
Experts warn EU privacy case might backfire

A European Union court case ostensibly aimed at keeping personal data private could backfire and cause great damage to the continent, say industry leaders and legal experts.

This week, Irish courts referred the latest chapter of a longstanding legal challenge between activist Max Schrems and Facebook to the European Union courts. At issue are “model” contractual clauses Facebook uses that are supposed to replicate the protection EU citizens have within Europe.

Without model clauses, it is typically illegal to store EU citizens’ data outside of Europe. Schrems argues that U.S. surveillance operations make it impossible for the model clauses

But model clauses are not only used by Facebook to store personal data in the U.S. They are also used by a bevy of companies and services throughout Europe and across the world to store data outside the EU.

“If model clauses are deemed inadequate, the economic damage will be enormous,” said Thomas Boue, director general of policy for Europe, the Middle East and Asia for the software industry trade group BSA. BSA does not count Facebook among its members. 

The only non-European Union nations that companies can transport EU data to without a model contract are Andorra, Argentina, Canada, Switzerland, Israel, New Zealand and Uruguay. Additionally, four British or Dutch protectorates, the Faeroe Islands, Guernsey, Isle of Man and Jersey, do not require model clauses, and the United States is covered by a treaty known as Privacy Shield.

That means to do business with major markets like Brazil, India and Japan, European Union companies must use model clauses.

“The model contracts are used by EU companies to transport data all over the world, including countries that have much worse records for surveillance than the United States, like China and Russia,” said Cameron Kerry, former general counsel and acting secretary of the Commerce Department and current senior counsel at Sidley Austin. 

“It has the potential not just to shut down data to the U.S., but to turn the European Union into a data island,” he said. 

Facebook could shift from using model clauses to using Privacy Shield, although that treaty is also being challenged in European courts.

Schrems first rose to fame when he successfully brought down Privacy Shield’s predecessor, Safe Harbor, in a previous court case.