This post has been written by Javier López Guzmán, Legal researcher at Vrije Universiteit Brussel. PhD candidate.
On 16th July 2020 the Court of Justice of the European Union delivered a milestone judgement in the area of personal data protection and the information society. The Schrems II case transcends these areas of knowledge and has a huge impact on the digital market, at EU level and globally, and therefore on the lives of millions of citizens, users of social media and digital services across the globe. This impact is analysed further in this article. If you are interested in the topic, continue reading. But be aware: law is like sausages. If you enjoy them, maybe it’s better not to figure out how they are made.
This judgement (maybe?) ends the Schrems series. Maximilian Schrems, an Austrian citizen, began challenging the international personal data management regime of social media in 2013. Following the Snowden revelations, the world came to notice that many digital services used globally were a source of personal information within reach of any government interested in it, and especially within reach of the United States of America administration and its mass-surveillance programs. These revelations inspired many actions in defense of fundamental rights, privacy and personal data protection. Mr. Schrems chose the battleground of social media, and thus challenged the data management regime of the biggest social media company at the time: Facebook.
Maximilian Schrems brought several complaints against Facebook before the Irish Data Protection Commissioner (“DPC”), based on, amongst other reasons, Facebook’s membership and obligations under the EU-US Safe Harbour. Why in Ireland? The company, like many other global digital players, has its European branch based there for regulatory and taxation reasons: Facebook Ireland, Ltd, which is responsible for the processing of personal data of its users in Europe. And why the Safe Harbour? This legal structure was created by the European Union and the USA to cover the legality of international personal data transfers to the USA. Following this scheme, tech companies that wanted to take personal data from European users and process them in the USA could do so. They would need to follow a number of requirements, but these transfers were allowed since the European Union considered that the protection for personal data in the USA was “essentially equivalent” to the one granted by the European regulation (under article 45 GDPR).
This legal battle began in 2013, with this challenge to international personal data transfers before the Irish courts, which eventually reached the European Court of Justice. The applicants considered that this scheme circumvented the application of GDPR and made European citizens vulnerable to the mass-surveillance programs of the USA administration. Therefore, the USA had become de facto a non-adequate third country for the transfer of personal data. Since this decision was taken under a European competence in EU law, the Irish courts had to refer a question for a preliminary ruling to the ECJ on the interpretation of the European laws relevant to the case (Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and Articles 25(6) and 28 of Directive 95/46/EC, the Data Protection Directive) and on the validity of the Safe Harbour. In October 2015, the ECJ ruled that the Safe Harbour was invalid because it limited the investigatory powers of the national data protection authorities, among a number of other reasons.
One might think that this could have ended the issue and that the actors in the lawsuit would give up. Not at all. Personal data mining is too important in our current digital industry. It was already too important in 2016 to simply let the flow of data stop. It was in the interest of every player in the digital field (industry, the USA government and EU Member States) to continue with these transfers, despite the acknowledged and continuous attacks on fundamental rights. Consequently, a new adequacy decision was passed. The Privacy Shield replaced the annulled Safe Harbour. This new data transfer regime introduced changes following the Schrems I judgement. Nevertheless, it would not fix the problem of these personal data being accessed by the USA administration for surveillance.
The Privacy Shield was challenged in December 2015, once again by Mr. Schrems, who brought the case before the Irish courts; it ended once again before the ECJ, which delivered the judgement of July 2020. The Privacy Shield introduced changes, but the fundamental problems with personal data protection and the clash with the GDPR remained. Facebook and the Irish DPC tried to shift the debate by arguing that the Privacy Shield was not the only valid legal umbrella for their activities. Other legal instruments recognised in GDPR were brought to the table: Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR). These instruments have been under scrutiny and are currently of high importance, since they are the valid mechanism for performing transfers when the receiving country has no adequacy decision recognised by the EU.
Once again, the European court favoured the arguments made by the appellants and declared the Privacy Shield invalid. The basis of the judgement is the Court's interpretation of Articles 46(1), 46(2)(c) and 58(2)(f), (j) of GDPR. If a national data protection authority (namely the Irish DPC) considers that a transfer of personal data to a third country does not ensure the fundamental rights of the European data subjects, the transfer must be ordered to stop, regardless of whether or not an adequacy decision is in force with that country. The Privacy Shield is invalid because it deems the USA legal structure adequate for the processing of European citizens' personal data without providing administrative and judicial remedies for this processing. If a USA citizen wants to challenge these mass-surveillance programs, or the misuse of his or her personal data for law enforcement reasons, he or she is protected by the Amendments of the US Constitution. But a European citizen cannot challenge this processing, neither before the US Administration nor before US courts. This is not in line with the fundamental rights recognised in the EU Charter and the GDPR protection of personal data.
The Court has annulled the main legal instrument used to operate the transfers to the USA. But it has maintained the validity of the use of SCCs and BCRs with additional safeguards. This remains a route for big data processors to take personal data out of the Union, although it will also be problematic for big tech players in the future. The use of these clauses still has to be controlled by the Data Protection Authorities. If the third country to which the personal data is exported does not offer protection essentially equivalent to that of GDPR, the legal instrument behind the transfer does not matter.
This is what the Irish DPC has been forced to decide after Schrems II. There are currently hearings in session in the Irish Supreme Court to decide if Facebook can still use SCCs to transfer data to the USA. But this case is not only about Facebook. Many other big technological players now rely on this instrument. And most (if not all) of the companies creating services that we use every day do send our personal data outside the EU: social media, cloud storage services, mailing services, the operating systems of our digital devices, video call services and many other digital service providers. They do it because processing these data in aggregate is extremely profitable. And it is also in the interest of the US Administration to protect the dominant position of its companies in the global market. Facebook is already questioning the use of its services in Europe if personal data flows are stopped.
The importance of Schrems II is embedded in the process of European legislation itself, but also in the digital industry and geopolitics. The judgement affects the processing, mining and use for surveillance of personal data of EU citizens. Since the EU is currently at the vanguard of digital privacy, it indirectly affects all citizens and digital users in the world. In the near future, NGOs and public interest associations in defense of social rights will have an important role to play. Many actions against these practices were brought before courts by organisations such as NOYB (founded by Max Schrems after the judicial series) and La Quadrature du Net.
Consequences of the Judgement
The Schrems II judgement has had an important impact on industry, on individual users, and on Small and Medium Enterprises. It will shape international relations in the coming months and have an effect on the transatlantic relationship between the EU and the USA. The new Biden administration in the USA has been seen as a hope for the recovery of trust in international trade and a boost for this bilateral relationship. But this does not mean that the new administration will align with the EU priorities in personal data protection. The new USA administration is rather industry-friendly. And the spotlight in international relations nowadays is no longer on the Atlantic. It is on the Pacific and the relationship and economic rivalry with China.
All this does not mean that there is no room for agreement and improvement of data protection standards. Some states in the USA have already started to develop laws in favour of privacy that limit the practices of industry and government. Adequacy for these individual states, rather than for the USA as a bloc, is a possibility that was on the minds of top EU officials.
The current trend in Europe, however, is dominated by other priorities. In a world where data is the fuel of the economy, concepts such as data location and data sovereignty are becoming more and more important. The French DPA issued a call not to store sensitive data, such as health data, in cloud services outside the EU. Data protection authorities, on the other hand, have focused on developing the consequences of the judgement. The judgement will also have an impact on Brexit, since the UK is a major recipient of data transfers from the rest of the EU bloc, and also a member of the Five Eyes surveillance alliance and a major intruder on fundamental rights in this regard, as already assessed in this blog by Rebeca Ferrero Guillén.
The European Data Protection Board issued three important documents in this regard: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance, Recommendations 02/2020 on the European Essential Guarantees for surveillance measures and a proposal from the European Commission on new Standard Contractual Clauses. They were intended to clear the path for data controllers and help guide them through a difficult and technical judgement, which has left a large part of our information system in limbo.
These measures and the foreseen negotiation between the EU and the USA after the judgement have already been criticised by activists and academia. Max Schrems summarised it quite accurately in this statement: “There is no «supplementary measure» that you can put on a piece of paper to make a US company that has factual access to the data ignore #FISA702 — the only «supplementary measure» that can fix that is in the hands of the US legislator.”
The development of digital services and international personal data transfers in the future remains unpredictable. It is safe to say that they will continue to have an impact on the digital market and fundamental rights in Europe and the whole world. We will remain vigilant and study these consequences.