As Expected, EU Court Of Justice To Review If Internet Company's Privacy Practices Are Acceptible
from the here-we-go dept
The European Court of Justice is going to look into the acceptability of US internet company’s privacy practices under the so-called “Privacy Shield” framework that was put in place last year. As you may recall, for years, the EU and the US had a “safe harbor” agreement, under which tech companies underwent a fairly silly and almost entirely pointless process (I know, because we did it ourselves…) by which the companies effectively promised to live up to the EU’s data protection rules, in order to move data from servers in the EU across the Atlantic to the US. It is important that companies be allowed to do this, because without it, the internet doesn’t function all that well. But, because of NSA snooping, it became clear that what companies were promising couldn’t match what was actually happening. And thus, the EU Court of Justice tossed out the framework, saying that it violated EU data protection rules.
After a bit of a scramble, the EU and the US came to an agreement on another framework, called the “Privacy Shield” that both argued was acceptable. It required US companies to do better in handling Europeans’ data, to make sure EU residents had redress over data protection and included some transparency requirements regarding US government access to the data. However, as we noted at the time, unless the US was drastically changing how the NSA did surveillance, it seemed nearly impossible for the Privacy Shield to be valid under EU law. And, indeed, Max Schrems, the guy whose lawsuit brought down the original “safe harbor” quickly challenged the Privacy Shield in an Irish court. Over the past few months, we’ve pointed out that some of Trump’s statements on surveillance made it clear that the Privacy Shield was not likely to survive.
Earlier this week, the Irish court asked the European Court of Justice to review. The ruling is long (over 150 pages) and pretty detailed. The court clearly recognizes how important this issue is:
The case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond. Firstly, it is relevant to the data protection rights of millions of residents of the European Union. Secondly, it has implications for billions of euros worth of trade between the EU and the US and, potentially, the EU and other non-EU countries. It also has potentially extremely significant implications for the safety and security of residents within the European Union. There is considerable interest in the outcome of these proceedings by any parties having a very real interest in the issues at stake.
The court hasn’t yet officially asked the CJEU to weigh in, but rather has said that it will — but first it wants the parties involved in the case to more or less argue about what exactly should be the questions submitted to the CJEU.
Most of the ruling itself is basically around whether or not there’s anything to discuss here at all. Facebook — the service whose privacy practices are at issue in this particular case — tried to argue that because surveillance issues are “national security” and there’s a carve out for national security, there’s no issue with the Privacy Shield But the court doesn’t buy that. First, it says that the issue under scrutiny is about the relationship between the EU and its member states (and how the data protection rules work) rather than a question about “national security” in the US. Similarly, it points to the original Schrems ruling that got the old safe harbor tossed out and notes that no one had a problem with saying the law applied in that case:
The submission is inconsistent with the ruling of the High Court in Schrems v. The Data Protection Commissioner [2014] 3 I.R. 75 and the CJEU in Schrems where the court proceeded on the basis that it had jurisdiction to rule on the reference. If Facebook?s submission in this case is correct, it did not have jurisdiction so to proceed. Eight Member States, the European Parliament, the European Commission and the European Data Protection Supervisor intervened in those proceedings. If Facebook?s point was well made, it is remarkable that none of these participants raised this fundamental matter of jurisdiction.
So, there’s still time before the CJEU will sort this out, but we stand by our initial statement. Unless the US changes its NSA surveillance practices, it’s difficult to see how the Privacy Shield comes to an end any different than the old privacy safe harbors. If the US doesn’t want to have the Privacy Shield rejected again, it might want to start by reforming surveillance — and it can do that right away in refusing to renew Section 702 of the FISA Amendments Act without significant reform and modifications.
Filed Under: cjeu, data protection, max schrems, nsa, privacy shield, surveillance
Companies: facebook
Comments on “As Expected, EU Court Of Justice To Review If Internet Company's Privacy Practices Are Acceptible”
Why would they do that, they are the good guys after all!
Nice idea, but...
If the US doesn’t want to have the Privacy Shield rejected again, it might want to start by reforming surveillance — and it can do that right away in refusing to renew Section 702 of the FISA Amendments Act without significant reform and modifications.
Doing that would require them to admit, even if only to themselves(as I doubt they’d ever be honest enough to admit it to the public) that’s there’s a problem with the ‘Grab everything!’ mentality/practice.
That’s… not likely to happen, to say the least.
The USG are the Good Guys. Good guys don’t make mistakes or engage in Bad Things. Therefore any perceived wrongdoing is entirely in the minds of the Bad Guys(because if you’re not on the side of the Good Guys then clearly you’re against them) who object to what the Good Guys are doing.
Given the number of countries there who deploy DPI and other things to spy on their people, one has to wonder why they worry so much.
Perhaps its just how they keep everyone distracted from their own bad acts, pointing at everyone else lest someone ask what they are doing.
Pinky Promise! Really!
Nah, they’ll just pinky promise to do better yet again, give it another new name, and carry on as before.
Re: Pinky Promise! Really!
Yeah, they’ll “reform” it as they’ve done several times already since the Snowden revelations. And then two months later, surprise! They stopped doing that under one law, but redefined and reinterpreted stuff so they could do it under another. And in a couple years we’ll learn that the oversight board was powerless to stop it, or didn’t even know about it.
But there’s a good chance this will be good enough for Europe. They don’t want to lose those business relations, so plausible deniability might win out over real change. By the time the EU does anything about it, the US will have “reformed” a few more times, making any EU rulings moot. Realistically the EU just has to accept this and continue doing business, or cut off the business entirely. There’s no workable level of oversight; even if the EU brings their own people to the USA to monitor, they’re not going to find out more than the Senate Intelligence Committee which we’ve already seen cannot effectively oversee things.
"Acceptible" is not Acceptable
Mike,
The red squiggly line under words. Live it, love it, embrace it.
It's expected
Perhaps its just how they keep everyone distracted from their own bad acts, pointing at everyone else lest someone ask what they are doing.