Privacy Shield now facing questions via legal challenge to Facebook data flows

Privacy Shield now facing questions via legal challenge to Facebook data flows
From TechCrunch - April 13, 2018

The Irish High Court has referred for a second time a legal challenge to FacebooksEU-US data transfers to Europes top court, seeking a preliminary ruling on a series of fundamental questions pertaining to the clash between US mass surveillance law and EU citizens fundamental privacy rights.

The sustainability of the EU-US Privacy Shield mechanismwhich thousands of companies rely on to expedite transfers of personal data across the Atlanticlooks to be at stake.

The case is based on a 2013 complaintby lawyer and privacy campaigner Max Schrems against Facebook (and other tech giants) related to US surveillance law. Schrems drew on information about US intelligence agency practices and systems for sucking up data that had been revealed by NSA whistleblower, Edward Snowden.

In 2015, a landmark ECJ judgement overturned a long-standing EU-US data transfer mechanism, called Safe Harbor, as a result of his legal action.

Schrems then updated his complaint, this time focusing exclusively on Facebook and addressing a secondary EU-US data transfer mechanism thats still being used, called Standard Contractual Contracts (SCCs).

SCCs are used by Facebook to transfer data between its European entity, Facebook Ireland, and Facebook USAessentially via a contract in which Facebook USA pledges to follow EU privacyprinciples.

The Irish High Court court issued an underlying judgement on the updated complaint lastOctober, deciding to refer legal questions over this EU-US data transfer mechanism to Europes top court, as it had with Schrems original complaint.

The court has backed the view that US government surveillance practices involve a mass processing of personal data.

Its a finding thatclashes with fundamental European privacy rights. And this core legal clash is the Gordian knot that US tech giantsincluding Facebookare now bound up with as a consequence of domestic surveillance law granting their government swingeing rights to suck up personal data from electronic communication service providers.

Incompatibility between two separate and distinct legal regimes and data priorities (in simple terms, EU vs US law on data boils down to protection for privacy vs retention for security) was the reason for the 2015 strike down of the 15-year-old Safe Harbor arrangement, following Schrems original complaint.

Its also whythe replacement EU-US Privacy Shield mechanism, which only started operating in August 2016, remainsprecariously placed with the Trump administration doing nothing to enhance privacy protections as EU lawmakers want.

On the contrary; earlier this year president Trump signed into law another six years of the controversial warrantless surveillance lawaka Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Yet last fall year EU lawmakers were still lobbying publicly for a sympathetic reform of FISA 702 i.e. which would include privacy provisions for foreigners data.

In the event US lawmakers failed to reform surveillance law even where domestic targets are concerned, renewing a controversial legal loophole that provides U.S. intelligence agencies with a means for the warrantless surveillance of American citizens.

Privacy reforms that consider the rights of foreigners dont even appear to register as a debate-worthy concept on the floor of the US Senate and Housewhich spells big trouble for the sustainability of EU-US transatlantic data flows. And means this issue will inexorably continue to be brought before EU judgesas has happened again here.

The court that invalidated Safe Harbor will now have to consider how its follow up meshes with several similar points of law vis-a-vis US mass surveillance practices. And whethera targeted application of EU law might be possible.

Its even possible the entire Privacy Shield mechanism could come unstuckif so it would be years sooner than its predecessor, given its not even reached its second birthday yet.


Continue reading at TechCrunch »