Court move on data will rock Facebook to its core
Final decision could undermine business models at Google, Twitter and Apple
Facebook might have felt the worst was over. Chief executive and chairman Mark Zuckerberg concluded a gruelling two-day appearance before US Congressional committees on Wednesday, and Facebook was still intact. But a day is a long time in international data privacy battles. Yesterday, the company learned the European Court of Justice (ECJ) is going to decide whether the instrument it uses to transfer Europeans’ data to the US, called standard contract clauses (SCCs), guarantees adequate privacy protections.
And that’s only the start of a potential transatlantic nightmare. The High Court referral by Ms Justice Caroline Costello includes the bombshell questions of whether the EU/US data transfer agreement Privacy Shield is valid. And if neither Privacy Shield or SCCs pass muster, should transatlantic data flows cease?
Privacy Shield was hammered out between the US and the European Commission after an initial case taken by Austrian privacy campaigner Max Schrems over his Facebook data resulted in the ECJ declaring invalid Privacy Shield’s predecessor agreement, Safe Harbour. Schrems is also a party to the current case. It rests on whether his data stored on Facebook’s US servers, and transferred using SCCs, is safe from indiscriminate US surveillance. Those concerns stem from Edward Snowden’s disclosure in 2013 of large-scale NSA spying programmes such as PRISM, believed to have accessed data from Facebook and other technology companies.
Data Protection Commissioner Helen Dixon has said she is inclined to side with Schrems – already a worry for Facebook. But in a complex case taken against Facebook, the commissioner asked the High Court to determine if the contracts could be deemed safe instruments. Now, all formats for data transfers are under scrutiny. There’s no question that Facebook and many other US and European companies that routinely move data between the two jurisdictions will view this referral with primal fear. Not least because, along with the very real prospect of losing hundreds of millions of users and customers in an instant, there’s little Facebook or any other company can do but sit and wait for the view of the judges.
Judges who, in recent years, have made a series of landmark privacy rulings. And, worse again, there’s little that companies can do when the problematic part of these instruments is due to the firm stance on data access taken by the US government in the name of security.
In the current case, Facebook has argued that such security provisions are grounds for exemptions to EU data protection law, and asked for the referral to be quashed. Ms Justice Costello seems very unlikely to withdraw a referral for a case whose entire point was to produce a referral, but has agreed to give Facebook lawyers until April 30th to consider the document before the referral is formalised. While many businesses and privacy organisations expected a challenge eventually to Privacy Shield, few expected this High Court case would result in such a comprehensive consideration of the viability of both SCCs and Privacy Shield in a single go.
Awaiting the ECJ’s view – which could take over a year – will keep many a chief executive and executive board in a sweat.
The ultimate decision could, in one blow, overturn long-standing business models and demand a major rethink of how all companies manage customer and user data, especially large gatherers and managers of data such as Facebook, Google, Amazon, Twitter, Microsoft and Apple, to name just a few.
Privacy campaigner Max Schrems who took a case over his Facebook data and potential US surveillance.