPC had acted rightly and within its limited powers under Irish data protection law. But he said that the case required the consideration by the ECJ of the larger issue of the adequacy of the existing European agreement, even though ostensibly, it is not the specific subject of Schrems’s complaint.

If Safe Harbour is thrown out, EU-US trade would be thrown into at the very least a short-term crisis, says O’Connor.

Data exchange that falls under the scheme “is fundamental to cloud computing and big data. How many service providers are basing their business on Safe Harbour? The potential impact is really, across all industries, even though the attention tends to fall on the tech sector. Big pharma, for example, would also be affected.”

‘Model clauses’

Facebook is perhaps being unfairly "demonised" because it is named in the case, he says, but many multinationals as well as smaller companies based or operating in Ireland and the EU would be involved in Safe Harbour data exchanges.

If Safe Harbour is rejected by the ECJ, companies would likely turn to what are termed “model clauses” – a set form of clauses which outline data protections in accord with EU law. If followed to the letter, then companies can send European data to the US.

Some companies already use mode clauses instead of Safe Harbour, says O’Connor.

But the clauses “are not the equivalent of Safe Harbour and impose their own technical and operational requirements. If Safe Harbour no longer applied, then a lot of companies would have to scramble to put these in place.”

Most likely, companies would be given several months of grace to do this but the process is involved and would carry costs to the businesses involved, he notes.

‘Right to be forgotten’

But, he says, even though the ECJ has taken several of what he terms "radical" decisions recently on data privacy – throwing out the 2006 EU Data Retention Directive on the basis of another Irish High Court referral last spring, followed by granting a modest "right to be forgotten" that requires Google and other search engines to remove links to some outdated or incorrect information on request – he thinks it unlikely they will dump Safe Harbour.

“I think instead, the Europeans and Americans will come up with a stronger version of what’s already in place.”

After the Snowden revelations, the EU had already undertaken to rework Safe Harbour with the US. That task was supposed to be completed this summer, a deadline O’Connor thinks is likely to be missed.

If they are successfully rewritten, it will be against a new backdrop – one where Europe’s highest court has shown that it will make strong pro-privacy and data protection rulings regardless of the impact on company business models.

As business privacy safeguards come under great scrutiny and carry greater expectations of strict international adherence, there is little room to fudge any new agreement, says O’Connor.