ECJ's US/EU data transfer ruling: What it means in five key points
What does today’s European Court of Justice ruling on data transfers mean?
Here’s a quick explainer on what it’s all about and how it affects ordinary internet users, multinationals based in Ireland and Irish authorities.
1. Background to the case
The case is the culmination of an action brought against Facebook in the Irish High Court by an Austrian student, Max Schrems. Mr Schrems argued that Facebook flouts privacy considerations in its pursuit of expansion and commercial success. He also said that personal data processed by Facebook is unprotected because it is transferred to the US, where it is not treated properly.
He made a complaint to the Irish data protection commissioner about this, who said that his office could not investigate because the issue was covered under an EU-US legal convention called ‘Safe Harbour’, which promises to protect EU citizens’ personal data.
Mr Schrems challenged this decision in the High Court, which referred it to the European Court Of Justice on a point of European law. The ECJ has now agree with Mr Schrems and struck down ‘Safe Harbour’.
2. Ordinary internet users
If Irish Data authorities restrict or ban data transfers on popularly used services such as Facebook or Gmail, those companies say that it will limit new services made available to EU users. That could mean if Facebook were to introduce, for example, new messaging services, EU-based users wouldn’t get them. It could also mean that the next big online service -- a Snapchat or a Pinterest -- may simply ignore the European market when launching.
3. Multinationals in Ireland (Facebook, Google, Microsoft and others)
This doesn’t mean that Facebook, Google or Microsoft will start thinking of pulling out of the EU. But it could make their presence in Ireland, and the rest of the EU, much trickier and much more expensive. For a start, it probably means that they will have to double down on data centres in the EU. This is because hosting the data here overcomes some of the hurdles put up by European privacy authorities. Most big web multinationals have already done that either here in Ireland or elsewhere in the EU.
Some tech companies located here have previously acknowledged a threat to their business from the case. “Revocation of the Safe Harbour Framework could require us to create duplicative, and potentially expensive, information technology infrastructure and business operations in Europe or limit our ability to collect and use personal information collected in Europe,” said a filing from Twitter earlier this year.
4. The Irish Data Protection Commissioner
Helen Dixon’s office will now be under pressure like never before. The European Court Of Justice has just told the world that the immediate future of European Facebook data transfers rests on her shoulders. And that means she now has to formally make a call on US security agencies’ practice of snooping through our Facebook and email data. It’s a huge responsibility. And her office can no longer point to overarching treaties between the EU and the US to avoid ruling on the matter, which is what her predecessor did.
5. The Irish government
The Irish government, while outwardly projecting solidarity with citizens’ privacy rights, will be groaning at the placatory job on its hands over the coming months. It already has an impending headache with the EU’s probe into tax deals gleaned here by multinationals such as Apple. Now it has walk the line between privacy rights and keeping the big web companies, who are starting to grumble a lot, happy in Ireland.