Across the EU, this has been an eventful year in the world of privacy, with new regulations, controversial court rulings and conflict with major internet platforms.
One of the biggest changes has been the demise of Privacy Shield, the arrangement under which EU data has in the past been legally transferred to the US.
That thorn in Facebook’s side, Austrian campaigner Max Schrems, this summer challenged Privacy Shield’s validity on the grounds that US national security laws did not protect EU citizens’ data from government spies – and won.
The decision has left EU-US data transfers in doubt. Many organisations are now attempting to use mechanisms such as Standard Contractual Clauses (SCCs) to legitimise their activities – but this, too, has come under question.
“The court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws,” says Schrems. “It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady.”
Unsurprisingly, these rulings have not been welcomed by the internet giants. After the Irish data protection commissioner issued a preliminary order compelling Facebook to suspend data transfers overseas, the company warned that it might pull out of Europe altogether.
In another major privacy-related judgement, the Court of Justice of the European Union (CJEU) recently ruled that France, the UK, Belgium and other European countries cannot require internet service providers to store all their customers’ traffic and location data for intelligence purposes.
The case was brought by privacy campaign groups Privacy International and La Quadrature du Net, and the ruling supports several previous judgements relating to individual member states.
“While the police and intelligence agencies play a very important role in keeping us safe, they must do so in line with certain safeguards to prevent abuses of their very considerable power,” says Caroline Wilson Palow, legal director of Privacy International.
“They should focus on providing us with effective, targeted surveillance systems that protect both our security and our fundamental rights.”
What next for privacy in Europe?
The next few months are likely to see more wrangling in the aftermath of the abolition of Privacy Shield. The tech giants are fighting the ruling all the way. And the US government is unsurprisingly lining up behind them, with the startling claim from Department of Commerce deputy assistant secretary James Sullivan that “The US legal framework for foreign intelligence collection provides clearer limits, stronger safeguards, and more rigorous independent oversight than the equivalent laws of almost all other countries.”
The legal arguments are likely to last well into next year.
Meanwhile, the EU’s way-behind-schedule ePrivacy Regulation looks set for a kickstart following Germany’s takeover of the EU Presidency in July. Introducing changes around consent, clarity of language and in particular the handling of cookie consent, it’s still not likely to come into force next year.
And the fallout of the recent data collection ruling is by no means over, in the UK at least, where there is no desire to comply and, thanks to Brexit, no compulsion to do so.
EU vice-president for values and transparency Věra Jourová says she can’t predict whether data adequacy will be granted.
Finally, there’s the question of whether European data protection authorities will start to use their teeth. Penalties can in theory amount to €20 million or four per cent of global turnover, whichever is greater. However, in practice there have been very few really large fines – something that may change over the coming months.