Last Thursday, 16 July 2020, the European Court of Justice (CJEU) issued a decision that will reportedly “impact nearly every business, small to large”.
In this article we will outline:
- The history of the case (referred to interchangeably in legal circles as the “Privacy Shield case” and “Schrems II”).
- What the decision means from a legal perspective.
- The potential consequences of the decision for corporates.
The history of Schrems II
To start at the beginning, we must go all the way back to 2011, when a 23-year-old Austrian law student by the name of Max Schrems was spending a semester in the U.S. at Santa Clara University in Silicon Valley.
A professor at the university had invited a privacy lawyer to speak to the students.
That privacy lawyer was Ed Palmieri, lead privacy counsel for Facebook, and in the audience was Max Schrems.
Schrems later described how, listening to Palmieri speak to the class, he was “shocked” by the lawyer’s “limited grasp” of the severity of data protection laws in Europe.
It was then that he decided his thesis paper for the class would be about Facebook’s misunderstanding of privacy law in his home continent.
In the course of his research, he discovered that Facebook’s dossiers on individual users were hundreds of pages long and included information that users thought had been deleted.
Schrems decided to publish his findings online, leading to widespread media attention, a probe by a European privacy regulator, and questions from Congress in the U.S.
While Schrems’ complaints had managed to gain the attention of the media and prompt an initial investigation by the Irish Data Protection Commission, they didn’t cause any significant legal disruption.
That was about to change.
The catalyst – Edward Snowden
Data protection became the sudden focus of public attention in 2013, when the world first heard of U.S. whistle-blower Edward Snowden, and learned of his disclosures about U.S. state surveillance of private citizens’ data.
On 5 June 2013 a story broke in The Washington Post and The Guardian that detailed how the National Security Agency (NSA) in the U.S. had obtained direct access to the systems of Google, Facebook, Apple and other U.S. internet giants.
The story made headlines around the world and highlighted the level of exposure state agencies had to private citizens’ data, especially in the U.S.
Safe Harbor Case (also known as Schrems I)
Considering these new revelations, on 25 June 2013 Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner (DPC), as Ireland was and is the country where Facebook has its European Headquarters.
Schrems’ aim was to prohibit Facebook from transferring his data outside of the EU, from Ireland to the U.S., as a way of ensuring it could not be surveilled under the Prism programme that had been exposed by Edward Snowden.
Schrems based his complaint on EU data protection law, which does not allow data transfers to non-EU countries, unless a company can guarantee there is “adequate protection” of EU citizens’ data.
This “adequate protection” definition was based on a decision from 26 July 2000, in which the European Commission enshrined in law the validity of the Safe Harbor framework.
The Safe Harbor arrangement consisted of data protection principles to which American companies could subscribe voluntarily in order to engage in cross-border data transfers.
Therefore, the protections for user data relied on self-assessment and self-certification by private companies.
When the Irish DPC did not act on his complaint, Schrems filed an application for judicial review in the Irish High Court over that inaction, which was granted.
On 18 June 2014, Mr. Justice Hogan adjourned the case pending a reference to the Court of Justice of the European Union (CJEU).
The oral hearing before the CJEU was held on 24 March 2015, with Yves Bot acting as Advocate General for the case.
Bot delivered his opinion on 23 September 2015, declaring the Safe Harbor agreement invalid and stating that individual data protection authorities could suspend data transfers to third countries if those transfers violated EU rights.
Following this opinion, on 6 October 2015 the CJEU ruled that the Safe Harbor framework was invalid.
However, in its ruling, the CJEU appeared to leave the door open to the creation of “some sort of new Safe Harbor 2.0” proposal.
Privacy Shield (AKA Safe Harbor 2.0)
In a hurried bid to replace the newly invalidated Safe Harbor arrangement, on 2 February 2016 the European Commission and the U.S. Government reached a political agreement on a new framework.
It was to be called the “EU-US Privacy Shield”.
The new arrangement would provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.
The new arrangement included commitments by the U.S. that avenues for public authorities to access personal data transferred under the new arrangement would be subject to clear conditions, limitations, and oversight, therefore preventing generalised access.
It also included that Europeans would have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.
The new Privacy Shield framework was formally adopted by the European Commission on 12 July 2016.
Immediate legal challenges to Privacy Shield
Many data privacy campaigners considered that Safe Harbor was being replaced in all but name, and began challenges to the new EU-US Privacy Shield almost immediately.
Among those legal challengers was Max Schrems, now a qualified lawyer.
Schrems’ complaint was again referred to the CJEU, by the Irish High Court on 3 October 2017, and was heard by the CJEU in July 2019.
The CJEU strikes down Privacy Shield
In a ruling on 16 July 2020, the CJEU struck down the Privacy Shield, declaring it invalid.
The decision made headlines around the world, particularly here in Ireland where the Irish Times referred to it as a “blockbuster decision that will impact nearly every business, small to large.”
The CJEU noted in its statement that “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”.
The legal perspective on the ruling
As discussed in this blog which provides a fairly succinct overview, the fact that the EU-US Privacy Shield has been struck down is hugely significant, but not necessarily surprising.
Principally, this is because Privacy Shield arguably did little to actually shield the privacy of the EU citizens it purported to be protecting.
The European Convention on Human Rights protects the right to respect for private life, the home and correspondence. This includes protecting the privacy of messages, phone calls, and emails.
Specifically pertaining to this case, these privacy rights explicitly “protect the public from unlawful and unnecessary government surveillance”.
In practice, a non-U.S. person would find it very difficult to bring a case before U.S. courts for unlawful surveillance and therefore, as noted in the CJEU decision, the Privacy Shield “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law”.
In other words, EU citizens could not use the Privacy Shield in any practical way if they were concerned about unlawful surveillance in the U.S.
Standard Contractual Clauses
In its ruling, the CJEU also made specific reference to standard contractual clauses (SCCs), which are the main alternative for companies wishing to transfer data out of the EU legally.
Prior to the ruling, companies could simply sign SCCs that provided “sufficient safeguards on data protection for the data to be transferred internationally” and then transfer the data.
However, the new ruling means that, as opposed to just having the SCC in place, the company that wishes to export EU citizens’ data out of the EU must audit the process to ensure that the SCC can actually be complied with in practice.
The consequences of the Schrems II decision for corporates
The collapse of the EU-US Privacy Shield had been somewhat anticipated by corporate law teams and therefore, while it is not the ideal ruling from their perspective, it is not in itself world-shaking.
Of far greater consequence, however, is the CJEU ruling on SCCs.
This will doubtless provide a significant headache for any company that wishes to export EU citizens’ data out of the EU, because it will have to do a great deal of legwork to ensure that the SCC it wishes to use is being complied with in practice, while there are currently no specific tests in law for whether this is the case.
On the other hand, one potential cause for optimism for companies is that the EU Commission has already begun preparing templates for SCCs which can be put to general use.
Until these are in use, however, companies must make their own determination as to whether their SCCs adequately protect data to EU standards.
So, in the short-term at least, corporate legal teams must wrangle with their potential legal liabilities from SCCs, which could be significant.
The Foxrock Academy view
For law students, Schrems II is a fascinating case.
It has been almost a decade in the making, has had many twists and turns, has garnered mainstream interest across the world, and is heavily impacted by political jostling (both between EU member states and between the EU and the U.S.).
It should also not be lost on anyone that the person behind the eponymous case started it all as a keen law student, interested in the intricacies of privacy law in an international context.
We would strongly recommend that any student who is interested (and we’d assume you are, having read this far!) continue further reading on this case.
As a starting point we’ve provided a few links below.
If you have any further questions on Schrems II, or would like to find out where a career in data privacy could take you, please do not hesitate to contact us.
Or, if you would like to start a conversation with fellow readers, please leave a comment below.
The CJEU decision in brief
EU companies who want to transfer data out of the EU:
(a) can no longer rely on Privacy Shield
(b) may continue to use SCCs but now they must ensure that they are being complied with in practice.
About The Foxrock Academy
The Foxrock Academy helps students and graduates to secure internships and traineeships at prestigious corporate law firms.
It is our mission to open up the legal profession to a broader pool of talent.
We pride ourselves on our ability to guide, advise, and support candidates from a rich variety of backgrounds as they begin their professional careers.
Disclaimer: This article has been written to give readers a broad overview of the Schrems II case, and should not be construed as giving legal advice of any kind.
CJEU decision in full:
European Law Blog on the consequences of Schrems II:
Original agreement on the EU-US Privacy Shield:
Opinion of the Advocate General on Schrems II:
Irish Times articles on the case results: