Big Techs Navigate Quagmire of EU Data Sovereignty
In the saga of Big Tech companies and their seemingly never-ending confrontations with EU legislators, issues surrounding what the EU calls “digital sovereignty” are among the most intractable.
The European Parliament has defined digital sovereignty as “Europe’s ability to act independently in the digital world” adding that the concept should be understood in terms of both “protective mechanisms and offensive tools to foster digital innovation (including in cooperation with non-EU companies).”
The European Parliament has also at times mobilized the related concept of data sovereignty, which exists at both the individual level and at a larger scale.
For the individual, data sovereignty refers to people’s ability to control who does what with their data. But at another level, data sovereignty can refer to independence from what the EU perceives as the oversized influence of a handful of Big Tech firms in the global data economy.
Since last year, EU’s relationship with American Big Tech companies, most notably Google and Meta, has become increasingly fraught following a landmark ruling by the Court of Justice of the European Union (CJEU).
In July 2020, the CJEU struck down a transatlantic data sharing agreement known as the EU-U.S. Privacy Shield, which was designed by the U.S. Department of Commerce and the European Commission to ensure that the requirements of the EU’s General Data Protection Legislation (GDPR) were met when transferring personal data from the EU to the U.S.
The case that led to the invalidation of the Privacy Shield was initially filed by an Austrian privacy advocate, Max Schrems. In 2015, Schrems filed a complaint with the Irish Data Protection Commissioner (DPA) against Facebook, challenging the company’s use of standard contractual clauses (SCCs) as a legal basis for transferring his personal data to the U.S.
Schrems argued that the personal data of EU subjects might be at risk of being mass processed by U.S. intelligence agencies once transferred without ensuring a level of protection equivalent to GDPR.
While the Schrems case led to the Privacy Shield being struck down, Facebook has continued to use SCCs. However, the practice has come under increased scrutiny since.
Under the DPA’s warnings that Facebook and Instagram’s use of SCCs as a means of exporting data may be illegal, in February, Meta raised the issue in its annual report, stating that if a replacement to the Privacy Shield isn’t worked out soon, it may have to pull both platforms from the EU.
Already, data protection agencies across the EU have been warning businesses that their usage of Google Analytics is illegal for similar reasons.
Further reading: French Privacy Regulator Rules Against Use of Google Analytics
The Future of Transatlantic Data Flows
Although U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an agreement “in principle” for a new Trans-Atlantic Data Privacy Framework in March, even if the framework is implemented, it may only be a matter of time before that, too, has its Schrems vs Facebook moment.
For privacy advocates like Max Schrems, there is a fundamental incommensurability between GDPR and the way U.S. agencies gather data on foreign citizens.
In his assessment of the anticipated “Privacy Shield 2.0,” the lawyer and data rights expert Grégory Sroussi pointed specifically to the U.S. Supreme Court’s decision in FBI v. Fazaga as one issue that “would make it more difficult for the U.S. and EU to reach a lasting agreement that would withstand a challenge before the CJEU.”
In the Fazaga case, the Supreme Court ruled that the federal government could invoke its state-secret privilege to prevent the disclosure of information to individuals who claimed they had been subject to illegal surveillance from U.S. authorities under the Foreign Intelligence Surveillance Act (FISA).
The Fazaga ruling is critical because one of the key issues discussed in the Schrems case was the broad scope of surveillance under FISA.
For his part, Schrems appears to be preparing to challenge the proposed deal already:
“The final text will need more time, once this arrives, we will analyze it in depth, together with our U.S. legal experts. If it is not in line with EU law, we or another group will likely challenge it. … We expect this to be back at the court within months from a final decision,” he said earlier this year.
He added: “It is regrettable that the EU and U.S. have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”
For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.
We’re always on the lookout for opportunities to partner with innovators and disruptors.