by David Horrigan
on July 22, 2020
Cyber Security & Data Privacy
Max Schrems has probably had a greater impact on the international transfer of data than any person on the planet.
Whether you agree with his privacy crusade against Facebook or bemoan his attacks on international agreements that took years to develop, his impact is undeniable.
Well, Max Schrems strikes again.
The Court of Justice of the European Union (CJEU) on July 16 invalidated the EU-US Privacy Shield Framework, which allowed data transfers between Europe and the United States, in Data Protection Comm’r v. Facebook Ireland, Ltd. and Schrems, C‑311/18.
Of course, we needed the Privacy Shield because Mr. Schrems also had a hand in the demise of the Privacy Shield’s predecessor, the US-EU Safe Harbor Framework. The CJEU invalidated the Safe Harbor in its October 2015 decision, Schrems v. Data Protection Comm’r, No. C-362/14.
So, if we want to transfer data between Europe and the United States, what do we do now?
Maximilian “Max” Schrems got an early start on things, beginning his data privacy mission while he was still an Austrian law student.
According to media reports, Schrems was inspired to act when he was a law school exchange student at one of America’s more tech-forward law schools, the University of Santa Clara School of Law.
Apparently appalled by a presentation by a Facebook data privacy lawyer, Schrems swung into action.
While still a law student, Schrems began his mission against the data privacy practices of Facebook. Eventually, he would launch a website, europe-v-facebook.org, a compilation of data privacy grievances against Facebook (including a redacted version of his own Facebook data), and file numerous data protection complaints against Facebook.
In addition, Schrems formed the data privacy organization, noyb, which operates the website, noyb.eu. In case it didn’t occur to you, noyb stands for “None of Your Business.”
Before the 2018 effective date of Europe’s General Data Protection Regulation (GDPR), data privacy in Europe was governed by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, known commonly as the EU Data Protection Directive.
The 1995 Directive—which went into effect in 1998—placed substantial restrictions on the processing of personal data, forbidding the transfer of personal data on Europeans to non-EU nations not meeting European adequacy standards for data privacy and protection.
One of those nations was the United States.
To get around this tricky problem, the US Department of Commerce worked with the EU to create the US-EU Safe Harbor Framework so that US enterprises could be certified as being in compliance with the European adequacy standard. The US created a corresponding Safe Harbor program with Switzerland.
The Safe Harbor Framework was unpopular with many European data privacy advocates. They argued the Safe Harbor’s self-certification meant the proverbial fox was guarding the data privacy henhouse and that enforcement was lax.
One of those people unhappy about the Safe Harbor was Max Schrems.
Schrems’s concerns focused on the Edward Snowden revelations about surveillance by the US government. The American government argued the attacks of September 11 and international terrorism required the surveillance. Snowden argued that the United States could not possibly provide “adequate data protection” under European standards when the government was spying on citizens and their data.
In what has become known as Schrems I, Max Schrems filed a complaint against Facebook in 2013 with the Ireland Data Protection Commissioner. He filed in Ireland because Facebook’s European headquarters is in Ireland.
The Irish Data Protection Commissioner rejected Schrems’s case, but the High Court of Ireland granted review and referred the matter to the European Court of Justice, the high court of the European Union and one of the two branches of the Court of Justice of the European Union (CJEU).
In Schrems v. Data Protection Comm’r, No. C-362/14, the court ruled in October 2015 for Schrems, invalidating the Safe Harbor.
Work then began on a successor to the Safe Harbor, the EU-US Privacy Shield Framework.
In an attempt to fix issues with the Safe Harbor, the Privacy Shield provided data subject access rights and enforcement provisions, among other things, and on July 12, 2016, the European Commission determined the Privacy Shield contained adequate data protection under EU law.
However, Max Schrems still wasn’t satisfied.
He continued his data privacy crusade in Data Protection Commissioner v Facebook Ireland Ltd. and Schrems, No. C‑311/18, known as “Schrems II.” (Although most observers refer to this case as Schrems II, Schrems filed an American-style class action against Facebook in Austria in 2014, so some refer to the current case as Schrems III.)
Schrems II was not only an attack on the Privacy Shield but also an attempt to invalidate another workaround for meeting European data protection adequacy requirements: standard contractual clauses.
Standard contractual clauses are agreed terms and conditions formulated between parties transferring data between the European Union/European Economic Area and the United States (or other jurisdictions that do not meet European data protection adequacy standards) so that the parties can transfer personal data lawfully.
Standard contractual clauses are designed to ensure compliance with European data protection adequacy standards, and they are provided for in Article 46 of the GDPR. Article 47 of the GDPR provides for “binding corporate rules.”
Standard contractual clauses are agreements between two parties, whereas binding corporate rules are more like a “code of conduct” of agreed practices, approved by a data protection authority.
The International Association of Privacy Professionals (IAPP) provides a compilation of links to approved binding corporate rules, including those of eBay (Luxembourg DPA), HP (CNIL, the French DPA), and JP Morgan Chase (ICO, the UK DPA).
As we noted above, in its July 16 decision in Schrems II, the CJEU invalidated the Privacy Shield, holding that US government data surveillance practices violate the EU Charter on Fundamental Rights and that the United States offered no proper legal remedy for violations. European citizens having a private right of action in US courts has been proposed, but it was not part of the Privacy Shield.
But what about standard contractual clauses? Do we still have our workaround?
If you listen to Max Schrems and his friends at noyb, the answer would be no.
“SCCs cannot be used by Facebook and similar companies,” Schrems and his noyb colleagues stated, referring to standard contractual clauses. However, the legal reality is somewhat more nuanced.
The fact of the matter is that the Schrems II court upheld the use of standard contractual clauses. It merely put restrictions on their use.
The court’s opinion basically followed the December 19, 2019 recommendation of the court’s Advocate General. Although the court upheld the use of standard contractual clauses, the court held that—before any transfer—parties must verify there is in fact an adequate level of protection for personal data in the jurisdiction receiving the data, and that, if not, the parties must ensure an adequate level of protection for personal data transferred.
That’s the basis of the Schrems-noyb argument that the court held Facebook can’t use standard contractual clauses: noyb argues standard contractual clauses can be used only where there is “no conflicting law.”
“The judgment makes it clear that companies cannot just sign the SCCs, but also have to check if they can be complied with in practice,” Schrems wrote on the noyb site.
The invalidation of the Privacy Shield Framework is a big deal in the world of data privacy and data protection. It was a vehicle to allow companies to work around European data transfer requirements, and now it’s gone.
Admittedly, after the court’s July 16 decision, the US Department of Commerce said it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. However, that does little good if the Europeans won’t play ball.
The survival of standard contractual clauses is of some relief to those transferring data between Europe and the United States, but there are strings attached there, too. Companies wishing to transfer data should consult counsel and examine whether standard contractual clauses can be used for their transfers.
Another possible remedy?
We’ve said it on these pages before. It’s really time for the United States to pass comprehensive federal data privacy and data protection legislation. That way we could be “adequate” in the world of data privacy and protection.
But, oh yeah, it’s an election year. Good luck with that.
David Horrigan is discovery counsel and legal education director at Relativity. A former reporter and assistant editor at The National Law Journal and analyst and counsel at 451 Research, he was First Runner-Up for Best Legal Analysis in the 2019 LexBlog Excellence Awards.