بازدید 25278

Top court hearing puts EU data transfers in jeopardy

Four years ago, Max Schrems brought a data-sharing deal worth billions of euros between Europe and the United States crashing down.
کد خبر: ۹۱۰۱۱۸
تاریخ انتشار: ۱۷ تير ۱۳۹۸ - ۰۹:۰۱ 08 July 2019

Four years ago, Max Schrems brought a data-sharing deal worth billions of euros between Europe and the United States crashing down.

Now he could do it again.

On Tuesday, the European Court of Justice in Luxembourg will hear arguments in another case brought by Schrems over claims that the U.S. government does not sufficiently protect Europeans' data when it is shipped across the Atlantic.

"There is fundamentally a clash between surveillance laws in the U.S. and privacy rules in Europe," he said. "We're in a debate about who governs the internet. Europe governs privacy, but the U.S. governs surveillance."

At stake is the legality of so-called standard contractual clauses, complex legal mechanisms that allow thousands of companies to move data freely from Europe to the U.S., Asia and elsewhere.

Tuesday's hearing marks the latest chapter in the standoff between Europe's stance on privacy and the United States' government's surveillance practices.

These agreements are used by companies from Google to General Electric to transfer digital information between their various hubs worldwide. They cover how people's social media posts, firms' payroll information and a litany of other sensitive data are handled by major corporations.

Schrems and his lawyers are expected to argue this data-transfer mechanism runs against EU privacy rules because it allows U.S. national security agencies extensive access to Europeans' digital information. Others, including the European Commission and industry groups, will says these agreements provide sufficient guarantees for EU citizens.

A final decision by Europe's highest court is expected some time next year, following Tuesday's hearing in Luxembourg.

A lot is at stake.

While the case originally brought in Ireland focused on the standard contractual clauses used specifically by Facebook in the U.S., judges in Luxembourg could rule against the validity of those agreements in general. Their decision could potentially turn off data transfers from Europe to the U.S. and elsewhere overnight, pulling the plug on billions of euros of trade that underpinned by companies' ability to readily shift data between trading blocs.

Privacy campaigners and industry groups are also worried the Luxembourg court may use the case to invalidate other legal mechanisms for moving data outside of Europe — including the EU-U.S. Privacy Shield mechanism — affecting wide swathes of the digital economy.

"The case is tremendously important," said Omer Tene, vice-president of the International Association of Privacy Professionals, a trade group. "If the carpet is pulled out from companies' feet, it may cause massive disruption."

The Commission, which oversees these complex data agreements, declined to comment on the upcoming hearing, but officials said the region's existing privacy rules offered individuals sufficient protections against misuse. Facebook said that current data transfer mechanisms protect EU data when it is transferred outside the bloc.

Schrems 2.0

Tuesday's hearing marks the latest chapter in the standoff between Europe's stance on privacy and the United States' government's surveillance practices.

As part of documents sent to participants ahead of Tuesday's hearing, the court asked a series of questions about the legality of the separate Privacy Shield agreement.

In 2013, Schrems filed a complaint with Ireland's privacy regulator claiming Facebook violated the region's data protection standards by allowing U.S. authorities to have undue access to Europeans' data.

His allegations were linked to revelations by Edward Snowden, a former contractor for the U.S. National Security Agency, who alleged Washington carried out mass surveillance on people worldwide by accessing data stored by some of Silicon Valley's biggest names, including Facebook and Google. The companies deny any wrongdoing.

After lengthy legal wrangling in Ireland, the country's data protection watchdog, which oversees Facebook's privacy regime because the company's international headquarters are in Dublin, referred the case to Luxembourg because it said only Europe's highest court could decide if the U.S. government's data collection practices were in line with Europeans' privacy standards.

That decision ruffled feathers within the Commission, industry bodies and privacy groups, many of whom believed Dublin already had the legal right to decide on the legitimacy of these complex data transfer agreements. In response, the office of Ireland's Data Protection Commissioner said it would not comment ahead of Tuesday's court hearing.

American officials defend how national security agencies collect, access and store people's digital information. They say that existing rules offer individuals, including Europeans, the right to appeal; that independent oversight limits the government's unfettered access to data; and that the Commission — through its EU-U.S. Privacy Shield pact, a separate agreement on transatlantic data transfers — already established American privacy protections were "essentially equivalent" to those of Europe.

"U.S. law sets rigorous standards for government access to personal data," Washington said in a filing to Irish courts. "These standards reflect a commitment to privacy that has been ingrained in the U.S. Constitution and laws since the founding of the republic." A representative for the U.S. Department of State declined to comment on the upcoming Luxembourg hearing.

Not surprisingly, opponents disagree. They claim that existing U.S. law still allows for the bulk collection of reams of personal data on non-Americans, and that there are not sufficient legal protections in place for non-citizens to take Washington to court if they believe their data has been mishandled or collected illegally. That comes despite years-long transatlantic negotiations to give Europeans a greater say when their digital information is moved to the U.S.

"Current U.S. surveillance laws fail to adequately protect the privacy rights of people in the E.U.," said Ashley Gorski, a national security lawyer at the American Civil Liberties Union, who testified when the case was in Irish courts.

Be careful what you ask for

Europe's highest court must now decide who is correct — and if existing data transfer rules uphold European rights.

"No matter what transfer mechanism you use, you end up with a conflict. The U.S. laws allow espionage against EU citizens" – Max Schrems, lawyer and privacy activist

But privacy campaigners, industry groups and government officials in both Brussels and Washington are increasingly worried the Luxembourg judges will take a broad view when it comes to their eventual ruling. That could mean going beyond merely looking at how Facebook and other tech companies potentially hand over data to U.S. national security agencies.

As part of documents sent to participants ahead of Tuesday's hearing, the court asked a series of questions about the legality of the separate Privacy Shield agreement, according to people with direct knowledge of the matter, who spoke on the condition of anonymity because court proceedings remain confidential. A separate hearing on the Privacy Shield agreement at the EU's General Court was recently postponed until there's a judgment in this case.

That has raised concerns the court could eventually rule against both the legality of standard contractual clauses and other data transfer agreements which lie at the heart of Europe's trading relationships.

A ruling against these data transfer agreements may also jeopardize so-called binding corporate rules, another mechanism used by companies to move data outside of the EU within their own organizations.

"The judges have the authority to look at whatever they want to," said Eduardo Ustaran, co-head of the privacy and cybersecurity division at Hogan Lovells, a law firm, who is not involved in the case. "The questions referred from Ireland are very wide, they go beyond just contractual clauses."

Even the most ardent privacy campaigners, including Schrems, do not want the Luxembourg court to invalidate all these data transfer mechanisms.

Instead, they are asking the judges to force tech companies to uphold European data protection standards by not allowing U.S. authorities to undertake surveillance practices that threaten EU rights. Legal experts, though, are skeptical if the European court can realistically enforce such a ruling against American government agencies.

With the court keeping all options on the table — including invalidating almost all the ways in which companies can move data from Europe to elsewhere — the stakes in Tuesday's hearing could not be higher.

"No matter what transfer mechanism you use, you end up with a conflict," said Schrems, who would prefer the judges focus solely on how Silicon Valley companies handle EU data. "The U.S. laws allow espionage against EU citizens."

سلام پرواز
خیرات نان
بلیط اتوبوس
تبلیغات تابناک
اشتراک گذاری
برچسب منتخب
# ماه رمضان # عید نوروز # جهش تولید با مشارکت مردم # دعای روز هجدهم رمضان # شب قدر