Impending ECJ Schrems ruling will open can of worms

5 Oct 2015

The European Court of Justice (ECJ) is due to rule on a case that, no matter which way the court finds, will open up a can of worms all across the EU.

Tomorrow is the day that we will all find out just how successful Austrian Max Schrems’ pursuit to overhaul the current transatlantic data transfer climate proves to be.

The case of Schrems v Data Protection Commissioner of Ireland revolves around a dispute over how Facebook handles Schrems’ personal data, the Irish body’s reluctance to get involved, and a programme called Safe Harbour.

In the wake of Edward Snowden’s revelations, it has become abundantly clear that pretty much any data transferred into the US is monitored by the NSA, which Schrems understandably felt was very dodgy indeed.

Long-running battle

Under the Safe Harbour agreement, registered companies can send data out of the EU into the US. This brings it directly into the realm of the NSA, and outside of any ‘protection’ that an EU state commissioner can presumably ensure.

Schrems pursued the issue with Facebook, then on to the Irish data protection commissioner and, after gaining little success, carried it on to the highest court available.

The ECJ’s decision tomorrow comes two weeks after its advisor’s eye-catching opinion was published.

On 23 September, Yves Bot (advocate general to the ECJ) gave his views on the case, with his opinion on Safe Harbour dominating headlines.

Bot called Safe Harbour ‘invalid’ but, as we detailed last week, there is more to the case than just Safe Harbour, with the understanding of European Commission decisions also up for debate.

What if ECJ follows Bot?

In saying that the Commission’s decisions on Safe Harbour are “not absolutely binding”, Bot’s opinion, if followed, questions the validity of more than just this data deal.

And it’s something that businesses on both sides of the Atlantic have come out shouting about.

“If the ECJ issues a decision that adopts [Bot’s] views […], such a decision will lower the protections afforded to personal data of European citizens, burden businesses on both sides of the Atlantic, and undermine the authority of the European Commission to make ‘adequacy’ determinations for privacy regimes,” says Brian Hengesbaugh, who helped negotiate the original Safe Harbour agreement.

Hengesbaugh is calling for a new “Safe Harbour 2.0”, which is well in the works already, and his views have been echoed by Daniel Castro, vice president of the Information Technology and Innovation Foundation in the US.

“If EU data cannot be stored or processed in the United States, it damages European users of technology, both businesses and consumers,” he says.

Castro argues that both EU and US lawmakers must come up with ways to restore confidence in the transfer system, which is one that has so far only damaged EU citizens.

Citing the USA Freedom Act as a good start, Castro thinks a decision in front of the US Congress that would allow non-US citizens to bring civil cases against the US for privacy violations – of which the reverse is already in place in the EU – is needed.

What if ECJ ignores Bot?

Of course, were the ECJ to go against Bot’s opinion, securing Safe Harbour in theory, that would not be the end of things. A growing number of EU states are thinking about going it alone and setting out their own data protection rules.

Castro warns that any state looking to do that would ultimately cause more harm than good, “fragmenting” the digital economy.

“The EU digital single market cannot be about ‘Fortress Europe.’ It needs to be the first step toward a transatlantic digital single market.”

Disrupting the free flow of data will obviously impact how technology companies throughout the world operate and develop, with Mike Weston, CEO of Profusion, claiming the “main casualties in this scenario” will be the consumers.

“Better data protection is essential, and transparency should be the cornerstone of any approach,” he says.

“Sweeping legislation seldom gets the best results because technology moves so quickly. What we need is a global, consensus-driven approach based on the ethical, transparent and open use of data, with strong penalties for companies or individuals who fall short of these standards.”

Either way, this landmark case will see fallout right throughout the IT industry, and beyond. Tomorrow we will know.


Gordon Hunt was a journalist with Silicon Republic
