1. An initial analysis of the politics of the European Court of Justice's landmark decision invalidating the EU-US Privacy Shield arrangement, based on @ANewman_forward and my recent book on EU-US privacy fights - https://amzn.to/2UVnyI6 
2. Provisos - I am a political scientist rather than a lawyer, so I may miss some nuances. Also, I'm suffering from sinusitis. But the main points of the decision (which you can see for yourself here - http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=9725767 ) seem to me to be as follows.
3. First - Privacy Shield has been a dead man walking for some time. Few thought that the agreement would survive the ECJ's scrutiny. But the ECJ's judgment is notable for its thoroughness, building on the initial referral from the Irish courts.
4. The ruling finds that the current proposals for protection of the rights of EU citizens are fundamentally inadequate. The Privacy Shield provided for an Ombudsperson (working in State) and pointed to an executive order providing some protections for non-US people
5. whose data was taken up e.g. in US upstream surveillance. The Court found that the Ombudsperson was not independent (recent Trump firings of Inspectors-General probably didn't help make the case for autonomy of US bureaucracy) and that there was no recourse in courts.
6. The implication of all of this is that it is very difficult to see how any successor agreement that will survive ECJ scrutiny can be negotiated as an executive agreement. It would likely require Congressional law - giving substantial rights to non-citizens.
7. The ECJ lays out a path (similar to its Safe Harbor decision) for review of any future European Commission adequacy decisions on agreements through DPAs referring the matter to courts, which would then look to the ECJ for interpretation of the law and fundamental rights.
8. The consequences are straightforward. First, Privacy Shield is dead. Second, there will be no replacement agreement anytime soon and any agreement will be _very_ hard to negotiate. Third, businesses like Facebook that rely on vast transatlantic transfers of data are in trouble.
9. The decision also looked at standard contractual clauses, another way for businesses to get data across the Atlantic, and upheld the validity of this approach. However, as I read it (I'm not an expert on clauses), clauses may be tricky to use in practice.
10. The court says that clauses can only be used to transfer data to countries without adequate protections, when appropriate safeguards are in place, and effective legal remedies are available. Data protection authorities are required to block transfers without such.
11. However, "mandatory requirements of that legislation which do not go beyond what is necessary in a democratic society to safeguard, inter alia, national security, defence and public security are not in contradiction with those standard data protection clauses"
12. How such a broadly stated standard is going to be evaluated by privacy compliance officers, except in obvious cases, is _way_ beyond my competence to speculate. Suffice to say that there will be lots of work for the lawyers in future.
13. It may also be possible to transfer data with the consent of the individual under Article 49 of the GDPR, but that is also tricky in practice (Schrems has cases in the works under GDPR looking to eliminate the wiggle room around notions of consent that Facebook etc. rely on).
14. For IR scholars, this is, as Abe and I describe it in the relevant parts of our book, an extraordinary example of how a skilled and entrepreneurial individual with little outside resources like @maxschrems can exploit transnational legal structures to achieve results.
15. The global strategies of great powers and extraordinarily powerful corporations have been complicated - and perhaps upended - twice in a row. Finis
16. Postscript - one other important aspect of the judgment is its affirmation of the role of the European Data Protection Board in dealing with divergences of interpretation between different data protection authorities.
17. On the one hand, this will make it harder for e.g. Ireland's DPA to protect US companies with big presences in Ireland. On the other, it may hem in DPAs like Hamburg's from embarking on adventures. The politics of the EDPB are going to be of enormous international interest.
You can follow @henryfarrell.