Strength of ‘Privacy Shield’ hinges on Facebook case in Ireland

1 August 2016. By Vesela Gladicheva.

As of today, thousands of US companies can start signing up to a newly adopted EU-US deal allowing them to shift personal information lawfully across the Atlantic. But that mechanism — the fruit of years of fraught negotiations between Brussels and Washington — could take a serious hit if Europe’s highest court voids another data-transfer method.

An Irish court case against Facebook, to be heard in February, could land before EU judges and weaken the new trans-Atlantic “Privacy Shield” accord.

The Privacy Shield is a voluntary agreement aimed at making it easier for companies to transfer personal data from the EU to the US by ensuring that the information is protected in America with privacy safeguards similar to those in Europe.

Washington today started accepting self-certifications from companies that they comply with the accord.

One of the companies to adopt the arrangement on its first day of operation was Pleasanton, California-headquartered Workday, a seller of cloud-based finance and human-resources software.

“As part of our certification, Workday agrees to resolve privacy-related issues in an expedient manner through cooperation with European data-protection authorities and binding arbitration,” the company said in a statement.

The accord replaces “Safe Harbor,” a data-transfer mechanism dating to 2000. Europe’s top judges invalidated Safe Harbor last October, because it failed to offer European citizens effective legal remedies in the US in alleged violations of their rights.

Prolonged talks between the European Commission and the US Department of Justice resulted last month in the adoption of the Privacy Shield. The agreement offers stronger privacy protections to citizens by imposing stricter rules on companies shifting data — such as payslips and photos — across the Atlantic.

Model contracts

Workday also said it will use Privacy Shield alongside boilerplate legal contracts for data transfers to non-EU countries, which are approved by the commission.

Obligations under “standard contractual clauses,” as they are officially known, include security measures and information that companies should give European citizens in case sensitive data are transferred. These model contracts, first issued by the commission in 2001, also list citizens’ rights to have their personal data erased.

Irish Challenge

But Irish judges are scrutinizing the lawfulness of this mechanism, and the outcome of that case could damage the robustness of the Privacy Shield.

On Feb. 7, Irish judges will hear a complaint brought by Austrian student Maximilian Schrems in 2013 against Facebook’s data transfers from its European subsidiary in Ireland to the US. American law can’t protect the privacy of European citizens from surveillance practices by US intelligence agencies, he argues.

That hearing at the Irish High Court could give a first indication as to which aspects of the Privacy Shield might also be put to the test at the EU’s Court of Justice in Luxembourg. For example, the arrangement creates an ombudsman who would oversee how US authorities comply with the mechanism. The ombudsman has the power to investigate complaints about data transfers under any mechanism, including model contracts.

Schrems’s complaint initially escalated to the Court of Justice, which invalidated the Safe Harbor arrangement. The case then returned to the Irish data-protection commissioner, Helen Dixon, who in May said the EU court should now examine the validity of Facebook’s model contracts.

The US government will intervene in the hearing next year. Privacy advocates and two trade associations representing major tech companies such as Apple, Microsoft and Siemens will also testify.

Washington will attempt to convince Irish judges that the Privacy Shield will lawfully protect Europeans’ privacy, for example through the role of the ombudsman. If the case lands before EU judges, the court will have to consider the testifying parties’ arguments.

EU judges could well rule that the ombudsman mechanism isn’t enough to protect Europeans’ information against US mass surveillance. They could even invalidate the model contracts.

That wouldn’t be enough to bring down the Privacy Shield. But it would add fuel to the fire at a time when privacy advocates will be threatening to challenge the deal.

In the meantime, until the fate of the model contracts is crystal clear, thousands of companies will continue to rely on them for their data transfers. In many instances, companies will combine contracts with the Privacy Shield, just like Workday, according to the needs of their clients’ business operations.

* Additional reporting by Mike Swift