Schrems II
In July 2020, the Court of Justice of the European Union (CJEU) issued its long-awaited decision in the Data Protection Commission v Facebook Ireland case. The decision invalidated the European Commission’s previous adequacy decision for the EU-US Privacy Shield Framework and will have a significant impact on personal data transfers.
The decision, colloquially known as Schrems II as it is the second legal challenge by the Austrian activist Max Schrems, ruled that “the Privacy Shield does not provide adequate protection” and the CJEU affirmed that it had found “for a second time now that there is a clash between EU privacy law and US surveillance law”.
In the first Schrems decision in 2015, the Court invalidated the Safe Harbour framework that had governed EU-US personal data flows; Schrems II has now struck down Safe Harbour’s data protection-enhanced successor, Privacy Shield. The CJEU specifically invalidated Decision 2016/1250, the European Commission’s 2016 decision that Privacy Shield was adequate to enable data transfers under US law. The decision also contradicts three years’ worth of annual reports from the Commission affirming the stance of their 2016 decision.
The Commission had in the past raised its own issues with the Privacy Shield; for instance, it had consistently argued that a permanent ombudsman should be appointed to fill the role of tribunal as specified within Article 47 of the EU Charter of Fundamental Rights.
With the Court now ruling that Privacy Shield is insufficient to govern the data sharing between the EU and the US, over 5,300 participants will be severely affected. Two main reasons were cited by the CJEU in their decision, pertaining to the all-encompassing nature of US surveillance and the lack of action EU citizens can take against the US if they are adversely affected.
Firstly, the Court found that US surveillance programmes are not limited to strictly necessary data, despite their assessment by the Commission, thus meaning that they do not meet the requirements of Article 52 of the EU Charter. Secondly, the Court ruled that EU data subjects lack actionable judicial redress with regard to US surveillance, thus not satisfying the demands of Article 47 of the Charter.
The CJEU also issued a further ruling that will significantly affect how companies establish compliance with EU data protection rules. The Court ruled Commission Decision 2010/87, focused on standard contractual clauses (SCCs), to be valid. This ruling means that personal data transferred subject to said contractual obligations between data controllers and processors is still sufficiently protected.
SCCs are thus still considered a valid method to ensure data protection, but the CJEU’s overall ruling does raise the question of the utility of SCCs as a means to govern data sharing, a question the Data Protection Commission (DPC) raised in its reaction to the decision. Divergent opinions also emerged among tech companies, with some saying that it was unclear whether SCCs would meet data protection standards given the Schrems II ruling, while others rushed to reassure clients that data transfers were still possible.
The entire case began when Schrems alleged that Facebook had violated his privacy rights once it had transferred his data to the United States, where it could be analysed by US intelligence agencies. Given that Facebook’s EU headquarters are in Dublin, it then fell to Ireland’s DPC to prosecute. The DPC is now charged with action on the guidance provided by the CJEU.
In a statement released after the CJEU ruling, the DPC said it “welcomes” the decision. “The Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable,” the DPC said.
“This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis. As well as providing clarity on points of substance, today’s judgement also contains important statements of position relating to matters of process, to include the allocation of responsibility between data controllers and national supervisory authorities when it comes to ensuring that the rights of EU citizens are protected in the context of EU/US data transfers.
“While noting the Court’s reference to the fact that a supervisory authority would not suspend data transfers while an adequacy decision – such as Privacy Shield – was in force, the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play across the EU.”
In September 2020, the DPC sent Facebook a preliminary order to halt the transfer of EU citizens’ data to the US, with a fine of 4 per cent of annual revenue to be imposed if conditions are not met. Facebook’s Vice President of Global Affairs and Communications Nick Clegg, responding on a Facebook blog, acknowledged that data protection laws are changing, but stated that more legal clarity was needed and advocated a revision of Privacy Shield.
“These [reform] efforts will need to recognise that EU member states and the US are both democracies that share common values and the rule of law, are deeply culturally, socially and commercially interconnected, and have very similar data surveillance powers and practices,” Clegg wrote.
The European Data Protection Board issued recommendations for firms dealing with transfers. There were six recommendations: know your transfers; identify the transfer tools you are relying on; assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer; adopt supplementary measures; procedural steps if supplementary measures have been identified; and re-evaluate at appropriate levels.
Further repercussions concerning trans-Atlantic intelligence services and surveillance could arise from a push to place European intelligence services beyond court jurisdiction. EU member states, led by France, are now seeking to insert a national security exemption into the pending ePrivacy Regulation, which would exclude third parties such as the US.