2. Overview
The purpose of these slides is to provide an overview of the Schrems II case regarding the transfer of personal data between the European Union (EU) and the United States (US). The slides then analyze the reasoning behind the ruling by the Court of Justice of the European Union (CJEU) against the EU-US Data Protection Shield, and the potential effects of the ruling on the companies involved in these data transfers.
3. Background: Schrems I
Schrems II is the continuation of privacy lawyer Maximilian Schrems's complaints against Facebook Ireland over data privacy violations [1].

In 2013, former NSA contractor Edward Snowden leaked a trove of classified NSA materials. These included details of a program called "PRISM", under which the NSA collects internet communications from U.S. companies such as Facebook. The fact that Facebook would share the data of its European users with the NSA prompted Schrems to file a complaint with the Irish Data Protection Commission. He alleged that Facebook Ireland's data sharing agreement with Facebook, Inc., its American parent, violated his rights under the Charter of Fundamental Rights of the European Union because of Facebook Inc.'s cooperation with US intelligence agencies.
Schrems I resulted in the invalidation of the Safe Harbor framework, leading to the creation of the Privacy Shield as a replacement [4]. However, this did not address Schrems's original complaint over the validity of Facebook's data transfers, as Facebook and other companies simply switched to using Standard Contractual Clauses (SCCs), an alternative mechanism for data transfer.

Consequently, Schrems continued his campaign, filing another complaint with the Irish High Court that challenged the validity of both the Privacy Shield and the SCCs. This was again referred to the CJEU, leading to the Schrems II case.
4. What is the Privacy Shield?
The Privacy Shield was a framework designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration to provide companies with a presence in both jurisdictions with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US for commercial purposes [2]. The framework was initially approved by both the EU and Switzerland: on July 12, 2016, the European Commission deemed it adequate to enable data transfers under EU law. Similarly, on January 12, 2017, the Swiss Government approved it as a valid legal mechanism for complying with Swiss requirements when transferring personal data from Switzerland to the United States.
The Privacy Shield was a replacement for "Safe Harbor", an EU-US data transfer agreement that had previously been invalidated by the CJEU in 2015 after an earlier challenge submitted by Max Schrems, a notable Austrian lawyer and privacy activist.
5. Who is Max Schrems?
Maximilian Schrems is an Austrian attorney and privacy advocate. Schrems I (Maximilian Schrems v Data Protection Commissioner) and Schrems II (Data Protection Commission v. Facebook Ireland, Schrems) arose from complaints lodged by Schrems with the Irish Data Protection Commission [3].

In his complaints, he challenged the lawfulness of transfers of his personal data by Facebook in Ireland to Facebook in the US, on the ground that the legal system in the US did not ensure adequate protection of his personal data against US national security surveillance activities.

Schrems I invalidated the Privacy Shield's predecessor, the Safe Harbor framework. In Schrems II, Schrems challenged the validity of the Privacy Shield.
6. CJEU Ruling
On July 6th, 2020, the CJEU struck down the EU-US Data Protection Shield, ruling the arrangement to be inadequate and not up to the standards of EU law. However, the ruling does not invalidate the operations of the Privacy Shield itself. "The Standard Contractual Clauses remain a valid tool for the transfer of personal data to processors established in the third countries. This means that the transatlantic data flows can continue based on the broad toolbox for international transfers provided by the GDPR." - Věra Jourová, Commissioner with Responsibility for Trust and Transparency.
What happened to the Privacy Shield?
7. Reasons behind the ruling
Intervention by U.S. Authorities
US authorities can access and use the personal data of EU data subjects transferred under the Privacy Shield for purposes that go beyond what is strictly necessary and proportionate to the aim of national security. The prime concern with US law and practice is that US businesses receiving national security letters, or other such federal investigative demands, are often precluded from informing the investigation targets (the data subjects) about the inquiry. This is contrary to the transparency principles of the GDPR.
Inadequate Protection
The Court concluded that US laws and practices do not ensure a level of protection essentially equivalent to that guaranteed under EU law, in particular with respect to the actionable rights of individuals before the US courts regarding the powers of the US intelligence services [5].
8. Effects of the Ruling: Companies
The invalidation of the Privacy Shield has significant implications for Facebook and other companies that used the framework, as they will need to find alternative methods of transferring data. While the ruling does not invalidate the SCCs themselves, the Court has clarified that the ruling applies to all data flows, even those under SCCs, involving a company that falls under NSA surveillance law.

But the ruling has not had the immediate effect that some may have hoped, as most companies, Facebook among them, have instituted delays while they review the decision and evaluate potential actions. As such, it might be some time before the effects of the ruling are felt by the private sector at large, if at all by major firms such as Apple or Google, which could seek exemptions or otherwise seek to avoid absolute compliance.
9. Effects of the Ruling: Countries
The invalidation of the Privacy Shield also has implications for frameworks between the EU and other countries. Given that other jurisdictions such as India or China also possess strong surveillance capabilities, the ruling sets a new precedent for future evaluations of data transfers to those countries [6].

One immediate implication is for the United Kingdom, which recently separated from the EU as a result of the Brexit referendum. UK surveillance law has also faced repeated challenges under EU human rights law. As a result, the UK could fall under the same 'third country' category that the US is in. However, there are differences between US law, which is entirely sovereign, and UK law, which has been reviewed and amended by European courts to comply with EU regulations.
10. Conclusion
The outcome of Schrems II was unsurprising given the Court's strong support for data protection rights and its previous criticisms of the Privacy Shield. However, the ruling is a monumental decision that could have sweeping consequences for American companies operating in the EU and for data transfer agreements between the EU and other nations. Companies that relied on the Privacy Shield must now find legal alternatives if they are to continue operations, or else be forced to pull out of Europe entirely. The ruling also means that the US will not be able to merely reach a third agreement by making minor changes to the Privacy Shield. Given that it is unlikely the US would easily relinquish its national surveillance operations for the sake of adhering to EU regulations, the burden falls on companies to deal with the legal implications [7].
One idea could be to develop codes of conduct or certification mechanisms, together with enforceable commitments covering US data flows, as foreseen under Article 46(2) GDPR. Codes of conduct and certification mechanisms as a legal basis for data transfers have not been approved under the GDPR thus far, but they present an opportunity for both sides to cooperate on.
12. About Evertio
Evertio helps companies launch a privacy program by providing basic privacy education and privacy tools.

Our software features include data mapping, assessments, a privacy and cookie policy generator and many more.
https://evertio.com