One of the questions that privacy advocates are asked the most often is whether we should be more concerned about the privacy invasions of corporate giants such as Google and Facebook or the seemingly all-encompassing surveillance of the NSA, GCHQ and others. Perhaps the best lesson that we could learn from Case C-362/14 Schrems v Data Protection Commissioner is that this is the wrong question to ask: the two are intimately and perhaps inextricably linked. From the perspective of privacy, we need to consider them together, and be concerned about both. Whether we will learn that lesson is quite another matter.
The Schrems ruling has really put the cat among the pigeons and brought some serious chickens home to roost – and there are several enormous elephants in the room. A whole herd of them. If we are to find a way through all of this we need to examine all these animals carefully.
The cat is the invalidation of the original safe harbour decision. The implications of this are potentially huge, as has already been discussed at length. So huge, in fact, that some have effectively tried to pretend it hasn’t really happened at all, or to hide from its implications. The initial response of the Commission was to treat the invalidation as little more than a technicality, entirely ignoring one of the bigger of the elephants – the role of surveillance – and trying to work for a detailed technical solution to a problem whose essence is based on fundamental rights, not technical details. This kind of approach, first suggesting that model contracts could be the solution then trying to negotiate a ‘Safe Harbor 2.0’ that in practice varies very little from the first version, missed the main points of the ruling and the bigger issues that lie behind it. Avoiding the main points may well work in the short term – a kind of ‘muddling through’ approach to the issue may be the only way to deal with the consequences of the judgment – but in the longer term it only stores up problems. Those problems are the chickens that are coming home to roost: primarily the failure over a number of years to face up to the really serious issues that data protection has in the context of social networking in general and Facebook in particular.
Facebook challenges some of the fundamental principles of data protection, and has done from the very beginning. Purpose specification, consent – and informed consent in particular – and data minimisation are in some ways contrary to the whole Facebook business model, and that’s without even starting on the issue of data transfers out of the EEA which were the basis for Schrems. These challenges have been skirted around for years, with the occasional and quite specific confrontation – the right to be forgotten, it must be remembered, was originally mooted by Viviane Reding as a response to Facebook’s failure to allow people to delete their profiles – but the larger conflict remains. How can a business model based on general gathering of as much data as possible, for no particular purpose, to be shared around the globe with abandon, fit within a legal regime that intends minimum data gathered for specific purposes and kept as discretely and securely as it can be? The big picture is one of fundamental contradiction, and all that the regulators have done is tinker at the edges and pretend – or perhaps convince themselves – that there is no real problem.
This is where Max Schrems comes in. Whilst the authorities have largely avoided confrontation, he has been challenging Facebook since 2011, and on a broad range of issues. The authorities, and the Irish DPA in particular, did not seem particularly keen on Schrems’ challenges – from the outside it looked as though Schrems was viewed as a bit of an annoyance, upsetting the apple-cart for no real reasons. Whether they privately acknowledge that he was actually addressing fundamental issues is another matter – these were, and to a great extent still are, problems that it is very hard to find a way around. Either way, it took a huge amount of persistence and courage for Schrems to keep going, right to the top of the legal mountain – and in the end he does seem to have won.
The fact that it was the surveillance activities of the US authorities that was the key to Schrems’ success should also not be surprising – and this is another chicken coming home to roost. The revelations of Edward Snowden – mentioned specifically by the CJEU in both the ruling and the press release that accompanied it – cast a huge shadow over the whole idea of privacy on the Internet, and that very much includes data protection. The idea that the security and intelligence services could in effect have unfettered access to our personal data had previously been one that was discussed only informally, believed primarily by what were previously considered to be conspiracy theorists. Snowden’s revelations have made it far harder to avoid dealing with the implications.
It must be understood, however, that this is not just about ‘overreach’ by the security and intelligence services but about the combination of the mass data gathering, holding and analysis by Internet companies (Facebook, Google et al) with that overreach. As Bruce Schneier put it ‘[t]he NSA didn’t wake up and say, “Let’s just spy on everybody.” They looked up and said, “Wow, corporations are spying on everybody. Let’s get ourselves a copy.”‘ The Snowden revelations should not just make people wonder about the activities of the spooks, but of the data-hungry – and in many ways data-protection-avoiding – corporations upon which the spooks feed.
That hints at what may be the largest of the elephants in the room – and one which those negotiating the reform of the data protection regime are trying their very best not to see. The business models of Facebook, Google and others are based on systems for the gathering, holding and use of data that are essentially at odds with the principles upon which data protection is based. Those principles were established in what was not just a pre-social networking age but a pre-internet age, and yet we are still trying to apply them in a form very little different today. The reform, insofar as we can see it, just tinkers at the edges. Indeed, in some ways it reinforces the worst of the problems: the emphasis on consent, for example.
The problems have been well signposted, but the trilogue have largely ignored those signs. The Google Spain ruling in 2014 should have given pause for thought at the very least – and a thorough re-examination of how data protection should apply to search, and a re-working of the right to be forgotten and erasure at best – but nothing seems to have been done about it at all. That is close to unforgiveable – and yet at the same time understandable, as stirring the pot at this late stage and getting agreement from all the relevant parties would have been very difficult indeed. Even more pertinently, the idea of fundamentally changing the way giants such as Facebook do their business seems almost as impossible as stopping the way that the NSA and others do their surveillance. And that brings to mind another of the herd of elephants slowly circulating around the room: if the NSA’s surveillance is a threat to fundamental rights and to data protection, what about the surveillance of GCHQ and the other European intelligence and security services? France has passed a surveillance law that enables almost as much intrusion as is speculated about the NSA, and in the UK the recently revealed draft Investigatory Powers Bill envisages much the same. How can it be consistent to worry about what the US does while not caring about what is done within Europe? There are legal arguments about this, of course, but the fundamental issues remain.
In practice, I fully expect the trilogue to keep averting its eyes from the elephants and closing its ears to the squawking of the chickens, and push through the data protection reforms in essentially the same form. Those elephants are not going anywhere, however, and the chickens will be more and more insistent. At some point we will have to face them both – but that point seems a long way off right now.
Dr Paul Bernal is Lecturer in Information Technology, Intellectual Property and Media Law at the UEA Law School. Twitter: @paulbernalUK
He offers his apologies to Cambridge University’s David Erdos for misappropriating his elephant, and toBird & Bird’s Graham Smith for poaching his chickens.