Surreal fallout of EU-US battle
WHAT would happen if Europe’s supreme court declared it was illegal to send emails to the US? We may soon find out — because Europe versus Facebook is a circle that really can’t be squared.
It’s a case where one side wants the principle of the other vanquished. It’s a monumental cyber-collision between Europe and the US, pitting notions of our privacy against their national security fears.
But it threatens to usher in a surreal era where Facebook, Google, Twitter, Slack and other communications service are told they’re not allowed to carry EU messages to US recipients.
For those who missed it during the week, the Irish High Court referred this sensitive geopolitical case about Facebook, Ireland and US spying to Europe’s supreme court.
The case saw the Irish data protection commissioner, Helen Dixon, in rare agreement with opponents on the subject of the Americans going too far.
Both Dixon and the Austrian student Max Schrems, who has been a thorn in the side of the Irish data watchdog for years, contend that US laws permitting indiscriminate police surveillance of European social media feeds mean that big tech companies here shouldn’t be allowed to rely on existing European legislation to do business.
Specifically, they say that the EU legal instrument called a ‘standard contract clause’ — used by Facebook and thousands of other multinational organisations to legally transfer data across the Atlantic — should be declared invalid because it no longer protects European citizens from American snooping.
Lest your eyes be in danger of glazing over at the mention of ‘data’, I’m talking about emails, messages, comments, likes and other everyday things we do hundreds of times a day.
Can you imagine if Europe’s supreme court ruled it illegal for Gmail to carry your emails to US respondents? Or for family members in the US to see pictures of your kids on Facebook back in Ireland? It sounds dystopian and chaotic. Yet ultimately, these are the stakes. For the time being, the High Court has agreed to Helen Dixon’s request to refer the matter to the European Court of Justice for adjudication in about 18 months’ time.
It’s fairly clear what Europe’s governing court is going to say. They’re going to agree with Dixon and Schrems about striking down the ‘model clauses’ due to lack of protection given to EU data in the US.
And that means that the Irish data boss, backed by the ECJ, may soon have to legally halt the flow of data between the two zones.
The consequences arising from this would be monumental.
In simple English, it would mean that messages sent by Europeans to Americans might be blocked. Updates, photos, likes, comments and other interactions would not legally be allowed to occur on Facebook’s services between the two areas, insofar as these happen via data transfers (which they do).
It sounds nuts. But it’s the ultimate consequence if one or other of the EU or the US doesn’t water down their current positions.
A compromise would mean one of two things. Either the US revokes laws such as the Foreign Intelligence Surveillance Act (Fisa, which allows US authorities to engage in electronic surveillance of “foreign” entities and citizens) or the EU has to back down from its stance that the US may not indiscriminately monitor European personal data from social media and other sources.
Do we think either is actually going to happen?
Obviously, this isn’t just about Facebook. The measure would likely apply to hundreds, if not thousands of major companies and organisations deemed to be “communication service providers”. That means Google, Twitter, Microsoft, Slack, Yahoo (although it might be a mercy cutting off Yahoo at this point) and many others.
All face the bizarre prospect of possibly having to construct some sort of ring-fenced data arrangement within the EU.
Both the European Court of Justice and the Irish High Court are grappling specifically with an issue that, they acknowledge, may lead to the “suspension” of data from giant companies between the EU and US.
Last week, the presiding High Court judge, Caroline Costello, declared that there were literally billions of euro at stake.
Business lobby groups in Ireland and across Europe say that’s just the thin end of the wedge, that tens of thousands of jobs could also be thrown into the mix.
And that’s before we even figure out how the hell it might be possible to distinctly geo-fence so much data between two blocs so large and expansive.
For the most part, few in the tech industry have worked out how it might be technically possible.
“It would be very expensive to divide out data so that it’s stored only in Europe,” one Facebook executive told me at an earlier stage in the case, when the threat of data suspension first arose. “We would have to build new data centres [in Europe]. We would probably also have to halt some product development while we rethink the architecture of how the data was stored and dealt with.”
In the absence of either side backing down, we might be doomed to enter a Groundhog Day cycle for the coming years. The ECJ will strike existing policy down (as it did with the ‘Safe Harbour’ treaty).The Commission and member states will then hastily convene an emergency treaty to keep things going. That is decried by privacy activists before being challenged in a local European court, which, after the year it takes to get to a hearing, will kick it back up to the European Court Of Justice. That would take between 18 months and two years to come to a conclusion with the new treaty struck down. Whereupon the Commission and the member states repeat the process all over again.