Over the past two days, U.S. observers of Facebook have been focusing on Mark Zuckerberg’s testimony to Congress, and the question of whether U.S. politicians might introduce new regulations of Facebook’s privacy and data sharing practices. They have been missing the real story.
Facebook faces a far more immediate threat from European regulators. Next month, the European Union’s General Data Protection Regulation (GDPR) comes into force, potentially forcing Facebook to introduce major changes to its privacy practices, or face massive fines.
As the Open Markets Institute’s Matt Stoller noticed, Zuckerberg had talking points on the GDPR with him when he testified. However, on Thursday morning, the stakes got much, much bigger, thanks to a new ruling by Ireland’s High Court.
Facebook has already been at the center of big fights
What happened is the sequel to an earlier legal battle. After former National Security Agency contractor Edward Snowden revealed the vast extent of U.S. government surveillance, Max Schrems, a young Austrian lawyer and privacy activist, realized that he had an opportunity to take a case against Facebook. Facebook’s business model requires it to share data internationally — so that if an American has European friends (or vice versa) they are all on the same network. However, Europe has much stricter privacy laws than the United States, which means that Europe places restrictions on companies’ ability to export people’s personal information outside Europe, to countries with laxer privacy rules.
Facebook — and other major U.S. e-commerce firms and multinationals — took advantage of an E.U.-U.S. agreement called the Safe Harbor, which allowed them to export data to the United States, as long as they agreed to abide by certain privacy principles. However, if this data was then exposed to U.S. surveillance, one could make the argument that E.U. citizens’ privacy was being breached in a quite fundamental way.
Facebook’s European operations are centered in Ireland. Schrems first tried to get Ireland’s privacy officials to take action against Facebook and failed (we discuss how this happened in detail in the second half of this paper — nonpolitical scientists should skip the beginning sections). He then took a case (the “Schrems I” case) in Ireland’s High Court, and caught U.S. officials and Facebook nodding. The Irish judge found that there had been a “massive overreach of the [U.S.] security authorities, with an almost studied indifference to the interests of ordinary citizens,” and referred the European legal questions to the European Court of Justice (which serves as a kind of Supreme Court of European law).
In a landmark judgment, the European Court found that the Safe Harbor deal was invalid. This caused consternation among companies like Google and Facebook, which relied on Safe Harbor to do business in Europe. After panicked negotiations, the E.U. and United States came up with a new compromise, the “Privacy Shield” arrangement, which would once again allow U.S. firms to export data.
The Privacy Shield is probably broken
Now, the Irish court has ruled again on a new case taken against Facebook by Max Schrems (Schrems II), where Schrems argued that an alternative means that Facebook used to export data to the United States was also invalid, again claiming that it exposed European citizens’ personal data to unlawful surveillance. This time, U.S. officials tried to forestall disaster by working together with Facebook and by providing information to the Irish court about U.S. law, which they hoped would prevent the Irish court from making damaging findings of fact. It didn’t work.
The Irish high court on Thursday found there was “mass, indiscriminate processing of data” by U.S. authorities. Again, it referred the matters of European law to the European Court of Justice to rule upon. The High Court also noted the difficulties that European citizens would have in challenging surveillance under U.S. law and found that it was arguable that the remedies offered by the Privacy Shield were inadequate. It has referred 11 fundamental questions to the European Court of Justice.
It is, of course, possible that the European Court of Justice will blink. However, given the ECJ’s previous rulings, and the findings of fact made by the Irish court, that is highly unlikely. The court is very likely indeed to agree with the implicit message that the Irish judge is sending and to find that the Privacy Shield is inadequate. If anything, the politics have gotten worse for the United States over the last 18 months. Not only is Facebook far more controversial than it was some months ago, but the current U.S. administration is not particularly popular with European judges.
Judges who might have been inclined to give the benefit of the doubt to the Obama administration are likely to be far more suspicious of President Trump. It is possible that the European Court of Justice will issue a ruling very quickly — while it usually moves slowly, its ruling on the first Schrems case was extraordinarily speedy.
Facebook may soon be in a world of hurt
If (as is very likely), the Privacy Shield falls, then companies like Facebook and Google face some very serious problems. They cannot easily change their practices to mollify European judges and regulators, since these judges and regulators are more directly worried about U.S. government surveillance than about Facebook’s own possible privacy abuses. European judges are likely to demand major changes to U.S. surveillance practices, which U.S. agencies such as the NSA are going to be extremely unwilling to deliver on.
Just as in the United States, judges are not particularly interested in bargaining or dealmaking. Instead, they are driven by their understanding of European law (and by their political interests in expanding their own powers and independence). At best, this suggests a period of lengthy legal uncertainty for companies such as Google and Facebook, which will substantially add to the pressure that they already face in Europe. At worst, it suggests a fundamental challenge to their international business model.
It could, of course, be that the United States introduces extensive privacy legislation along European lines, creating a foundation for a U.S.-E.U. deal in which both countries would accept privacy protections for each other’s citizens, building on the Judicial Redress Act. Certainly, some U.S. legislators appear to be curious about the possible benefits of a European-style approach to privacy, rather than regarding it, as they have in the past, as a fundamental competitive threat. However, that would require a major sea change in U.S. politics, which is unlikely to happen quickly.