Schrems II: Court of Justice of the European Union invalidates the Privacy Shield between the US and the EU
This article provides the historical context to the first ruling by the Court of Justice of the European Union (CJEU), which invalidated the Privacy Shield Program between the EU and the USA. There remain conspicuous cultural differences between Europe and the USA on technology and privacy.
In short, the Privacy Shield Program provided the legal basis over the past four years (2016–2020) for the transfer of personal data of EU-residing data subjects to USA-based data processors and controllers.
WHY IS/WAS PRIVACY SHIELD IMPORTANT?
International personal data flows are an important aspect of the world digital economy. Major multinational corporations, such as Apple, Facebook, Google and Amazon, need to disseminate personal data of their users, clients, suppliers, and employees all over the world. In this context, decisions like the CJEU’s become important as they can have a significant impact on the costs of doing business internationally. Varying standards for data protection around the globe lead to legal uncertainty, which manifests itself in increased spending on legal counsel, contracts, and updates to massive international databases and information systems, for instance.
WHY DO THE US/EU NEED A SPECIAL AGREEMENT?
The data privacy regimes of the EU and the USA have largely followed two different historical and philosophical paths.
The approach of the USA’s main enforcement agency, the Federal Trade Commission (FTC), favors self-regulation, varies according to industry sector, and can be described as “light touch.” Regulators in the USA prefer to let corporations police themselves with the court system for the rare instances where self-regulation fails. Or at least that’s what proponents of the American approach to data privacy (data protection in the EU) would claim.
In contrast, the European approach is “top-down” and based on fundamental rights to privacy and the protection of personal data. There is a major divergence with the American approach, which avoids discussion of federal rights of privacy or protection of personal data.
Safe Harbor (2000–2015)
The Safe Harbor program (2000–2015) was created to allow European personal data to be legally transferred to the USA under the EU’s 1995 Data Protection Directive. It consisted of a set of seven privacy principles that enterprises voluntarily followed. The Safe Harbor Agreement, which had been in effect for nearly 15 years, was suddenly struck down by the CJEU and replaced by the Privacy Shield in 2016. This too was struck down in 2020.
The Basics of Safe Harbor
The Safe Harbor Agreement was founded on a set of principles closely related to the Organisation for Economic Co-operation and Development’s (OECD) seven principles of protection of personal data, which also influenced the GDPR (General Data Protection Regulation). By agreeing to participate in Safe Harbor, US corporations essentially committed to privacy standards nearly equivalent to those in the GDPR. To be Safe Harbor-certified, US corporations had to promise to process European personal data according to the following principles:
- Notice: Individuals must be informed that their personal data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
- Choice: Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer: Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security: Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity: Data must be relevant and reliable for the purpose it was collected.
- Access: Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
- Enforcement: There must be effective means of enforcing these rules.
The Schrems Case (2015)
The Schrems case was the culmination of several other landmark “digital rights” cases that eventually led to the invalidation of the Safe Harbor Agreement. In that sense, Schrems was the last straw on the camel’s back.
In 2013, the Austrian citizen Max Schrems made a complaint to the Irish Data Protection Commissioner claiming that Facebook Ireland’s transfer of EU citizens’ personal data to the USA violated EU law. At the time, such transfers were legally valid under the Safe Harbor Agreement. Essentially, Schrems argued that in light of Edward Snowden’s leaking of classified US government surveillance programs, “there was no meaningful protection in US law or practice” for personal data transferred to the USA, because the US Government could obtain access to personal data without a court order.
Initially, Schrems’ complaint was dismissed by the Irish Data Protection Authority (IDPA) because Schrems could not demonstrate that his personal data had actually been affected. Yet, just one year later, the Irish High Court concluded that Schrems did in fact have legal standing under EU law, due primarily to the Digital Rights Ireland holding. Thus, the complainant did not need to have been personally affected in order to show that his right to respect for private life (Articles 7 & 8 of the EU’s Charter of Fundamental Rights) had been infringed. The Court also expressed concerns about US law enforcement surveillance and the lack of personal data protections in the USA, in particular that EU data subjects had no effective means of judicial review under Safe Harbor for privacy complaints. Ultimately, the Court found that the “adequacy” of the protection given to personal data under the Safe Harbor Agreement was not sufficient and hence declared it invalid in 2015.
On 16 July 2020, the CJEU invalidated the EU-US international data transfer framework – known as the Privacy Shield – bringing personal data protection and international data transfers to the forefront of current discussions on digital policy. In doing so, the CJEU expressed concerns over the USA’s surveillance programmes and the lack of protection provided for personal data. The Privacy Shield, however, was not the only option available to companies to transfer users’ personal data to the US. Many companies chose to use a set of Commission-approved standard contractual terms and conditions, contractually binding themselves to protect the data of their clients when transferring it outside the European Economic Area (EEA).
The CJEU upheld the validity of this second mechanism but placed substantial conditions on its use, to ensure that the destination country truly offers a level of data protection equivalent to that guaranteed by the EU. Following the Court’s decision, the EU’s failure to provide further clarification on the future of data transfers to the USA prolonged the uncertainty not only for the European operations of large tech firms, but also for European SMEs which benefit from global trade and US-based cloud services. In this context, this article sets out the current European data transfer framework, as well as the developments following the CJEU’s decision – widely referred to as ‘Schrems II’.
INTERNATIONAL DATA TRANSFER OPTIONS FOR COMPANIES
The General Data Protection Regulation (GDPR) sets out three different mechanisms for companies that transfer the personal data of their clients outside the EEA:
EU Adequacy Decisions
The European Commission has the power to review a third country’s legal system, domestic law and international commitments to determine whether it ensures an adequate level of protection for personal data. Once a Commission adequacy decision is adopted, companies may transfer personal data to that third country without any prior authorisation.
Appropriate Safeguards
In the absence of an adequacy decision, a company may still transfer the data of its clients outside the EEA, but only by providing appropriate safeguards to ensure that the protection guaranteed by the GDPR will not be undermined by the transfer. In addition, the company must ensure that data subjects have enforceable rights and effective legal remedies in the third country. Appropriate safeguards may be provided by means of:
- Standard Contractual Clauses (adopted or approved by the Commission)
- Binding Corporate Rules (approved by a competent supervisory authority)
- Codes of Conduct (approved by a competent supervisory authority)
- Certification Mechanisms
Derogations for specific situations
In exceptional circumstances, a transfer outside the EEA may take place, even if no adequacy decision and no appropriate safeguards are in place. Such transfers should be occasional and only under specific circumstances:
- If the data subject has explicitly consented to the transfer
- If the transfer is necessary for the performance or conclusion of a contract between the data subject and the company, at the former’s request and interest
- If the transfer is in the public interest
- If the transfer is necessary for the establishment, exercise or defence of legal claims
- If the transfer will protect the vital interests of the data subject
It is for the company to establish that the above conditions for a derogation are met.
US DATA TRANSFERS AFTER SCHREMS II
In the wake of Schrems II, companies may no longer rely on a European Commission adequacy decision to transfer data to the USA. This means that intercontinental data transfers on the basis of the Privacy Shield become impermissible. In theory, companies that wish to continue transferring data to the USA may still rely on the other mechanisms provided for in the GDPR.
However, the CJEU emphasised that even when using standard contractual clauses, companies must assess the level of personal data protection offered in the US, taking into account the circumstances of each particular transfer and any supplementary protection measures they take themselves. In light of the court’s observations on US surveillance programmes and the lack of redressal mechanisms for data subjects, it is uncertain whether companies can guarantee that the safeguards envisioned by the standard contractual clauses are upheld and that such protection is actually provided.
It is apparent that without further clarification on the future of EU-USA data transfers, the effectiveness of standard contractual clauses becomes questionable, especially for small companies that lack the capacity to assess the level of protection offered by the destination country, or to determine the measures they must take to ensure it. Thus, by continuing transatlantic data transfers, companies risk the imposition of administrative fines by their national Data Protection Authorities (DPAs), as well as liability for any damage caused by such transfers to data subjects.
Case in point: following the CJEU’s judgment, the Irish Data Protection Commission (DPC) launched an investigation into Facebook’s data transfer practices and initially concluded that the social media platform had to stop all transfers of EU data to the USA. Facebook, which used standard contractual clauses as the legal basis for transatlantic transfers, appealed the initial decision before the Irish High Court, seeking judicial review of the investigation. The company’s argument was that the DPC had not received regulatory guidance from the EU – specifically from the European Data Protection Board (EDPB) – and that acting without it would lead to more uncertainty.
To mitigate the uncertainty, the European Commission and the EDPB intend to modernise standard contractual clauses and provide companies with further guidance that will reflect the court’s conclusions. Towards this, the Commission has announced that it plans to publish a proposal for new standard contractual clauses within the year. At the same time, a third agreement between the EU and the USA focusing on US surveillance laws is possible but will take time to finalise.
IMPACT OF SCHREMS II ON INDIA
India has sizeable business and industrial data exchanges with countries in the EU. Information and personal data transfers in India are governed by the Information Technology Act, 2000 and the Rules thereunder. However, there is mounting criticism of the level of protection and the redressal mechanisms available under the existing legal framework.
India ought to be ready with its own robust personal data protection regime in case it faces the same fate as the USA. Moreover, there are significant gaps in Indian law on cross-border data transfer as compared to the EU GDPR standards, particularly with regard to government control and the legal framework for unrestricted government access to personal data processed by businesses in India. The CJEU’s decision places emphasis on the destination country having an independent judiciary that can specifically examine matters concerning personal data protection. Though the Personal Data Protection Bill, 2019 of India specifically deals with similar issues, it has not yet been made into law. The current law in India on this subject is contained in the Information Technology Act, 2000 (IT Act) and the Privacy Rules. While these laws protect “personal information” and “sensitive personal data or information”, and apply to body corporates that collect the information directly, they do not specifically apply to State or Government authorities. They also have limited applicability to the indirect recipient of information.
Concerns about the existing laws include, but are not limited to:
- there is no regulator or data protection authority;
- there are no guidelines or regulatory guidance on consent;
- there are no special requirements prescribed for children/minor’s data;
- they are not applicable to State or Government authorities; and
- there is limited applicability to the indirect recipient of information.
The Personal Data Protection Bill, 2019 was introduced to address some of the issues above, as well as the fact that the Supreme Court of India held in 2017 that privacy is a fundamental right protected by Article 21 of the Indian Constitution. This legislation is making its way through the Parliamentary process, currently under consideration by the Joint Parliamentary Committee. It is anticipated it will come into effect at some point in 2021.
The Schrems judgment will affect not only the USA but also every other country that deals commercially with the EU. In that sense, it could also be a wake-up call for India to take note of, and prepare for, the personal data protection regime gradually developing across the world and especially in the EU. Though SCCs remain valid, the CJEU has asserted that they will be considered and vetted on a case-by-case basis, in light of the legal regime in the host country.