Lowering the Privacy Shield: Schrems II and its Implications

H Lee
Published in LawSpring
Aug 8, 2020

Illustration by Georgia Mae Lewis | @georgiamaelews

On 16 July, the Court of Justice of the European Union (CJEU) handed down the long-awaited judgment on the transfer of personal data from the EU to a third country. In Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), the Grand Chamber of the CJEU found the current framework of cross-border data transfer, also known as the “Privacy Shield” vis-à-vis the US, invalid, thereby putting an end to the transatlantic data flow as we know it. How did this come about and what does this mean?

Background

Following his request to access the personal data Facebook held on him, Maximillian Schrems, an Austrian national, was shocked to learn that the social media giant had gathered 1,200 pages of information about his activities on the platform. He subsequently raised concerns about, among other things, user tracking through “Like” buttons, the application of facial recognition without consent, and shadow profiling, the practice of harvesting the data of non-users. Facebook listened. But the changes that ensued were not as far-reaching as Schrems had hoped. Then, Snowden happened.

With the worldwide exposure of Facebook’s passing of EU citizens’ data to the NSA as part of the mass-surveillance programme code-named PRISM, Schrems’ complaint gained momentum. His case was referred to the CJEU in 2015, and the Court struck down the preceding data transfer scheme, Safe Harbour, on which Facebook had relied to move its user data from its Irish subsidiary to its US headquarters.

Since then, the Safe Harbour framework has been replaced by the Privacy Shield. Following the recent CJEU ruling, however, the Shield must now also be lowered.

Judgment

The CJEU invalidated the Privacy Shield immediately without any grace period. As the final appellate decision, the outcome may not be appealed further and binds the UK at least during the current Brexit transition phase. From the eleven legal questions put forward, the CJEU drew two conclusions.

1. The EU-US Privacy Shield is no longer a valid legal framework for transatlantic data transfers. Companies must rely on alternative measures such as the EU Standard Contractual Clauses (SCCs).

2. While the SCCs remain a valid mechanism, the data exporters and importers bear the onus of verifying, prior to any transfer, whether the importing jurisdiction provides an “adequate level of protection”.

Reasons for the judgment

With regard to the first point, the CJEU in Schrems II interprets the GDPR to require a third country (i.e. a non-EU Member State) at the receiving end to ensure “a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter.” This means EU data subjects must be provided with the necessary limitations and safeguards against the interference with their personal data and an effective legal recourse in the US.

Finding that the US Foreign Intelligence Surveillance Act of 1978 disproportionately compromises EU data subjects’ rights in favour of US national security, the CJEU ruled the US standard of protection inadequate. It also found that EU citizens have been deprived of a cause of action in the US where there is a data breach, since the Privacy Shield Ombudsperson is not a tribunal. More fundamentally, the Privacy Shield’s compliance with the respect for private life and the protection of personal data enshrined in the EU Charter of Fundamental Rights remains dubious even before the question of adequacy is considered.

Regarding the second point, the CJEU does not go so far as to annul the SCCs, which are sets of model terms and conditions for data transfers between EU and non-EU countries. Due to their contractual nature, the CJEU maintains, the SCCs rightly do not bind the authorities of the data-importing third country. But the parties to the SCCs — the sender and the receiver of personal data — must exercise due diligence to discharge the burden of verifying an adequate level of protection in the destination jurisdiction.

Analyses and implications

Schrems II is a landmark decision with potentially seismic consequences. It has implications on multiple levels.

For EU data subjects and privacy campaigners, this decision is an instance of the actual enforcement of their EU fundamental rights. Schrems believes the CJEU has made clear “that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.” Meanwhile, the litigation process has also cast light on systemic obstacles that call for reform: Schrems spent 7 years submitting more than 45,000 pages of documents. The Irish Data Protection Commission, instead of standing up for EU citizens’ privacy rights, poured almost €3m into fighting off Schrems’ “frivolous and vexatious” complaint.

For the EU, Schrems II is an opportunity to exert its influence as a legal order and rectify its mistakes. While there is no concrete evidence that the Safe Harbour and the Privacy Shield held US technology companies to a higher standard, those companies have been benefiting tremendously from an unrestricted EU-US data flow. This is perhaps unsurprising, considering that the EU allowed both frameworks to function on a voluntary, self-certifying basis. This time, the EU will likely, and hopefully, not resort to another quick fix when redesigning the regulatory landscape.

For businesses, major US tech companies like Zoom and Google must now seek credible alternatives like the SCCs and bear the cost of proving adequacy themselves. It could be desirable to allocate more responsibility to those monopolistic American players. But start-ups and SMEs, which account for 65 percent of Privacy Shield-certified firms, might not have enough resources for such alternatives. Furthermore, European firms like Aldi and Louis Vuitton have benefited from the Privacy Shield in the same way. After all, it is natural for data to flow, and often mutually beneficial for it to flow. Schrems II, in this light, might be the onset of a transatlantic data trade war as the EU attempts to remedy its data trade deficit.

Finally, for the UK, the decision at hand adds a further twist to its Brexit process. Already in 2018, exports of personal data-based services from the UK to the EU were worth approximately £85bn. To capture this gain, the UK government has been seeking an adequacy agreement from the EU Commission. But with GCHQ’s “nightmarish” data tapping leaked by Snowden, the enactment of the Investigatory Powers Act 2016, and a political drive to diverge from EU law, the UK might have a difficult time ahead. At the same time, the orbital pull to adopt laissez-faire standards from across the pond may prove too strong.

Sean Lee is a law graduate from UCL, currently training as a software engineer at a tech start-up in his native Korea. He is particularly interested in the regulation of artificial intelligence and data protection laws.