And the Saga Continues: On The Road Again to the CJEU with Schrems II
This post is authored by Robert Rubenstein, a third-year law student at the Thomas R. Kline School of Law at Drexel University.
Facebook has been caught in a legal battle concerning the adequacy of its data protection since well before the Cambridge Analytica revelations that came to light in the past few weeks. While spending a semester in the United States studying at Santa Clara University, Austrian law student Max Schrems first became aware of Facebook’s limited grasp of the severity of European Union (“EU”) data protection laws in 2011 when a privacy attorney from Facebook spoke to his class. Angered by the lack of appreciation of the EU privacy law in his home continent, Schrems decided to write his thesis paper about “Facebook’s Misunderstanding of Privacy Law in Europe.” During the course of his research, Schrems learned that Facebook had been violating strict EU privacy law, which prompted him to file numerous complaints with the Irish Data Protection Commission (DPC) in 2011. He later rescinded this set of complaints because the DPC had ignored his efforts.
Two years later, Schrems became distressed by the disclosures made in 2013 by Edward Snowden concerning the activities of the United States intelligence services and Facebook’s willingness to disclose EU citizens’ personal information to the National Security Agency (NSA). He filed another complaint with the DPC alleging that the laws and practices of the US do not offer adequate protection to EU data subjects against surveillance by the US for the data transferred to the US. He specifically claimed that the EU-US Safe Harbour framework, which was an agreement that allowed transatlantic data transfers, did not offer adequate protection when transferring data from Facebook’s Irish Headquarters to the Facebook Headquarters in the United States.
The Irish Authority initially rejected Schrems’ complaint because of a binding DPC decision from 2006, which held that the EU-US Safe Harbour framework ensures an adequate level of protection of the personal data transferred. Schrems then appealed to the Irish High Court, which referred the matter to the Court of Justice of the European Union (“CJEU”). In 2015, the CJEU invalidated the EU-US Safe Harbour framework because it failed to provide a level of protection for EU citizens that was “essentially equivalent” to that guaranteed in the EU under the Data Protection Directive 1995 and the Charter of Fundamental Rights of the European Union (“Charter”). This ruling led to the adoption of the EU-US Privacy Shield in July 2016, which is still in place today and provides a legal framework for companies to transfer personal data from the EU to the United States that is consistent with EU law.
After the CJEU ruling, Facebook implemented another available mechanism to transfer EU data to the U.S., called Standard Contractual Clauses (“SCC”). SCCs, one of the most frequently used means for transferring data outside the EU, continue to be a viable option under the European Union’s General Data Protection Regulation (“GDPR”). In short, SCCs impose contractual obligations on the parties to ensure that there is an adequate level of data protection, even where the third country where a party is located has not been deemed to provide an adequate level of protection.
Schrems, dissatisfied with the adequacy of SCCs, updated his complaint to the DPC, claiming that Facebook’s reliance on SCCs as a mechanism for transferring data was still invalid because those clauses do not provide adequate protection for transferring data outside the EU to the US.
In May of 2016, the Irish DPC announced that it had well-founded objections concerning the validity of SCCs and that the DPC was not in a position to address the deficiencies in US law. In particular, the DPC was concerned that there is an absence of effective judicial remedy under US law for EU citizens to seek redress in situations where US security agencies have unlawfully processed their personal data, as guaranteed by Article 47 of the Charter. The DPC referred the cause to the Irish High Court. The Irish High Court agreed with the DPC’s “well founded” concerns. Since the European Commission approved the use of SCCs to transfer data from the EU to the US, the Irish High Court announced on October 3, 2017 that it would ask the CJEU to rule on the validity of SCCs, as an issue of EU law.
The Irish High Court is still considering the exact questions to be referred to the CJEU. The general parameters of the questions before the Irish High Court, and the several points of contention between the parties that were highlighted during an Irish High Court hearing on January 18, 2018, are: (a) whether the rights of EU citizens are adequately safeguarded when their personal data is transferred to the United States using SCCs; (b) whether the questions to the CJEU relating to the validity of SCCs should refer to their validity generally when used for transfers to any third country, or to the United States only; and (c) whether the Privacy Shield decision was relevant to the questions to be referred to the CJEU.
Implications of the Impending CJEU decision
A CJEU decision invalidating SCCs would have a major impact on the transatlantic flow of data between the EU and other jurisdictions around the world. If the CJEU invalidates SCCs, then this would result in logistical and economic challenges for trade opportunities between the EU and US. Many businesses that operate in Europe rely on the free flow of personal data across borders; invalidating the SCCs would potentially make that transfer unlawful under EU data protection laws. At least 89% of EU companies rely upon SCCs when transferring data to the US or another non-EU country. Furthermore, the way in which the questions are framed to the CJEU will be an important factor in the CJEU’s determination. If the questions are framed broadly and concern the transfer of data to countries beyond just the US, then it will have a vast effect on EU companies because they would be required to halt their trading practices until switching to an accepted transfer mechanism.
Irrespective of the questions that are ultimately posed to the CJEU, it is necessary that the questions result in more clarity about the reliability of using SCCs for transatlantic data transfers. Since the GDPR has already declared that SCCs provide adequate safeguards for transferring data and has even threatened sanctions for non-compliance, it is necessary that the CJEU provide a greater degree of certainty if transatlantic data flows are to continue. If the CJEU cannot provide more certainty on the reliability of SCCs, then the Court ought to provide guidance on how a greater degree of certainty can be achieved. The CJEU will likely not issue a ruling until October 2018. For the time being, SCCs remain a valid mechanism for transferring personal data from the EU.