How has Schrems changed the data privacy legislation landscape?
In 2013, Max Schrems - an Austrian activist, author and lawyer - put company cross-border data transfers into the spotlight.
Perhaps two of the most well-known and law-changing data privacy cases; Schrems I and II were brought before the Court of Justice of the European Union (CJEU) for their final verdicts.
Schrems I challenged Facebook for privacy violations, swiftly followed by Schrems II - that forced the reevaluation of the existing privacy safeguards for cross-border data transfer from the EU to third-party countries (with particular emphasis on the US).
These two cases put the way in which the US and the EU view and practice data privacy at the forefront of data protection legislation, which in turn, has forced many other countries to reconsider their own approaches to data privacy vs surveillance legislation.
While the US tends to view data as public unless privacy is specifically requested, Europeans generally view data as private unless express permission has been given for its use. The US Foreign Intelligence Surveillance Act (FISA) Section 702, Executive Order 12333, and Presidential Policy Directive 28 all permit the US government to monitor data that can be used by national security agencies. This includes data from non-US citizens, leaving European citizens in a vulnerable data position.
How did it all begin?
In July 2000, the Safe Harbour agreement was created by the European Commission (EC), based on principles outlined by the European Data Protection Directive 1995.
This legislation meant that Europe deemed the US satisfactory when it came to providing data protection safeguards for cross-border transfers. These data protection safeguards had to be aligned with the data protection principles outlined in the Directive, which include:
The non-EU country has to have an adequate legal framework in place to protect and enforce effective data protection for its citizens.
The European Commission (EC) determines the adoption of adequacy decisions that declare the non-EU country has satisfactory privacy safeguards. This allows the EU to ensure that fundamental rights, such as the Article 8 right to privacy under its Charter, are respected in third-party countries.
In conjunction with the Safe Harbour Agreement, there is, of course, the GDPR.
For cross-border data transfer, there needs to be either:
An adequacy decision – whereby the EC (with consent from the other member states and the European Data Protection Board) decides a country ensures an adequate level of protection for data (1), OR
The controller or processor must provide the necessary safeguards (2), which include:
Legally enforceable instruments between public authorities or bodies
Binding Corporate Rules
Standard Contractual Clauses (SCCs) adopted by the EC
An approved code of conduct
An appropriate certification mechanism
In many cases where a country lacks an adequacy decision, SCCs are a common legal basis for companies to transfer data. These are EC-approved clauses that contain contractual obligations on both the exporters and importers of data, as well as enforceable rights for the subjects of the data.
Schrems I: Maximillian Schrems v Data Protection Commissioner
On 25th June 2013, Schrems complained to the Irish Data Protection Commissioner (DPC) of Facebook’s use of the Safe Harbour agreement - accusing them of transferring his personal data from its Irish subsidiary to its servers in the US without proper precautions in place.
Considering Edward Snowden’s allegations of the surveillance activities of the NSA and other US intelligence agencies, Schrems argued that US law offered no legitimate protection against surveillance of his (and EU citizens’) data by the US government.
The DPC refused to further investigate this issue, as the Safe Harbour agreement had been approved by the European Commission. Schrems appealed this decision before the Irish High Court, who then referred the complaint to the CJEU.
“The Commission concluded in point 8 that ‘the large-scale access by intelligence agencies to data transferred to the [United States] by Safe Harbour certified companies raises additional serious questions regarding the continuity of data protection rights of Europeans when their data is transferred to the [United States]’.”
On 6th October 2015, the CJEU ruled that national Data Protection Authorities (DPAs), like the Irish DPC, have the right to investigate individual complaints related to EC decisions, but the CJEU is the only authority able to declare whether national decisions are valid or not.
For Schrems, this meant that the CJEU flipped the Irish DPC’s decision, and declared the Safe Harbour agreement as invalid as it did not provide adequate safeguards.
Namely, its data protection obligations would be superseded by US law and discarded if there were matters of national security, public safety, and law enforcement at hand.
“It seems to be definitely that the court is making a definite decision about the privacy impact of mass surveillance. It is concerned also about individuals having a way of challenging that and having a right of recourse via their own domestic data protection authorities.”
As a result, regulators had to try and create a new legal framework for cross-data transfers which would be compliant with the principles of EU rights.
The European Data Protection Board encouraged EU Member States to do the same, and on July 8th 2016, the Privacy Shield agreement was adopted.
Privacy Shield was an agreement between the EU and the US which allowed personal data from the EU to be sent to the US and processed.
Schrems II: Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems
But it was not over yet: in July 2020, Schrems II came to the court.
Following the first Schrems judgment, Facebook argued that most of the data that it transferred to its American parent company was actually based on standard contractual clauses (SCCs). Schrems lodged a complaint with the Irish Data Protection Commissioner, arguing that the SCCs could not justify Facebook’s cross-border transfer, as surveillance programmes in the US interfered with fundamental rights to privacy, data protection, and proper legal remedies from a court.
Schrems went through the same process: the DPA brought an action before the Irish High Court, which then referred it to the CJEU for a preliminary hearing.
As well as SCCs, the Privacy Shield was also challenged.
Schrems argued that the Privacy Shield contained many of the same issues as Safe Harbour, including its reliance on self-certification by private American companies.
The CJEU declared the Privacy Shield as invalid since:
US surveillance programmes are not limited to what is strictly necessary and proportional as required by Article 52 of the EU Charter of Fundamental Rights. (5)
EU citizens did not have proper judicial redress against US surveillance programmes and lacked access to effective remedies in the US, as required by Article 47 of the Charter. (6)
The Privacy Shield Ombudsperson (who is supposed to be independent of the security services) still had to report to the Secretary of State. (7)
However, they did rule that SCCs continue to be valid, but must be verified by businesses on a case-by-case basis to ensure proper protection under EU law.
This means that currently SCCs are the only viable option for transferring personal data outside of the EU - if there is a guarantee for the same level of protection as when it is within the EU.
Where this is lacking, additional safeguards must be implemented or the transfer of data suspended. (8)
The Schrems II judgment also potentially impacts UK companies post-Brexit. In June 2021, the EU gave the UK an adequacy decision, approving UK data protection standards as compatible with the data protection rights in EU Law. However, this decision may not see an end to legal challenges (particularly in light of privacy advocates mounting legal challenges against the Investigatory Power Act 2016 for violation of privacy rights), and with recent news that the UK GDPR is to go under complete re-evaluation in an attempt to be more responsible around data management.
This June, the EU also published new and updated SCCs, incorporating the recent changes to the data privacy landscape, i.e. GDPR and Schrems II. There are also new UK SCCs expected to be finalised later in the year, and so businesses based in the UK will need to both be aware of these and prepare.
Outside the courtroom: how has this affected businesses?
Schrems II has generated a degree of confusion and even panic amongst companies, particularly multi-national organisations with partners in the US, outside the EEA, and especially in non-EU countries where adequacy decisions have not yet been made.
As the Privacy Shield underpinned “transatlantic digital trade” for over 5,300 organisations (65% of which are SMEs or start-ups) its immediate invalidity meant that affected companies were obliged to sign up to SCCs. (9)
Even though SCCs were revalidated, it has meant that stricter requirements for data transfers reliant on SCCs are necessary. Schrems II in particular should also encourage companies to adopt strong encryption and redaction techniques to further protect their data to satisfy these requirements.
These companies will now have to carry out case-by-case assessments of their data transfers to ensure their protection meets EU standards of privacy and is GDPR compliant. Organisations that continue to transfer data based on an invalid mechanism risk a penalty of €20 million or 4% of their global turnover (10). For countries like the US, where there are different rules for national security agencies, adequate limitations must be in place and any actions taken should be proportional, as required under EU law.
Covid-19 has sparked a considerable increase in online business activity and cast a spotlight on how our data is managed, transferred, and secured. With the legislative landscape changing rapidly, we can perhaps anticipate new guidelines for cross-border transfers and even more stringent adjustments to current SCC rules. Even though it was a struggle to get to where we are today with regards to cross-border legislation, it seems that privacy and one’s right to keeping personal data protected is driving the direction of data protection laws more and more.
Useful links to check out:
References
Article 45 of the GDPR
Article 46 of the GDPR
Para 25 of Schrems judgment
Para 184-185 of Schrems II judgment
Para 191-193 of Schrems II judgment
Para 194-195 of Schrems II judgment
Para 131-143 of Schrems II judgment
Article 83(5)(c) of the GDPR