11 September 2020
On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered its judgment on the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (otherwise known as "Schrems II").
The CJEU decided that the EU-U.S. Privacy Shield is no longer valid. The thousands of businesses relying on this scheme would be breaking the law if they continued to transfer personal information under it as before.
The Schrems II case has the potential to severely impact trade between Europe and the United States. In this article, we'll be looking in detail at the reasoning behind the Schrems II judgment, and considering the steps that affected businesses should take following this monumental decision.
Below is a brief explanation of the Privacy Shield framework. If you already understand the Privacy Shield framework, you can skip ahead to our analysis of the Schrems II case.
The EU General Data Protection Regulation (GDPR) applies all over the European Economic Area (EEA). The EEA includes the 27 European Union Member States, plus Norway, Iceland, and Liechtenstein. At the time of writing, this also includes the United Kingdom (which is currently transitioning out of the EEA).
Some other countries, including the U.S., do not have such a high level of data protection. Businesses have more freedom to sell data subjects' personal information, and the government has greater powers to intercept it.
The GDPR does not allow EEA-based data controllers to transfer personal information to third parties in those countries unless there are additional data protection safeguards in place.
There are exceptions to the restriction on international transfers of personal information. Some countries, such as Canada, Argentina, and Japan, have data protection laws that are broadly equivalent to the GDPR.
Where a third country has a strong level of data protection law, the European Commission can make an "adequacy decision" to indicate this. EEA businesses can transfer personal information to countries with an "adequacy decision," without any special safeguards in place.
The U.S. does not have an adequacy decision.
The EU-U.S. Privacy Shield was designed to allow U.S. and EEA businesses to freely share EEA data subjects' personal information, as though the U.S. had an adequacy decision.
U.S. businesses could opt into Privacy Shield to make life easier when importing personal information from the EEA. This reduced friction when building new business relationships with EEA partners.
The Privacy Shield framework provided a set of requirements for participants. Participants were also required to certify with the framework regularly.
Here's an example of one of the Privacy Shield's requirements. Businesses participating in the Privacy Shield are required to grant EEA data subjects access to their personal information, and to correct, amend, or delete that personal information if it is inaccurate:
This requirement is similar to that imposed on EEA data controllers under Article 15 of the GDPR:
It also incorporates elements of Article 16:
To some extent, the above section of Privacy Shield also incorporates Article 17 of the GDPR, which allows data subjects to request the erasure of their personal information.
Other requirements under the Privacy Shield framework include:
Before Schrems II there was "Schrems I" (Maximillian Schrems v Data Protection Commissioner). The first Schrems case concerned a complaint by Maximillian Schrems, privacy activist and founder of the European Centre for Digital Rights (known as "NOYB": None of Your Business).
The story of the Schrems I case began in 2013 when Edward Snowden revealed the depth of the U.S. Government's intelligence-gathering practices.
Schrems, a Facebook user, argued that Facebook was putting his privacy at risk by transferring his personal information from Facebook Ireland, based in the EEA, to Facebook Inc, based in the United States.
At the time, Facebook relied on the "Safe Harbor" framework to make these restricted transfers of personal information between its sister companies. Safe Harbor was the predecessor of Privacy Shield.
Schrems made a complaint about Facebook to the Irish Data Protection Authority, the Data Protection Commissioner. Schrems argued that the Safe Harbor framework did not protect his personal information against U.S. Government interference.
The Irish Data Protection Commissioner rejected Schrems' complaint, and, in 2015, it ended up before the CJEU.
After considering Schrems' complaint, the CJEU declared that the Safe Harbor framework did not provide adequate personal information protection. As a result, the CJEU abolished Safe Harbor.
One key issue for the CJEU was that Safe Harbor did not protect personal information from access by the U.S. Government:
The CJEU also criticized Safe Harbor for:
The CJEU returned to some of these themes in the Schrems II judgment, as we will see below.
Following the Schrems I case and the abolition of the Safe Harbor framework, Facebook began using another safeguard to facilitate its transfers of personal information to the U.S., namely Standard Contractual Clauses (SCCs).
Schrems made a further complaint to the Irish DPA, arguing that, like Safe Harbor, SCCs did not protect his personal information from U.S. Government interference. Again, the Irish DPA rejected Schrems' complaint, and it ended up before the CJEU.
So, Schrems II was, centrally, not about Privacy Shield at all, but about SCCs. The CJEU concluded that SCCs are a valid safeguard for restricted transfers of personal information (with some caveats, as we will see below).
However, despite the case being about SCCs, the CJEU decided to evaluate Privacy Shield. The CJEU concluded that the Privacy Shield framework was invalid, for similar reasons that it invalidated Safe Harbor five years earlier.
Privacy Shield was invalidated partly due to its inability to protect EEA data subjects' personal information from the U.S. Government's surveillance powers. Those powers are derived from national surveillance laws.
Three U.S. surveillance laws are particularly important for the Schrems II decision:
Let's take a brief look at these three important pieces of legislation.
FISA 702, passed in 2008 as an amendment to the Foreign Intelligence Surveillance Act of 1978, allows the U.S. Government to target non-U.S. citizens' communications outside of the United States.
FISA 702 allows the Government to access communications without seeking a court order. It also requires certain types of companies, namely "electronic communication service providers," to assist the Government in accessing such communications.
The definition of "electronic communications service provider" is given at 50 USCS § 1881 (available here):
Examples of electronic communication service providers include:
EO 12333 was enacted in 1981 under President Reagan. It was amended twice under the Bush Sr. administration, and once under President Obama.
EO 12333 gives the U.S. Government vast powers to collect and analyze foreign intelligence and counterintelligence. It allocates surveillance duties among Government agencies. It also forbids certain intelligence-gathering practices from taking place within the United States.
The order is considered a central piece of legislation in developing and expanding the U.S. surveillance architecture. It has been used by the National Security Agency (NSA) to justify its vast data collection exercises.
PPD-28 is a directive issued by President Obama in 2014, which refines and limits the ways in which the Government treats personal information collected via signals intelligence.
A key passage from PPD-28 reads:
"...all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information."
PPD-28 also establishes that:
Now we're going to consider the Schrems II judgment text and see why the CJEU took issue with the laws listed above.
A key consideration for the CJEU was a "derogation" that appears at paragraph 1 (5) of the Privacy Shield requirements:
The provision above limits the protection Privacy Shield participants can offer EEA data subjects "to the extent necessary to meet national security" and comply with U.S. laws and regulations.
At paragraph 165 of the judgment, the CJEU considered paragraph 1 (5) and concluded that it allows U.S. public authorities to access and use EEA-originating personal information:
Access to personal information by public authorities is not, in itself, a "deal-breaker" for the EU. Surveillance is recognized as being necessary for safeguarding national security across all EU Member States. The problem is the nature of such access, as stated in paragraph 168:
There are three issues described in the paragraph above:
The lack of access to a judicial remedy is also considered in relation to PPD-28 (at paragraph 181):
Despite the good intentions of PPD-28 in establishing some degree of privacy when collecting signals intelligence, the directive does not go far enough to satisfy the CJEU.
Another issue for the CJEU was the fact that EO 12333 allows access to personal information based on presidential decree. The Privacy Shield framework does not effectively protect EEA data subjects against this interference (at paragraph 191):
Based on the above considerations, the CJEU concludes that the Privacy Shield is invalid (at paragraph 201):
The CJEU then considered whether the invalidation of Privacy Shield would create a "legal vacuum." If it did, some sort of transition period would be required before the use of the Privacy Shield program by EEA data controllers was rendered unlawful.
The CJEU determined that abolishing Privacy Shield would not create a legal vacuum, and so it was invalidated with immediate effect.
Thousands of businesses used Privacy Shield to facilitate the import and export of data from the EEA. If you're one of these businesses, you will need to seek alternative arrangements to safeguard EEA data subjects' personal information.
The Department of Commerce (DoC) has produced a set of FAQs about the impact of the Schrems II decision, designed for U.S. Privacy Shield participants.
The key takeaways from the DoC's guidance include:
It is likely that SCCs will be an appropriate alternative to Privacy Shield participation for many U.S. businesses and their EEA partners.
EEA businesses that export personal information to U.S. Privacy Shield participants must work quickly with their U.S.-based partners to bring about alternative arrangements.
The European Data Protection Board (EDPB) has published a set of FAQs for EEA businesses. Key takeaways from the guidance include:
It is likely that SCCs will be an appropriate alternative for many EEA businesses and their U.S. partners. For more information, see our article Using Standard Contractual Clauses.
The key reasons for the CJEU's decision were:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.