No Short-Term Impact on Companies in Facebook-EU Privacy Skirmish

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

Companies doing business in the European Union won’t be impacted immediately by the Irish High Court’s Oct. 3 move to ask the EU’s top court to rule on the legality of privacy contract clauses relied on by Facebook Inc. and other companies.

“Nothing changes for companies in Ireland or Europe” based on just the High Court ruling, Irish Data Protection Commissioner Helen Dixon told Bloomberg BNA. “Only the Court of Justice of the European Union could declare a transfer mechanism invalid.”

Ireland’s position is significant because many U.S.-based multinationals in addition to Facebook make their EU home in Ireland, including tech giants Apple Inc., Microsoft Inc., and Alphabet Inc.'s Google. Ireland’s privacy office is the primary EU privacy regulator for those companies, and plays an outsized role in the bloc as a privacy policy maker and enforcer.

The European Commission, the EU’s executive arm, determined in 2001 that standard contractual clauses, which provide boilerplate language companies can include in agreements, provided adequate privacy protections for data transferred outside the EU.

The present case began when Max Schrems filed a complaint with the Irish privacy office asserting that Facebook’s use of standard contractual clauses didn’t safeguard against U.S. government surveillance. The Irish privacy office asked the High Court to refer the case to the CJEU.

Irish High Court Justice Caroline Costello said in the ruling that “there are well founded grounds” for believing that the commission’s privacy adequacy decisions on standard clauses are invalid. A final decision by the EU court on the use of standard clauses “has implications for billions of euros worth of trade between the EU and the U.S.,” Costello said.

Schrems and Facebook are well-acquainted. He also filed the complaint against Facebook with the Irish privacy office that led to the downfall of the U.S.-EU Safe Harbor scheme that provided a legal basis for data transfers from the EU to the U.S. for U.S. companies that self-certified to the U.S. Commerce Department their compliance with EU privacy principles. The Safe Harbor was replaced by the EU-U.S. Privacy Shield, which includes stronger privacy protections and is relied on by more than 2,500 U.S. companies to transfer data from the EU.

The referral to the CJEU doesn’t mean that the Privacy Shield is no longer available as a means to transfer data outside the EU, the Irish privacy office said in a statement.

New EU Privacy Regime

Rob Corbet, a partner and head of technology & innovation in the Dublin-based law firm Arthur Cox, told Bloomberg BNA that it will likely be at least a year before the EU court rules in the case.

During the interim, “a lot will happen” that could change the outlook on issues before the court, including the EU’s new privacy regime, the General Data Protection Regulation, taking effect in May 2018.

The GDPR notes with approval the use of alternative methods to transfer personal data out of the EU, he said. In addition, the first annual review of the Privacy Shield netted positive comments from EU and U.S. officials, he said.

Longer Term Uncertainty

There may be longer term uncertainty for companies about their ability to transfer data.

“This is not just about Facebook but about tens of thousands of companies across Europe that use some sort of data transfer methods,” Paul Sweetman, the director of Technology Ireland, which represents many tech sector companies operating in the country, including multinationals, told Bloomberg BNA. “Uncertainty has been created.”

Standard clauses are “indispensable” as a data transfer mechanism, so the ECJ’s ruling “will have significant implications,” Sweetman, who is also a board member of the Brussels-based tech industry group Digital Europe, said. “International data flows underpin the modern economy,” and any disruption to data flows could hit as much as 1 percent of the EU’s annual domestic gross product, he said, citing Brookings Institution estimates.

The parties to the case are scheduled to make submissions to the High Court Oct. 11 on specific questions to be referred to the EU court. How the questions are posed may play a significant role in the scope and impact of its ruling beyond the present case involving Facebook and transfers to the U.S.

Standard clauses are used not just by companies seeking to transfer EU data to the U.S., but are also the legal basis “for most EU companies to transfer data to many other countries,” Cameron F. Kerry, privacy and cybersecurity senior counsel at Sidley Austin LLP in Washington and former general counsel and acting secretary at Commerce, told Bloomberg BNA.

“These include major EU trading partners like Russia, China, and India that have far less developed privacy and data protection laws for the commercial sector—much less for law enforcement and intelligence services,” he said.

Facebook didn’t immediately respond to Bloomberg BNA’s requests for comment.

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security