A slow-motion train wreck has been unfolding over the past half-decade in the wonkish but fundamental field of data privacy, as one Facebook user’s crusade against U.S. surveillance practices has slowly closed off the American tech industry’s legal options for importing European users’ personal information.
Now it looks like the moment of impact is finally about to arrive, leaving Big Tech unable to process European users’ data in the U.S.
Facebook said Wednesday that the Irish privacy regulator (which governs all of Facebook’s European activities) has “suggested” it will no longer be able to use the legal mechanism it currently uses to make Europe-to-U.S. transfers of personal data—that is, any data that can be connected with an identifiable person in Europe, from names and email addresses to photos and comments.
This followed a Wall Street Journal report that said the watchdog had hit Facebook with “a preliminary order to suspend data transfers to the U.S. about its EU users.”
The EU’s top court ruled a couple of months ago that the legal mechanism, known as “standard contractual clauses” or SCCs, is in principle legally valid. However, it said the use of SCCs can be invalidated by privacy regulators in cases where Europeans’ data is made vulnerable by sending it to a country without good privacy protections.
It was always clear that this was likely to affect transfers to the U.S., because the same ruling—by the Court of Justice of the EU (CJEU)—struck down a separate, specifically U.S.-EU arrangement called Privacy Shield, which gave companies a simpler and cheaper way to keep their transatlantic transfers legal.
The court’s reasoning was that U.S. surveillance laws make it impossible for Big Tech to keep Europeans’ data out of the hands of U.S. intelligence agencies. The same problem applies whatever legal mechanism companies are using for those transfers.
“Far-reaching effect”
“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-U.S. data transfers, and has suggested that SCCs cannot in practice be used for EU-U.S. data transfers,” Facebook’s chief lobbyist, the former U.K. deputy prime minister Nick Clegg, wrote in a Wednesday blog post. “While this approach is subject to further process, if followed, it could have a far-reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”
Clegg argued that “a lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU,” because they will no longer be able to use U.S.-based cloud providers to process their customers’ data.
He even suggested the end of U.S.-oriented SCCs would impact email platforms that service European universities and hospitals. This is a questionable claim, because EU privacy law allows data transfers to anywhere as long as they are “necessary” to fulfill the contract between the user and provider—and the processing of emails is pretty fundamental for an email service.
The dilemma for a company such as Facebook is that its users want to socialize with one another online, but the tracking of their online activities and compilation of their marketing profiles are arguably not strictly necessary for making that happen—crucial as they may be for Facebook’s ad-fueled bottom line.
However, that doesn’t mean Facebook isn’t at least trying to invoke “necessity” as yet another legal basis for its EU-U.S. personal-data transfers (the fourth, after its current use of SCCs and its previous reliance on Privacy Shield and its also-struck-down predecessor agreement, Safe Harbor).
Max Schrems, the young Austrian lawyer whose legal quest to protect his Facebook data from U.S. spies led to the CJEU’s cancellation of Safe Harbor and Privacy Shield, revealed Facebook’s invocation of “necessity” on Thursday, when he published legal correspondence between his lawyers and Facebook’s.
In an emailed statement, Schrems noted that the Irish watchdog’s long-running investigation into Facebook’s processing of his data is currently focusing only on the validity of Facebook’s SCCs. He said this meant the regulator was “again only investigating one slice of the problem.”
“Facebook seems to want the DPC to only focus on the SCCs as well, so that they can just pull out the next legal basis at the end of this third round of the procedure. This legal edition of ‘whac-a-mole’ has been ongoing for seven years now,” Schrems said. “I therefore suspect that the alleged order against Facebook is another useless step that will not solve the issue fully.”
Fortune has reached out to the Irish Data Protection Commission for comment, but has so far received none.
“Privacy Shield Plus”
Whether or not Facebook manages to drag out its own investigation for another few years, if the Irish Data Protection Commission has “suggested that SCCs cannot in practice be used for EU-U.S. data transfers” (Clegg’s words) then that really would be a blow for Big Tech.
The “necessity” argument may be clutching at straws for companies that, as many do, use their customers’ data for purposes other than the core services they provide. Facebook’s (and its peers’) one remaining hope would be the striking of a third U.S.-EU data-sharing deal, to replace Privacy Shield.
In his Wednesday post, Clegg welcomed the fact that the EU and U.S. sides are both trying to make a “Privacy Shield Plus” (again, his words) happen. “These efforts will need to recognize that EU Member States and the U.S. are both democracies that share common values and the rule of law, are deeply culturally, socially and commercially interconnected, and have very similar data surveillance powers and practices,” he wrote.
But the two trading partners don’t have similar data-protection laws. If they did, the European Commission could easily decide the U.S. privacy regime is “adequate” (as it has with Canada and Japan) and American companies wouldn’t need to be scrambling for other legal bases to underpin their data transfers.
The fact remains that the U.S. has no federal data-privacy law outside of the medical arena; its intelligence agencies retain broad discretion to spy on the communications of foreigners; and Europeans have no meaningful way to complain about that spying in the U.S.
Unless all this changes, it’s deeply unlikely that a “Privacy Shield Plus” could fly—and, after two humiliations at the CJEU over Privacy Shield and Safe Harbor, the Commission is unlikely to support a deal that isn’t legally watertight. As EU Justice Commissioner Didier Reynders said less than a week ago, there will be “no quick fix” on this front.
All of which suggests that the moment of truth is finally almost here—and not only for U.S. tech firms, but also for those in countries such as China, which are keen to use Europeans’ personal data but have invasive surveillance practices to contend with back home.