The Schrems saga continues – international transfers

On the 9th of July, the hearing of the so-called Schrems 2.0 case took place before the Grand Chamber of the European Court of Justice (“CJEU”).

The main parties involved in this case are the well-known Austrian privacy activist Max Schrems, the Irish Data Protection Commissioner (“DPC”) and Facebook Ireland Ltd. Given the interests at stake, numerous other stakeholders, such as representatives of the European Commission, the European Data Protection Board, Member States, the US government, DigitalEurope, the Electronic Privacy Information Center, etc., intervened during the hearing in Luxembourg before Europe’s top court.

Why is the Schrems saga so important from a data protection perspective and a business perspective?

Schrems 1.0

History of the case

First things first. Max Schrems started a war back in 2013 against Facebook for its privacy violations. Data of Facebook Ireland’s users who reside in the EU is transferred to servers belonging to Facebook Inc. that are located in the US, where it undergoes processing. Schrems’ major issue with this is based on the findings of whistle-blower Edward Snowden, who disclosed that Facebook allows the US intelligence services access to personal data of EU residents under surveillance programs like “PRISM”.

According to EU data protection legislation, a transfer of personal data of EU residents to a third country, such as the US, may take place only if that third country ensures an adequate level of protection. Transfers of personal data to third countries not ensuring an adequate level of protection, on the other hand, are prohibited under EU legislation.

Schrems contended that US law and practice did not ensure such an adequate level of protection. He therefore lodged several complaints before the DPC against Facebook Ireland Ltd, aiming to prohibit Facebook from further transferring personal data from Ireland to the US and from keeping that data on servers located in the US. One of those complaints resulted in a reference for a preliminary ruling before the CJEU.

CJEU ruling

This ultimately led to Schrems’ major legal victory in 2015. He convinced the CJEU to strike down the well-known Safe Harbor Framework, the main tool to legitimize the flow of personal data of EU residents to the US. In short: the CJEU agreed with Schrems that US law and practice did not provide adequate protection of the rights of EU residents and declared the Safe Harbor Framework invalid.

Privacy Shield

This ruling was of paramount importance for dataflows from the EU to the US. Although there are alternatives to rely on to legitimize EU-US dataflows, such as Standard Contractual Clauses (SCCs), the Safe Harbor Framework was the most convenient one.

In response to the invalidation of the Framework, a similar tool, the “EU-US Privacy Shield”, was designed to transfer personal data from the EU to the US in support of transatlantic commerce.

Schrems 2.0

Why is there a Schrems 2.0 case then?

The DPC notified the privacy activist that Facebook had never relied on the Safe Harbor Framework, but on SCCs.

In response, Schrems reformulated his complaint by now challenging the SCCs. The DPC brought proceedings before the Irish High Court, which referred several questions to the CJEU for a preliminary ruling. This led to the hearing of the Schrems 2.0 case on the 9th of July.

Impact

The central question at stake is whether the US Foreign Intelligence Service Act breaks EU data protection legislation and, if so, whether that invalidates the current data transfer tools. In simpler terms, does Europe’s top court consider the SCCs – and a fortiori other tools such as the Privacy Shield – invalid?

This is an important matter, because if both tools are declared invalid, it would place international businesses in an immensely difficult position. The effects on trade would be massive, as businesses would be running out of options to legitimize data transfers outside the EU.

The CJEU is expected to issue its judgment before the end of the year or early 2020.

Conclusion

The CJEU should consider whether US law infringes EU data protection law and, if so, this may have an impact on the validity of SCCs and the EU-US Privacy Shield. The effects for international businesses would be tremendous, since a suitable and convenient alternative for international dataflows is currently lacking. Therefore, the outcome of this case should be kept under close review.

If you want more information on the potential impact on the dataflows of your business, please contact one of our lawyers.