By:
Gregory P. Bufithis, Esq.
Founder/Executive Director
The Project Counsel Group
26 May 2016 – The Irish Data Protection Commissioner has referred Max Schrems’ original complaint on standard contractual clauses to the EU Court of Justice to determine if Facebook’s transfers of personal data from the EU to the U.S. is legal.
Transatlantic data sharing has come under tight scrutiny following the collapse of the Safe Harbor agreement after a Court of Justice of the EU (CJEU) ruling in favor of Schrems last year.
The Irish DPC said:
“We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”
The CJEU ruling against Safe Harbor mainly related to mass surveillance conducted by the U.S. NSA, whose PRISM snooping program allowed them access to EU citizens’ personal data collected by U.S. corporations.
While governments, under EU regulations, are required to provide a means of redress to citizens who believe their rights have been infringed by the spooks, such applications cannot be submitted to anyone in the U.S. As I noted in my previous posts, despite the CJEU’s declaration of the incompatibility of the EU and US data protection regimes, the American corporations … who do so love shipping bytes across the Atlantic … simply shrugged. Common was the reaction of companies such as Facebook, Microsoft, and Salesforce which invoked “model contracts” which they claimed allowed customers to practically ignore the judgment.
Schrems said in a Facebook post (oh, the irony!) that:
“model contracts pose a very serious issue for the US tech industry and EU – US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental right. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see now there could be a solution”.
A copy of Facebook’s “Model Clauses” contract provided by Schrems does not, however provide any means of redress for EU citizens whose rights may be violated by U.S. mass surveillance.
Facebook responded:
“Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in the EU. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contract Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries”.
Some thoughts
It’s not as if U.S. corporations have been caught unaware. Many are building EU data centers with legal firewalls between their operations and the U.S. corporation. In the e-discovery world, there are at least two EDD vendors building Relativity appliances that will be “EU only” with no connection to the U.S.
Whether any of this will help is questionable due to the power of “leverage”. In the case of a subsidiary (say, Microsoft Ireland), you’re deemed as owner to have enough power to compel certain activity. This stance is assisted by the refusal of U.S. law to acknowledge that anything else exists in the Universe: U.S. courts couldn’t care less that complying with a U.S. order for disclosure could cause the subsidiary to be in breach of local laws.
Note: to obtain a brilliant perspective of this issue I urge you to read U.S. Supreme Court Justice Stephen Breyer’s recent book The Court and the World which is a fascinating account of how an increasingly globalized and interdependent world influences the deliberations of America’s highest court and must influence all U.S. courts.
It’s getting slightly better insofar that moving your HQ from the U.S. will now help a bit. But as I learned at a recent international corporate counsel workshop in Brussels, the true test will be the attempts being made to defeat leverage through these big hosting projects and resales set ups: they’re mainly tests to see what amount of work needs to be done to create feasible proxies to indeed establish that sort of isolation. But in the case of a contractual relationship, if the DOJ can make it stand that you have set up such a contract to specifically work your way around U.S. law you have a problem too.
That latter point, by the way, is far more complicated anyway: hosting the data of your company outside your home jurisdiction still deems said data to remain under the jurisdiction of origin. I am baffled how so many U.S. companies who think that just hosting their data abroad somehow makes it magically exempt from jurisdictional law.
That’s why I think the far more important case is not the Schrems Follies but Microsoft Ireland which led me to read the milestone documents and briefs in the case (and compelled me to buy a 128GB iPad so I could store the 4,800+ pages … and counting … with all my other stuff). I was tired of the media largely treating this case as if the U.S. government were sending black helicopters to Ireland to snatch data. In this case, no U.S. law enforcement agents travel overseas or break into anything. Rather, the DOJ is asking the court to do what it has done in dozens of offshore banking cases: compel a company doing business in the U.S. to produce evidence stored offshore. Why should data be any different? Microsoft is a U.S. company that has evidence connected to a U.S. crime, and a U.S. judge has determined that the government has probable cause to seek that evidence. If the U.S. can get personal jurisdiction over Microsoft, there is no domestic or international jurisdictional principle that prohibits a U.S. court from compelling a U.S. firm like Microsoft to produce evidence under its control but stored abroad. Of course, there might be domestic statutory reasons not to allow this production, or scope-of-the-warrant issues, as others have noted, but these are separate questions beyond the scope of this post.
But beyond the issues of data localization, scope-of-warrant and general concerns of law enforcement, the current case also has steep implications for Microsoft’s ability to compete with smaller, more aggressive counterparts. Users seeking to avoid U.S. government orders for their data could sign up with foreign firms or embrace strong encryption tools such as those offered by companies such as Signal and Whisper, products designed in such a way that the company is unable to turn over data to prosecutors. Said one U.S. Federal prosecutor I spoke with:
“All this developing tech out there will have far-reaching implications for the future of law enforcement in the digital age. Microsoft? We can get them. But frankly there are so many other new tech companies with data we’d like. But we no longer ask them for user data. Because we know we can’t get it.”
And look at the proliferation of messenger/chat bots that companies are installing for intra-company chats amongst employees. I recently completed an extensive e-discovery assignment that involved a market-fixing investigation across three EU member states. While the emails did reveal the “bad acts”, more telling were the emails that said “let’s move this conversation to Talkie” [I changed the name of the chat bot]. Talkie was designed so all conversations were erased at the end of each day, and not recoverable. An employee could save his chats but it was not known if anybody did.
And to be fair, the U.S. does not make it easy in the other direction. American data laws present a thicket of hoops that foreign law enforcement agencies have to jump through in order to obtain the contents of customer data — such as emails — held in the United States. The Electronic Communications Privacy Act requires foreign law enforcement agencies to present a request for the data to the Justice Department. The department reviews that order, and it is then forwarded to a U.S. attorney, who goes to a judge, obtains a warrant, and presents it to the company in question. The requested data is then routed back to the foreign government via the Justice Department, a process that can take on the order of 10 months. The more law enforcement looks to digital forms of evidence, the more they face these massive delays because of things like requirements in U.S. law
Final note: I highly recommend the work of Jennifer Daskal, an assistant law professor at American University, who has written extensively about data location and privacy.