Some of you probably remember when then Austrian law student Max Schrems started fighting a battle over privacy with Facebook.
Now probably neither you nor I would want to pick a fight with Facebook’s legal team, but Max, a law STUDENT, said, hey, what the heck.
That battle wound up at the CJEU – The Court of Justice of the European Union. The CJEU, the equivalent of the U.S. Supreme Court, is the final legal arbiter of EU law.
In October 2015, the CJEU ruled in favor of Max. Against Facebook. And against the United States. Safe Harbor, the agreement negotiated between the EU and the United States 15 years before to protect EU citizens data that was transferred by companies like Facebook from the EU to the US, was flushed down the toilet.
To replace that, the Commerce Department under President Obama negotiated a replacement agreement called Privacy Shield and that has been in force for about a year.
One of the clauses in the Privacy Shield agreement says that it will be reviewed one year after it became effective.
Many people, Schrems included, said that Privacy Shield was just Safe Harbor with a bit of lipstick on it. Not even a lot of lipstick.
An alternative to Safe Harbor was something called Standard Contract Clauses. These legal terms were written by the EU and when included in end user agreements VERBATIM, provided pre-approved permission to move data from the EU to the US because these clauses, supposedly, provided EU citizens with protection regarding their data.
Schrems being the thorn in the backside of Facebook that he was decided that these standard contract clauses didn’t really protect his data, so he went to the Irish Data Protection Commissioner and ultimately the Irish High Court and asked them to rule on Standard Contract Clauses.
Well that High Court decision is in and Facebook (and many other US companies that want to be able to move data back and forth between Europe and the US) is not happy. The Irish High Court agreed to ask the CJEU – the same folks that invalidated Safe Harbor – to rule on Standard Contract Clauses.
While we have no idea what the final ruling will be, Facebook and others, including the US government, have a very different interpretation of a person’s expectations of privacy. In general, US privacy rules are much looser than EU privacy rules and penalties are almost non-existent. Under a new law going into effect mid next year called the General Data Protection Regulation (GDPR), Facebook could be fined up to 4% of it’s global annual revenue for a privacy breach. For Facebook, with revenue of $27 billion last year, that means that they could be fined UP TO a billion dollars. That is why they are fighting so hard to keep these known rules in place.
The CJEU is the final stop. There is no appeal from there. Given that the CJEU ruled against Facebook two years ago, the odds of ruling for Facebook this time are shaky – but we don’t know how it will turn out.
Schrems, on the other hand, is a pretty happy camper.
Stay tuned. IF the CJEU rules in favor of Schrems, President Trump and the current administration will have to do some interesting dancing.
Alternatively, all data transfer between the EU and the US could be stopped unless the person who’s data it is has EXPLICITLY approved that transfer. That approval cannot be buried on page 27 of a terms of service agreement that no one reads.
STAY TUNED. It could get interesting.
Information for this post came from Fortune.