During the aftermath of the general election and in the run-up to Christmas, there were some very important decisions published by the Court of Justice of the European Union (CJEU).
I shall concentrate on only one, which is likely to continue to have impact once we have left the EU.
Before doing so, I shall merely point to another that is also interesting for lawyers, namely the judgment in relation to Airbnb - Case C-390/18.
A French association for professional tourism and accommodation brought a case against Airbnb on the grounds that it acted as an estate agent in France without first having the appropriate professional licence.
This raised the old issue of whether electronic platforms such as Airbnb are to be classified as an ‘information society service’ under Directive 2000/31 on electronic commerce (which allows it to escape national regulation and to be regulated only at EU level) or whether Airbnb is the equivalent of an estate agency service (which makes it subject to more comprehensive national regulation).
Uber went through the same process some while ago, but the CJEU differentiated Airbnb from Uber on the grounds that neither Airbnb’s principal intermediation service ‘nor the ancillary services offered by Airbnb Ireland make it possible to establish the existence of a decisive influence exercised by that company over the accommodation services to which its activity relates, with regard both to determining the rental price charged and selecting the hosts or accommodation for rent on its platform.’ Therefore, it is an information society service.
Ireland, being the host of the European headquarters of American tech giants, also features in the case on which I want to focus, which concerns Facebook Ireland, and has been brought by Facebook’s old nemesis, Max Schrems, the Austrian digital activist - Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, Case C-311/18. The case has only gone so far as the opinion of the advocate general, which was delivered just before Christmas, but since such opinions are very often followed by the Court in its judgment, it is worth our attention.
The essential question is the same that has bothered Mr Schrems from the beginning. Since Facebook Ireland sends his data back to the US for processing, is his data safe (as defined under EU law), given the Snowden revelations regarding the role of the US National Security Agency in having access to the data, and also given that he, as an EU citizen, has no legal footing to challenge what happens to his data in the US?
In the past, his activism has seen the previous arrangement for protecting data sent to the US (the old ‘safe harbour’ scheme) struck down for not being sufficiently safe. That has now been replaced by the ‘privacy shield’, about which there continue to be doubts – see below.
His case is of importance to us for various reasons, but mainly because we are about to assume the same status in relation to the EU as the US, namely a third country. Unless our government can come to a special deal regarding data protection by the end of this year (such as an unconditional adequacy decision), any data that travels from the EU to the UK will be governed by the considerations in this case.
The EU has published a useful information note on what will happen if there is no deal about data movement. One of the principal approved routes is through standard data protection clauses published by the European Commission, and it is these that lie at the heart of the latest Schrems case.
He says that such clauses do not protect him in the US against US law. The Irish data protection authority asked for a ruling on whether the EU decision setting up the clauses was valid, given that they offer no protection against US national security laws.
In an extremely long and complex decision, here summarised brutally and briefly, the advocate general said that the standard clauses decision was valid insofar as there is an obligation on data controllers and supervisory authorities to suspend or prohibit a transfer when the clauses cannot be complied with.
The advocate general did not consider it necessary to consider the validity of the new ‘privacy shield’ arrangement, but, in case he was wrong on his main decision, went ahead to do so – and concluded as follows: ‘I entertain certain doubts as to the conformity of the ‘privacy shield’ decision to Article 45(1) of the GDPR, read in the light of Articles 7, 8 and 47 of the Charter and of Article 8 of the ECHR.’ Wow!
The opinion contains long and careful analysis of the work of the GDPR in relation to transfers to third countries, and, as such, is vital reading for solicitors in relation to the likely fate of their own and their clients’ data post-Brexit.