Schrems II: The CJEU Invalidates Privacy Shield
Schrems II is short for the case, Data Protection Commissioner v. Facebook Ireland Ltd., Maximillian Schrems. The case was heard in the Court of Justice of the European Union (CJEU) last week concerning the arrangement between Europe and the United States called Privacy Shield. Privacy Shield governed the means by which personal data was transferred from Europe to the United States.
In their decision the CJEU invalidated the Privacy Shield meaning the 5,500 businesses that rely on the data transfer arrangement are no longer in compliance with European law and. Scrambling to make sense of the new situation companies can for the short term rely on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which survive, but are on tenuous grounds.
Procedural History
This case is called Schrems II because it is the second case the CJEU has reviewed concerning data transfers from Europe to America. In the first case the CJEU invalidated the Safe Harbor, the precursor to Privacy Shield.
The CJEU heard this case per request from the Irish High Court. The original case was brought by the privacy rights activist Max Schrems. Schrems lives in Austria and has been a Facebook user since 2008. As is the case with most Facebook users living in the EU, some or all of Schrems’s personal data was transferred by Facebook Ireland to servers belonging to Facebook Inc. located in the United States.
In 2013 Schrems filed a complaint against Facebook under the old Safe Harbor framework arguing that Facebook’s transfer of EU citizens’ personal data to the United States violated their rights. Schrems’s complaint was rejected on the ground that the Commission had found that the United States ensured an adequate level of protection. However, this decision was overruled by the Irish High Court.
Schrems then amended his claim arguing that the United States did not offer sufficient protection of data transferred to the country seeking the suspension or prohibition of future transfers from the EU to the US. The case history relates to the NSA program famously exposed by Edward Snowden. That institution was able to gobble huge amounts of information and communications in their “surveillance activities” under the aegis of the ‘War on Terrorism,’ and basically Europeans got upset that their abstract principles related to human rights and privacy were being violated.
In reviewing the complaint, the Irish Data Protection Authority claimed that personal data transferred to the United States was likely to be consulted and processed by certain U.S. authorities in a manner incompatible with articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The Irish data protection authority concluded that U.S. law did not provide EU citizens with the equivalent of effective judicial remedy in accordance with article 47 of the Charter, and that the SCCs were not capable of remedying this defect. These were the claims brought before the Irish High Court who in turn referred a set of 11 questions to the Court of Justice of the European Union.
CJEU Ruling and Why
The Court of Justice ruled on two important issues about data transfers subject to a contractual agreement (SCCs) and the validity of the E.U.-U.S. Privacy Shield. On the question of Privacy Shield, the Court nullified the arrangement citing inadequate safeguards when transferring personal data.
The Court of Justice invalidated the decision on the grounds that American laws failed the ‘adequacy standard.’ In doing so the CJEU wrote that data transfers to third countries may only take place if the third country ensures an adequate level of data protection. The Court ruled that the failure of United States laws to give redress to EU citizens if violations of GDPR are found was a key reason. In addition, the CJEU ruled that American surveillance practices failed the proportionality requirements of GDPR that limit the scope and duration of data collection to necessary activities held for a stipulated duration with deletion requirements at the end of the stated period. Under American National Security there are no such limitations.
The Court then turned to the question Standard Contractual Clauses. On the question of SCCs, the Court found them to be adequate for the transfer of personal data outside the EEA to the third parties. However, depending on the position of the particular third party country, the adoption of contractual provisions may need to meet a higher standard. In the context of America, the CJEU ruled that SCCs must provide additional protections against US government surveillance.
The conflict again arises in this tension between American surveillance practices and EU law. Under American law, companies located in America are compelled to turn over requested data. This fact is what the CJEU is taking issue with and they must be hoping to secure some protections for EU citizens from this surveillance regime.
What Must Businesses Do Now?
There is a duty for each data controller and recipient of data in each country outside the EU to investigate and guarantee that the recipients country’s laws are adequate. Each member nation of the EU supervisory authority must make a determination on a country’s adequacy. If there are disagreements between EU nations on a determination of adequacy the issue goes to the European Data Protection Board (EDPB).
The CJEU said that SCC are valid but laid out the conditions to retain that validity in practice. Exporters and Importers have obligations around analyses of the laws of the third party country. If the exporter doesn’t suspend transfers where law cannot be complied with then Data Protection Authorities must step in.
Article 49 of the GDPR details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under derogations for specific situations. These exceptions include explicit consent,[3] necessary for the performance of a contract between the data subject and the controller, necessary for important reasons of public interest, necessary for legal claims, necessary to protect vital interests of the data subject or of other persons. These are exceptions among others.
- Transparency
Andrew Sherwin, an expert in American National Security Law laid out some things that companies can do to insure that data transfers remain complaint in the short term. One of those was to be as transparent as possible about data transfers. Detailing if the American surveillance apparatus had made requests in the past for data in the past and if so documenting those requests; the volume and frequency.
2. Acknowledge Industry Related Privacy Laws
Companies should acknowledge the privacy laws of their specific industry whether that is HIPPA, CCPA, etc and note the requirements of those laws.
3. End to End Encryption
Companies can theoretically argue that without access themselves they cannot provide access to the US government.
4. Data Localization
Don’t store data in the United States. Store data in Europe instead. Europe lies outside the sovereign jurisdiction of the United States.
Getting into the Legal Jargon
The gist of the issue for the CJEU is that US laws provide no effective legal remedies for data subjects. For EU citizens there are no constitutional protections or privacy rights afforded to the personal data of EU citizens when that data makes its way across the borders of the United States. It should be stated that Americans do not have much redress because (1) the government maintains the secrecy of its surveillance program and (2) the government gets constitutional and legal challenges dismissed as it’s really hard for people to prove they are under surveillance as was held in the Supreme Court decision Clapper v. Amnesty International.
American surveillance activities are governed by Section 702 of the Federal Intelligence Surveillance Act. Section 702 permits surveillance of individuals who are not US citizens located outside the US in order to obtain ‘foreign intelligence information. Executive Order 12333 (E.O. 12333) permits the NSA to access data ‘in transit’ to the US and thus has access to the underwater cables on the floor of the Atlantic and can ask Service Providers like Facebook (Whatsapp) and Apple (iMessage) to supply communications.
Under the Third Party Doctrine of the Fourth Amendment, the U.S. Supreme Court has held that people lack a reasonable expectation of privacy in personal data held by third parties even if those third parties have promised them privacy in a contract.
The CJEU, in considering American surveillance law wrote, “in so far as those standard data protection clauses cannot…provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require…the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.”[2]
In addition, the CJEU criticized US law’s lacking a “principle of proportionality” because there is no limiting factor in American law ensuring only necessary data to meet legitimate interests or “to protect the rights and freedoms of others” is collected.[1] The CJEU also said US law lacks sufficient controls over use and retention of personal data gathered by the government.
While these criticisms are fair, the real difficulty is that the CJEU cannot change US laws. Thus, for those companies that operate in America, they are first subject to American laws and if those laws require that companies hand over data, those companies must hand over data even if it violates European laws.
This decision not only effects transfers of data from the EU to the US, but also effects data that goes from the EU to another country and then onward to the US relying on the Privacy Shield.
[1] Schrems II ¶ 174
[2] Schrems II ¶ 133
[3] Explicit consent is not usually valid in situations regularly transferring personal information
