Schrems and the latest transatlantic data transfer challenge
When Max Schrems asked the Irish Data Protection Commissioner to stop Facebook Ireland transferring his personal information to the US in 2013, he could not have foreseen that it would put the personal data processing operations of thousands of other businesses in legal jeopardy.
Schrems’ 2013 complaint went all the way to the European Union’s top court, which in 2015 unexpectedly struck down the Safe Harbor Agreement on transatlantic data transfers. Thousands of businesses that had relied on this to justify their export of customers’ and employees’ personal data from the EU to the US for processing suddenly had to seek alternate legal justification — or find data hosting and processing resources inside the EU.
“Judgment in the case known as Schrems II is not expected until 2020, but a public hearing in July gave hints about how things could turn out”
Safe Harbor’s demise
EU data protection law says that personal information cannot be exported to a regime offering less protection than it has in the EU. Various legal mechanisms exist to extend that protection, including binding corporate rules for intra-group transfers, or standard contract clauses approved by the European Commission. Safe Harbor was one of these — essentially a declaration that, as long as businesses followed certain rules, the European Commission considered that US law provided adequate protection.
After months of uncertainty following its demise, it was replaced by Privacy Shield, a new agreement between EU and US administrations allowing transatlantic data transfers to resume.
However, it turned out that Facebook had never relied on Safe Harbor at all, but rather on standard contract clauses to protect its data transfers under EU privacy law.
Schrems duly revised his original complaint about Facebook’s processing of his data to target standard contract clauses, and that complaint has once again made its way to the Court of Justice of the European Union amid speculation that it too could threaten businesses’ export of personal data to the US.
Judgment in this new case, which has become known as “Schrems II,” is not expected until early in 2020, but a public hearing on 9 July gave hints about how things could turn out.
Interestingly, Schrems is not the plaintiff in the case, but a defendant. The plaintiff is the Irish DPC, which filed suit against him and Facebook as a legal manoeuvre to obtain a ruling on matters of law raised by his complaint.
At stake is whether the US government undertakes mass processing of the personal data of EU citizens when that data is held in the US, whether that form of surveillance is legal under EU privacy law, and whether standard contract clauses on data transfers provide adequate privacy protection for EU citizens.
Standard contract clauses in the crosshairs
Schrems and the DPC agree that US surveillance laws breach fundamental EU privacy rights; where they differ is on what can be done about it. Schrems wants the DPC to stop individual data transfers where standard contract clauses provide insufficient legal protection; the DPC says it has no power to do so.
The EU is seeking to make improvements in this area. European Commissioner for Justice Věra Jourová said on 13 June: “We are already working to modernise standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”
Facebook, meanwhile, says that there is no problem with its data transfers as the European Commission has already ruled, through its acceptance of the Privacy Shield data-sharing framework that replaced Safe Harbor, that US surveillance laws pose no threat to EU citizens’ fundamental rights.
The adequacy of Privacy Shield, though, is the target of another legal challenge the court is mulling, this one from a group of French NGOs.
And there is the rub: if the CJEU decides to take a very broad view of the French case or of the second Schrems complaint, as it did with his first, it could decide to invalidate the standard contract clauses used by Facebook and others, and Privacy Shield too.
Actions for CIOs
For CIOs and general counsel, then, it could be 2015 all over again. Some processing of EU citizens’ personal information in the US could be outlawed overnight, leaving businesses to either stop it, find somewhere else to do it, or take a gamble on the consequences.
While there is still time, CIOs need to figure out what personal information their organisations hold on EU citizens, whether they are processing it outside the EU, and what consent or legal justification they have for that processing. On the bright side, as long as their organisation is in compliance with the EU’s General Data Protection Regulation (GDPR), which entered into force on 25 May 2018, they should already have many of the answers at their fingertips.
The European Data Protection Board has produced a handy guide to the derogations provided by Article 49 of the GDPR that will help CIOs decide what to do next.
Some processing of personal information is always allowed, such as to comply with a contract to provide goods or services to the person concerned, or if the person has consented to the data transfer and has been made aware of the privacy risks involved. Again, organisations in compliance with GDPR will already have a record of which data they can transfer under these derogations.
For the rest, there are still a few months left in which to prepare technological responses to a potential data disaster that may never happen.
IDG News Service