:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/WVX4ZNOSXH2NFZSPNFY74YUYQQ.jpg)
Once again, Austrian data protection and privacy campaigner Max Schrems has shaken the international business and political worlds. For the second time, a Facebook-related complaint that Schrems initially took to the Irish Data Protection Commissioner has been adjudicated with sweeping effect in Europe's highest court, the European Court of Justice (CJEU). In both a previous 2015 case (Schrems 1), and in the CJEU ruling yesterday (Schrems 2.0), he had questioned whether his personal data could be protected to EU standard once sent to the US by Facebook.
Yesterday, the judges gave a mixed answer. Momentously, they ruled invalid the Privacy Shield, a data transfer agreement between the United States and European Union, primarily due to concerns about opaque US state surveillance powers first disclosed by whistleblower Edward Snowden in 2013. The decision will affect thousands of organisations that transfer data as an everyday part of doing business.
In the political realm, the demolition of the Privacy Shield is a frustrating and embarrassing blow to the US and the European Commission.
The State must fund and maintain a strong, transparent regulator
Critically, the court did not entirely shut down transatlantic data flows. Instead, the CJEU offered companies the lifeline of using a type of legal agreement called Standard Contractual Clauses (SCCs). Many multinationals and large Irish companies already use SCCs drawn up by their internal legal teams, some having moved to them as one way of hedging bets in advance of this week’s decision. Smaller Irish companies with fewer resources will likely find SCCs a more costly and complex route. A huge caveat is that companies (and national data protection authorities) must determine if the countries they send data to via SCCs offer adequate EU-level protection. This would seem to rule out both the US, and the Brexiting UK, which has similar, data-driven surveillance programmes.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/HOCV4MROMBT5HPMXZ3RDTXSO6M.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/77WAKQSZGOOMUNKYZPD52P5F4A.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/YHICQJIOD3ILZBJNOQ7ZODFHFA.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/WBYBTZ6GGREUJR3H7SWUQJGD2M.jpg)
Ireland, the EU base for so many multinational technology companies and internet platforms, faces a particular regulatory burden, as most cases involving such companies will be referred here. This means the State must fund and maintain a strong, transparent regulator, with the legal expertise to take on the multinationals.
As a legal marker, this case demonstrates the CJEU’s intent to continue to build strongly on earlier ground-breaking decisions of global impact in the area of business, data protection and human rights. In particular, global businesses built on surveillance capitalism – a data-fueled, advertising-driven formula in which personal data is seen as a lucrative corporate asset – must contend with the CJEU’s defiant legal counter that it is instead, our own personal asset, protected by the CJEU’s affirmation of data privacy and protection as a fundamental human right.