On 16 July 2020, the Court of Justice of the European Union (CJEU) handed down its decision in the Schrems II case. The decision, by the highest court in the European Union, invalidated a major EU-US privacy framework that had previously allowed personal data to flow freely between the EU and the US. The case is the latest chapter in an ongoing saga involving privacy activists, the commercial trade in ‘big data’ and the revelations made by whistleblower Edward Snowden about US mass surveillance.
This article gives a brief timeline of the events leading up to the case, explains why the court came to its decision, and sets out what it means for organisations going forward. For UK readers who may have forgotten about Brexit during the current Covid-19 pandemic, do not worry: this article will bring the UK’s departure from the EU back to your news feed too, because the Schrems II case has potential consequences for the UK after Brexit.
A Timeline of EU-US Privacy Protections
1953: The European Convention on Human Rights comes into effect for all member states of the Council of Europe (today comprised of 47 countries).
Within this convention is ‘Article 8 – Right to respect for private and family life’:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
1970s: The first national data protection laws are enacted across Europe.
With the introduction of computers and automated data processing, concerns were raised about the right to a private life. The first regional and national data protection laws were enacted, mostly in Europe. These laws sometimes conflicted with one another, making it difficult for international organisations to comply with all of them.
1981: The Council of Europe signs Convention 108.
The Council of Europe opens for signature the first legally binding international data protection treaty. It requires ratifying states to enact privacy laws based on the principles set out in ‘Convention 108’, bringing some standardisation to European data protection laws.
1992: The EU is formed.
Currently comprised of 27 European countries.
1995: The EU adopts the Data Protection Directive.
Dissatisfied with the patchwork of national data protection laws, the EU adopts ‘The Data Protection Directive’ (Directive 95/46/EC), which strengthens and harmonises data protection law within the EU. Because every member state now had strong, consistent rules, personal data could be transferred freely across EU borders. Transfers to countries outside the EU were prohibited unless the ‘third country’ could ‘guarantee an adequate level of data protection’.
2000: The EU agrees to the USA’s Safe Harbour Principles.
Under the Data Protection Directive, the USA was classed as a ‘third country’. This meant that US organisations were not allowed to freely transfer EU citizens’ data out of the EU, which hampered US access to EU markets. To foster greater commercial opportunities, the EU and US agreed ‘The Safe Harbour Principles’. American companies could self-certify under Safe Harbour; certified companies agreed to abide by seven data protection principles and in return were allowed to transfer personal data freely from the EU to the US.
2004: Facebook is formed.
2011: A 24-year-old Austrian law student goes on a year abroad to the USA.
Max Schrems, a 24-year-old Austrian law student, spends a year abroad at Santa Clara University in Silicon Valley, USA. There he attends a privacy lecture whose guest speaker is Ed Palmieri, a privacy lawyer for Facebook. Palmieri shows what Schrems considers a shocking lack of understanding of EU privacy law, prompting Schrems to become concerned about his own Facebook account. Using his rights under the EU’s Data Protection Directive, Schrems requests a copy of the personal data that Facebook’s European headquarters in Ireland holds on him. He is given a CD containing 1,200 pages of his personal data, which he is informed is held on US servers. Schrems publishes a redacted version of this data and then begins a series of legal battles against Facebook.
2013: Edward Snowden tells the world about the extent of US surveillance programs.
Whistleblower Edward Snowden reveals that mass data collection by US national security agencies is far more extensive than the public knew, and includes activities he describes as ‘dangerous’ and ‘criminal’. A prime source of data for this surveillance is a government programme called ‘PRISM’, which takes data from the biggest US telecom and tech companies for the explicit purpose of mass surveillance. Facebook is accused of voluntarily giving PRISM mass, unfiltered access to the personal data of all its users, without any requirement of probable cause. Also on the list of data suppliers to PRISM are Microsoft, Yahoo!, Google, Paltalk, YouTube, AOL, Skype and Apple.
2013: ‘The Schrems Case’.
In light of the Snowden revelations, Max Schrems lodges a legal complaint against Facebook Ireland Limited with the Irish Data Protection Commissioner. The complaint states that Schrems’ right to privacy was violated when Facebook gave the US government unfiltered access to his personal data. Schrems also highlights that Facebook and other US companies were, by their own admission, not permitted to tell the truth about this type of data processing, and were legally bound to deny their involvement in, and even the existence of, programmes such as PRISM. The complaint is eventually referred, via the Irish courts, to the highest EU court, the CJEU.
2015: The CJEU invalidates Safe Harbour.
Prompted by Max Schrems’ complaint, the CJEU examined the EU-US Safe Harbour decision. It found that the extent to which US government bodies had access to EU citizens’ personal data went beyond what was strictly necessary and proportionate for the purposes of US national security, and that this breached EU data subjects’ right to privacy. The court therefore invalidated the Safe Harbour decision, returning EU-US data transfers to the stricter pre-2000 regime. The immediate aftermath was a large amount of legal work for some of the largest multinational corporations so that they could continue to transfer personal data out of the EU (albeit now under stricter contracts and with new security measures).
2015: Facebook relies on Standard Contractual Clauses to transfer personal data.
In response to the ‘Schrems decision’ invalidating Safe Harbour, Facebook relies on ‘Standard Contractual Clauses (SCC)’ to transfer data out of the EU. SCC are the default mechanism for transferring data from the EU to any third country (Safe Harbour was specific to the US and provided an easier transfer mechanism than SCC).
2015: ‘Schrems II’ case begins.
Max Schrems is asked to reformulate his complaint in light of the decision to invalidate Safe Harbour. Schrems lodges a similar complaint against Facebook, arguing that its reliance on SCC cannot provide adequate protection because of US surveillance law.
2016: The US and EU create a new framework called ‘Privacy Shield’.
Shortly after Safe Harbour was invalidated, the EU and US agreed a new framework called ‘Privacy Shield’. It was very similar to Safe Harbour but added new protections for EU citizens. Privacy Shield gave EU citizens more avenues to file complaints against US companies, including the introduction of a US Ombudsperson, one of whose duties is to verify the validity and legality of US public bodies accessing the personal data of individual EU citizens. It also introduced stricter monitoring of, and stricter reporting by, certified US companies.
2018: The GDPR is introduced.
The GDPR comes into force across the whole EU, giving EU citizens new fundamental rights, further unifying EU data protection law, and giving EU supervisory authorities vastly greater powers to impose large fines and penalties on non-compliant organisations. For its role in the Cambridge Analytica scandal, Facebook was fined £500,000 by the UK Information Commissioner’s Office, the maximum available under the pre-GDPR Data Protection Act 1998. Under the GDPR, it would have faced a maximum fine of up to 4% of its worldwide annual turnover.
2018: Days after the GDPR is introduced Max Schrems lodges multiple legal complaints.
Max Schrems (now the most famous privacy activist in the world and founder of the European non-profit privacy rights group NOYB) launches legal complaints under the GDPR directed at Facebook (these are separate from the ‘Schrems II’ case). The complaints would total €3.9 billion in fines if upheld. In the following year, Schrems also lodges complaints against Amazon, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube for similar privacy breaches. The total predicted fines for these companies amount to €18.8 billion if upheld. To date, none of these complaints has been concluded.
July 2020: CJEU rules that Privacy Shield is invalid in the Schrems II case.
The Schrems II case reaches the CJEU. Initially the complaint concerned only SCC, but by the time it reached the CJEU the validity of Privacy Shield was also in question. The court upholds the validity of SCC, but stresses what they require: the company exporting data out of the EU must ensure a level of protection essentially equivalent to that guaranteed inside the EU, so the onus is on the exporter to verify, case by case, that the law of the destination country allows it to honour the clauses, and to adopt supplementary measures or suspend the transfer where it does not. The CJEU also rules that Privacy Shield is invalid. Its reasoning is that US surveillance law is not limited to what is strictly necessary and proportionate, and that the Ombudsperson (created to oversee US surveillance of EU citizens) has no power to bind US intelligence agencies. As EU citizens have no effective legal remedy against US government agencies, Privacy Shield cannot guarantee the privacy of EU citizens’ data. This was a widely unexpected outcome and took immediate effect: the thousands of companies that were using Privacy Shield to transfer EU data freely to the US no longer have legal grounds to do so.
What does this mean for Companies today?
Companies that were relying on Privacy Shield to transfer personal data from the EU to the US can no longer use that legal mechanism and must find an alternative. In reality, companies are unlikely to halt data transfers overnight, and implementing an alternative takes time. Supervisory authorities in EU countries are unlikely to penalise companies that do not instantly comply with the surprise mid-July ruling. However, that does not mean organisations can sit idly by.
Going forward, the US is treated like any other country outside the EU without an adequacy decision, which means companies must rely on SCC or another approved mechanism. If you are part of an organisation that transfers data from the EU to the US, speak to your lawyers about implementing SCC or binding corporate rules, and do so as soon as possible. While EU supervisory authorities are likely to allow some leeway over how long it takes to implement these measures, that leeway will not last indefinitely.
SCC come with the stipulation that the data exporter guarantees the same level of protection in the third country as would be expected within the EU, and the CJEU has made clear that this is a real obligation: the exporter must assess the destination country’s law, add supplementary measures where the clauses alone are not enough, and suspend the transfer if adequate protection cannot be achieved. This is the area that remains unclear in practice. If a US company is bound by US law to comply with US surveillance programmes, how can it guarantee EU-level privacy? The EU-US privacy saga is far from finished and, with Schrems’ further complaints under the GDPR still pending, it is unlikely to end any time soon.
Brexit and the Schrems II Case
At the start of this article it was noted that the Schrems II case may have implications for Brexit. The UK has left the EU and is currently in a transition period that ends on 31 December 2020. Once the transition period ends, the UK will be treated like any other country outside the EU.
A country within the EU, simply by virtue of its membership, is bound by the GDPR and subject to rulings of the CJEU, and can therefore transfer personal data freely to and from other member states. When the UK’s transition period ends, the UK will not have this freedom by default. From a data protection standpoint, countries outside the EU fall into two categories: those that have been granted an ‘adequacy decision’ and those treated simply as a ‘third country’.
An adequacy decision is issued by the European Commission in respect of a country outside the EU. It states that the country’s data protection laws are essentially equivalent to those within the EU, which means personal data can flow freely between that country and the EU. A ‘third country’ without an adequacy decision does not have this freedom and must rely on SCC or another legal mechanism, as already discussed.
Before the transition period ends, the European Commission will have to decide whether to grant the UK an adequacy decision. As the UK has adopted the GDPR and intends to retain these data protection laws after the transition period, you might assume an adequacy decision could be taken for granted. Unfortunately, the UK also runs a very comprehensive mass surveillance programme, revealed by Edward Snowden, codenamed Tempora and operated by GCHQ. GCHQ is alleged to have placed interception equipment on the fibre optic cables running between Europe and the US, reportedly capable of processing 21 petabytes of data per day. This data is filtered first by computers and then by GCHQ analysts, and is shared with US surveillance agencies. In some privacy experts’ opinion, Tempora collects far more data, and is more invasive, than the US surveillance programmes.
Schrems II matters for the UK because, if the US cannot sustain an adequacy decision (which is effectively what Privacy Shield was), the UK is unlikely to obtain one either. That would bring an immediate halt to free data transfers from the EU to the UK, causing major disruption for UK and EU businesses. UK companies would have to fall back on SCC, facing the same disruption that US companies are experiencing right now.
About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance by undertaking independent external GDPR assessments in a cost-effective manner with minimal disruption to the client. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at https://www.tacita.io/