Facebook among thousands of companies weighing EU data protection legal risks
A long-standing court battle between Facebook Ireland and Austrian lawyer Max Schrems has spilled over into the corporate world, threatening to disrupt thousands of companies from tech to pharma and retail.
‘Every element of the business has to ultimately worry about this and the potential for one of these claims,’ says Warren Allen, associate general counsel at New York-based Diligent Corp software company. ‘Privacy is pretty critical to the goodwill and the ultimate value of a business. It is also a reflection of trust within really every jurisdiction at this point.’
Non-compliance with the EU court ruling, known as Schrems II, could impair the value inherent in a company or even put directors at risk and create regulatory, civil and potentially criminal legal actions. Demonstrating compliance with the EU’s ‘gold standard’ privacy law is now critical to being a successful multinational, adds Allen.
The EU ruling doesn’t just pose a risk to Facebook, which collects user data to sell targeted advertising. Online retailers and professional service providers like accountants and management consultants should also be concerned, as should the US hospitality sector, because it processes travel arrangements.
‘If you are taking bookings at a hotel from EU citizens, are you allowed to hold their data?’ asks Josh Hardie, deputy director general of the Confederation of British Industry (CBI), which represents 190,000 businesses. The CBI says the uncertainty around the judgment poses a ‘real concern’ for business as the EU ruling extends to third-party countries that import European data – and that includes the UK come January 1 unless a Brexit deal is reached.
While Facebook declined to comment, the company notes in its third-quarter results that EU developments are creating ‘continuing uncertainty around the viability of transatlantic data transfers’ and ‘we are closely monitoring the potential impact on our European operations’.
Spying and eavesdropping
Privacy litigation ramped up after Edward Snowden, a former US National Security Agency (NSA) contractor, blew the whistle in 2013 on NSA mass surveillance, including spying and eavesdropping on emails and mobile phones.
Schrems I followed when Schrems himself challenged Facebook Ireland over its use of a US-EU safe harbor agreement to move data from Europe to the US, citing privacy concerns. Schrems won. The agreement was invalidated by Europe’s top court, the EU Court of Justice (CJEU), in 2015. A new ‘privacy shield’ agreement was negotiated by the Obama government but it was on shaky ground.
Schrems II was decided in July 2020 when the CJEU struck down the privacy shield. Judges also expressed doubts about US data protection laws, creating legal uncertainty about whether US companies can rely solely on standard contractual clauses (SCCs) as their backup plan in lieu of the privacy shield.
Hogan Lovells law firm set up a tracker noting that individual countries like Denmark may generally accept SCCs but cities like Hamburg in Germany want companies to rely on individual agreements plus binding corporate rules (BCRs) and SCCs. Pinsent Masons is also monitoring the divergent approaches of European countries and non-EU authorities including Switzerland and Iceland.
With IROs and corporate counsel still dissecting the implications of Schrems II, the European Data Protection Board (EDPB) delivered a third knockout punch in November when it interpreted the judgment conservatively and adopted draft guidance for EU regulators.
‘At the moment we are in a very uneasy position where the regulators seem to have set the bar too high and businesses are trying to explain that if they keep the bar at that height the implications will be enormous,’ says Marcus Evans, EMEA head of data protection, privacy and cyber-security at Norton Rose Fulbright law firm in London. ‘If they could soften this guidance so we could take into account the likelihood of access by a foreign government, the world might be able to carry on spinning without the disruption the current guidance is suggesting.’
Microsoft was the first company to respond to the EDPB guidance in November when it committed to challenge every government request for public sector or enterprise customer data – from any government – if there is a lawful basis for doing so. The company also offered compensation should Microsoft disclose data in response to a government request in breach of the EU’s General Data Protection Regulation.
‘It shows Microsoft is confident that we will protect our public sector and enterprise customers’ data and not expose it to inappropriate disclosure,’ says Julie Brill, Microsoft’s chief privacy officer, in a statement.
Diligent is building on its existing privacy program, too. The company is going through thousands of vendor and customer contracts, looking at SCCs and BCRs and examining underlying transactions to assess risk. It is also bringing in an outside vendor to beef up its data-mapping processes.
‘For a company to do appropriate due diligence, you have to start with your contractors,’ says Allen. ‘You have to start looking at where they are moving data. And you have to start looking at the measures you have in place with them and the measures they may have in place. And to some degree, just by practicality, you have to prioritize the most sensitive situations.’
Other companies may decide to adopt technical measures by encrypting, pseudonymizing or anonymizing information. But do smaller companies need to be wary, particularly those that would never normally be ordered to hand over data to state security services?
‘Well, it hasn’t quite got to that point yet but it could do,’ says Evans. ‘At the moment, what the regulator says is that every company has to do an assessment of the law of the importing country and then work out whether those laws are more intrusive or less intrusive, more protective or less protective than what’s allowed in Europe, which is an incredibly difficult piece of work to do.’
Ireland on the move
Ireland’s main privacy watchdog, which regulates the European headquarters of Microsoft, Facebook, Apple and Google, swung into action weeks after the judgment.
The Irish Data Protection Commission sent a preliminary order to Facebook ordering it to suspend US data transfers involving EU users. The issue is now with the Irish courts, with Facebook hoping to slow down the process and Schrems hoping to speed it up. Irish data protection commissioner Helen Dixon told CNBC she hopes the dispute with Facebook will be resolved by early 2021.
As for Schrems, the 33-year-old says the problem is in the US. ‘It is clear that the US will have to seriously change its surveillance laws if US companies want to continue to play a major role in the EU market,’ he told Bloomberg.
Schrems’ privacy group, Noyb, has also set its sights on Apple, which it targeted with data protection complaints in Spain and Germany. ‘At the moment we will not be filing the Apple complaint in other countries. [But] we have filed a complaint against Google,’ Noyb tells IR Magazine.
The Google complaint, sent to Austria’s regulator, claims Google tracks Android phone users with an ID allowing Google and third parties to monitor them.
Neither Google nor Apple responded to IR Magazine’s request for comment.