An adviser to Europe's highest court told its judges Thursday to uphold the contractual terms that Facebook and other companies rely on to transfer billions of dollars worth of data on Europeans. But he said regulators should still force companies to halt transfers under certain circumstances and raised questions about a key U.S.-EU agreement on data flows, adding to the uncertainty surrounding a transatlantic disconnect over online privacy rights.
The European Commission-backed model agreements that companies use to protect users' privacy in data transfers are "valid," but companies and regulators must stop the transfer if there is a conflict between the privacy protections Europeans have and the laws of the country receiving the data, wrote European Court of Justice advocate general Henrik Saugmandsgaard Øe in an advisory opinion, a non-binding recommendation that the court follows the vast majority of the time.
Why it matters: A final ruling in line with the opinion that the contracts are valid could reassure U.S. companies. But Saugmandsgaard Øe leaves the door open to European regulators blocking data transfers because they think U.S. surveillance practices conflict with EU privacy standards. And if the court picks up questions he raised around the EU-U.S. Privacy Shield and finds it invalid, there would be major repercussions for the thousands of companies that rely on it to freely transfer data ranging from payroll information to European customer records.
"We are talking about billions and billions of dollars worth of commerce that relies on that transatlantic data flow," Aaron Cooper, vice president at BSA | The Software Alliance, said ahead of the opinion's release. "It is about every industry sector."
The big picture: Europe has sought to set the global standards on online privacy, with strict data safeguards that contrast with the United States' historically laissez-faire approach. The pending court ruling represents a judgment before the world of how people's data gets handled in the U.S.
Details: The European Court of Justice, the EU's supreme court, is weighing whether model agreements with U.S. companies meant to protect Europeans' privacy abroad are up to snuff.
- The case stems from a complaint against clauses in Facebook's data contracts, brought by European privacy advocate Max Schrems.
- The European Commission has endorsed the so-called standard contractual clauses, but Schrems argued the Facebook clauses do not adequately protect Europeans from government surveillance in the U.S.
- He said he is "generally happy" with the advisory opinion, noting that he did not want to disturb the thousands of contractual agreements in place globally. "Everyone will still be able to have all necessary data flows with the US, like sending emails or booking a hotel in the US," Schrems said in a statement. "Some EU businesses may not be able to use certain US providers for outsourcing anymore, because US surveillance laws requires these companies to disclose data to the NSA."
- Facebook associate general counsel Jack Gilbert said the company is grateful for the opinion. "Standard contractual clauses provide important safeguards to ensure that Europeans’ data are protected once transferred overseas," Gilbert said in a statement.
Flashback: You might remember Schrems from launching the case that upended the previous agreement that governed data flows between the U.S. and Europe, the Safe Harbor.
- Responding to U.S. government data collection practices exposed by NSA contractor Edward Snowden, Schrems filed complaints against several U.S. companies that led to the European high court declaring the Safe Harbor invalid in 2015.
- U.S. companies scrambled to set up alternative arrangements while the U.S. and Europe hammered out a new agreement, 2016's Privacy Shield.
Now, the Privacy Shield faces a major test, and court watchers have been worried it will not pass.
- The main question before the European court is whether the standard contractual clauses adequately protect privacy, but a lot of the questions posed by the court relate to Privacy Shield, so the final ruling could affect both.
- The advisory opinion says the court shouldn't weigh in on Privacy Shield, but also raises concerns about the adequacy of the agreement for protecting Europeans privacy.
- In particular, Saugmandsgaard Øe questioned Privacy Shield's reliance on a U.S.-appointed ombudsperson to resolve Europeans' complaints about how their data gets handled, including by American intelligence agencies. He's not sure a single ombudsperson is sufficient—or sufficiently independent from U.S. government interests—to give proper redress.
Yes, but: The advisory opinion is just that — advisory. The high court often goes along with it, but that's not always the case.
What's next: The final ruling is expected sometime in the first half of 2020.
- The Electronic Privacy Information Center has sided with Schrems in the case, warning that the U.S. has not done enough to correct the problems revealed by Snowden.
- EPIC President Marc Rotenberg said, "The Advocate General failed to understand that standard contractual clauses do not protect personal data of Europeans from access by US law enforcement agencies. The Court of Justice is likely to look at this issue much more closely."
