What is this Schrems judgement about?
Its going to define the shape of the internet for years to come, its come out of Ireland (twice) and its super complicated. This is the Gist.
Some background: I represented Digital Rights Ireland in the Schrems I case and would have represented the EFF in the Schrems II case if the court had accepted them as an amicus to the court. So I’ve been thinking about the context of these consequential decisions by the Court of Justice (CJEU) for quite a number of years.
The nuts and bolts
The case resulted in a decision on two different legal mechanisms for sending personal data from the EU to the US – the EU-US Privacy Shield and the general-usage Standard Contractual Clauses. Privacy Shield was always basically farcical and it’s an embarrassment that it was allowed to linger as long as it did. But the Standard Contractual Clauses element of the case is where the long-term consequences are going to come into play. Basically, now you can’t just sign a contract and have both sides promise to be good. Now, you have to look at the legal systems the parties live under to see if that contract can really be held to.
This is particularly significant for transfers of personal data to the US, which hasn’t followed the EU and a good chunk of the world in accepting that data protection is a human right, and whose hunger for mass-surveillance data from its tech companies was revealed by the Snowden revelations.
As the Irish DPC said after the ruling, utilising much of the nation’s store of understatement as they spoke, “it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”
All of the bromides and reassurance statements coming from the US and the EU Commission during the day was the sound of losers, who had lost, not wanting to admit just how bad their loss was.
OK, so does the EU’s top court just really hate Facebook and other Silicon Valley behemoths? That’s not what this is about – though that’s the fixed opinion of a lot of those Valley company executives. But, like so much else, this isn’t actually about them. The European Commission, the EU's executive arm, has now twice tried to make a politically attractive compromise with the US to keep the EU-US data pipes flowing. And, twice, the court has simply said that they were flat out wrong to do it and that the agreement was illegal.
There isn’t going to be a third Potemkin data deal.
Institutionally, that’s an important line for the CJEU to hold the commission to. No matter how convenient they might find it to do so, the commission isn’t going to be allowed ignore the Treaties and the EU Charter of Fundamental Rights.
The clash of philosophies
In the unipolar world after the USSR expired, the US developed a digital culture with unimaginable profits pumping through it, all dependant on the idea of people being economic units whose data can be sold on, mostly to advertisers.
The EU, though the Charter of Fundamental Rights, has codified a human right of data protection, complementary but distinct from privacy, which runs entirely contrary to that Matrix-style model of humans as economic batteries for huge data machines. The EU has been using its market power (it is the richest market in the world) to encourage and cajole other countries to come along with it. Nearly 100 countries now have some sort of data protection laws on their books, making trade with the EU much easier.
And the court, as we’ve said, is holding the line on this newest human right as something non-negotiable for the future of the internet. This change is going to come to the US as well – probably from the state level up, with the most prominent example being California.
And this matters because there is a third model for the treatment of individuals and their personal data, and it is the Chinese one. The US model can make huge profits, but so can the Chinese model. But the EU’s data protection principles aren’t compatible with that Chinese model as it stands today.
The unipolar moment has ended.
The CJEU have their eyes on a horizon, because that’s their job. But they’re not worried about which venture-capital hoodie is up or down. They’re holding the line that matters. They’re making sure that by the time we realise that the online world and offline society are one and the same thing, we still have a chance to keep the offline rights we’re used to in both.