Adviser to Europe’s top court made some pretty bold statements today about Europe’s privacy standards, US govt surveillance, @Facebook’s data practices, etc today.
But this stuff is complicated. Here’s what you need to know.
<<Cue thread>>
But this stuff is complicated. Here’s what you need to know.
<<Cue thread>>
So let’s start off w/ the basics. This all comes down to whether Europe’s data is sufficiently protected when it’s moved outside the bloc. It forms part of a wider debate about who gets to set the global privacy rules — Europe, China, US or others.
In short, it’s a big deal
In short, it’s a big deal
Specifically, this case (first filed by @maxschrems in 2013 w/ @DPCIreland over @Facebook’s potential misuse of his data if that information was used illegally by US national security agencies when transferred to the US) has been a long time coming
It focuses on something called “standard contractual clauses,” or complex data-transfer agreements that allows companies to move information freely between Europe and rest of world.
Key question: does US surveillance (involving collection of EU data when moved to US) breach the legal obligations under these clauses, and if so, should Ireland’s privacy regulator order FB to stop moving data to US (FB’s HQ is in Dublin, hence why Irish agency has oversight)
To cut long story short, Irish regulator challenged its right to make this decision in local courts, saying that it was a matter for a higher legal authority to make a ruling on if such transatlantic data agreements — and US govt surveillance — were legit or not
As caveat: both FB & US govt disagreed that EU data was being misused when transferred to US, and said EU did not have jurisdiction over such practices outside of the 28-country bloc
So eventually, Ireland’s courts kicked this case to Europe’s highest court w/ these key questions: are standard contractual clauses valid? If so, who should oversee them & ensure third-party countries (aka US) don’t breach EU privacy standards?
Also: (‘cos this isn’t complicated enough) Court’s judges also asked questions about validity of EU-US Privacy Shield, a separate transatlantic data-transfer agreement that came into force in 2016
Questions about Privacy Shield focused essentially on if US promises not to misuse EU data were sufficient to make US law “essentially equivalent” to Europe’s own privacy standards.
Anyhoo, on to today’s ruling: The nonbinding opinion (final ruling due by March, 2020) said a bunch of important things:
1) That standard contractual clauses are 100% valid, meaning that they still can be used by companies to move data from Europe to around the world (including to US and, ahem, China)
2) That though they’re valid, it’s up to EU national privacy regulators like the one in Ireland to determine if surveillance practices in third-party countries (aka US) comply w/ EU privacy standards.
This, to be clear, is the biggest point. It means that Ireland’s privacy regulator must rule on US surveillance practices — something that it has spent years trying to avoid.
Ireland’s privacy regulator would say that’s b/c it’s a decision that would affect the whole EU, and therefore Europe’s top court should decide. Adviser to EU highest court says that’s not true, that it’s up to Ireland to make that judgement #awks
3) That EU-US Privacy Shield *could* be invalid b/c of lack of privacy protections for EU citizens when data is moved to the US.
That’s a potentially big deal b/c thousands of companies rely on Privacy Shield to move data from EU to US, and so if judges rule against its validity, it’s going to cause issues
And, interestingly, such a ruling would put a lot of pressure on Irish regulator to also rule that US surveillance is illegal under people’s use of standard contractual clauses
Why? Cos it would be odd for EU-US Privacy Shield to be ruled invalid on surveillance concerns, but then allow EU-US data transfers to continue under standard contractual clauses.
You can’t say one transfer is invalid, while one is OK.
You can’t say one transfer is invalid, while one is OK.
I get this is super complicated. And I get you’ve probably turned off by now. But the point is this: adviser to Europe’s highest court has just put a shot across the bow of transatlantic (and potentially EU-worldwide) data transfers
It’s a victory for @maxschrems, who had been calling on Ireland’s privacy regulator to make a ruling on US surveillance, & @Facebook, which can continue to use standard contractual clauses, at least for now
It’s a hit for Ireland’s privacy watchdog as it’ll now have to wade into hot waters about determining if US surveillance activities breach EU privacy standards (a previous ruling from Europe’s highest court said that they had, so there’s that)
Finally, it’s a blow for both US govt & @EU_Commission that had put a lot of effort into getting Privacy Shield over the line, a pact that may soon be invalidated
@EU_Commission Phew, get all that? It’s complicated, it’s geeky, but it comes down to this: Who gets to set global privacy standards? Europe or the US? And where can you draw the lines on privacy protections in a digital world where borders don’t really matter?
Also, beware of a lot of BS out there about what this all means. Read the complete legal document bit.ly/34BCPkP, and remember that all of this may be mute if EU judges go a different way in their final judgement (yay?!)
Rant over. Thoughts appreciated.
.@DPCIreland responds to today’s legal opinion. Kinda shows how complex this stuff is.
Basically: “Thanks, advocate general for your views. We’ll wait to see how judges rule next year"
Basically: “Thanks, advocate general for your views. We’ll wait to see how judges rule next year"
