EU High Court Adviser Questions Privacy Shield Legality

The case against was initially brought by Max Schrems, whose initial privacy challenge led to the creation of PS. After PS was created and Schrems challenged that privacy regime, the Irish data protection commissioner brought its case against Facebook (C-311/18). It arose from the facts that led to the 2015 EU high court decision rejecting the pre-PS data transfer safe harbor agreement (see 1510060001). The Irish DPC later asked the continent's top court for a preliminary ruling whether the U.S. ensures adequate protection of personal data of EU citizens and, if not, whether SCCs sufficiently protect citizens' fundamental rights.

Analysis now "disclosed nothing to affect the validity" of the EC's SCC decision, Saugmandsgaard Oe said. He explained doubts that PS meets requirements of the EU general data protection regulation in light of the European Convention on Human Rights. Purposes for processing personal data under U.S. Foreign Intelligence Surveillance Act Section 702 and presidential policy directive 28 aren't clearly defined enough to ensure protection, he wrote. PS' ombudsman isn't sufficiently independent from the U.S. government, the AG said.

The AG noted a direct challenge to the shield pending in EU General Court (T-738/16). That complaint is by France privacy advocate La Quadrature du Net and others. The new opinion "illustrates the levels of complexity associated with the kinds of issues that arise when EU data protection laws interact with the laws of third countries," including the U.S., and recognizes "significant tensions" between needs to be pragmatic and to assert fundamental EU and national values, a DPC spokesperson emailed. Acknowledging SCCs may be imperfect, the EU approach strikes an appropriate balance, he said.

Schrems called the opinion a "total blow to the Irish DPC and Facebook." It's "a very important step for users' privacy," he said.

Facebook is "grateful" for the opinion on such complex questions, wrote Associate General Counsel Jack Gilbert. The EU designed and approved SCCs, he noted. They "enable thousands of Europeans to do business worldwide."

The findings are "good news for European internet users and businesses" alike, said Computer & Communications Industry Association Senior Policy Manager Alexandre Roure. SCCs are "the only viable and affordable instrument for European companies to transfer data beyond the dozen countries the EU deems adequate," he said. "European data protection authorities can enforce SCCs, including the prohibition or temporary suspension of data flows if they have serious concerns that SCC cannot be complied with because of foreign legislation," noted CCIA. Its members include Facebook.

The opinion puts PS "in the firing line," said Center for Data Innovation Senior Policy Analyst Eline Chivot. It increases "uncertainty for businesses at a time when the EU and U.S. should be fostering more cooperation in the digital economy to respond to China's growing economic clout," she added. The AG "suggests that supervisory authorities in EU member states are permitted to suspend data transfers based on SCCs to the United States, even though the EU-U.S. Privacy Shield has established a legal basis," wrote Brussels-based Chivot. Her center is affiliated with the Information Technology and Innovation Foundation, whose board includes Amazon, Apple and Microsoft executives.

The opinion doesn't "bode well for the future of Privacy Shield," said the American Civil Liberties Union. It urged U.S. politicians to "swiftly enact broader surveillance reforms before our government's surveillance practice become an even greater financial liability for U.S. companies trying to compete in a global market."