Schrems v Facebook: European court strikes down EU-US Privacy Shield agreement

Privacy Shield struck down

Today’s decision marks the second time the European court has struck down the data sharing agreement between the EU and the US.

The court found that Privacy Shield, like its predecessor Safe Harbour, which was struck down by the court in 2015, gave the requirements of US national security and law enforcement agencies priority over the rights of EU citizens.

Privacy Shield “condoned” interference with the fundamental rights of EU citizens when their data is transferred to the US, it said.

The European court found that US surveillance laws meant that the US did not offer privacy protections equivalent to those under EU law, ruling they were not proportionate and went beyond what was strictly necessary.

In particular, it found that US laws did not give EU citizens rights of redress through the courts if their data was misused.

The court disagreed with the European Commission that the Ombudsperson, set up in Privacy Shield to provide redress to EU citizens, provided effective redress for EU citizens. 

It said the Ombudsperson mechanism “does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law” and it failed to ensure that the Ombudsperson was independent or had the powers to make decisions that were binding on the US intelligence services.

SCCs given green light – with conditions

The court found that EU law, and General Data Protection Regulation (GDPR) in particular, applies when companies transfer data to countries outside the EU, even when that data is processed by third-party governments for national security, defence and state security.

People must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries, as they would receive in the EU under GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their private data.

SCCs are used to transfer data from the EU to some 180 countries, including Australia, Singapore, South Korea, Brazil, India and Mexico, according to the Business Software Alliance (BSA).

Although the court found that SCCs were legally valid, it said any data transfer agreements must take into account the legal system of the country receiving the data and any access governments or public authorities have to data on EU citizens.

The court said companies had a responsibility to ensure that the companies outside the EU they plan to share data with granted privacy protection equivalent to EU law.

The receiving company has to inform the data exporter of any inability to comply with the SCC and the company sending the data is obliged to suspend data transfers if EU privacy laws are breached, it said.

The court made it clear that data protection regulators would be required to act if companies transfer data to the US or other countries without meeting European privacy safeguards.

“Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims”

Data protection authorities (DPAs) are “required to suspend or prohibit a transfer of personal data to a third country” where they believe that country cannot comply with standard data protection clauses.

The court said that regulators must act if a company exporting the data has failed to suspend data transfers itself and that data protection cannot be ensured in any other way.

Tanguy Van Overstraeten, partner and global head of privacy and data protection at law firm Linklaters, said the decision would impact large companies, which make hundreds or thousands of data transfers through standard contractual clauses.

“Large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The court has made it clear companies cannot justify them using a tick box exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed,” he said.

Van Overstraeten said it would become more difficult for companies to transfer data to countries with strong surveillance powers, including the US, India and China.

“Businesses will now look to EU regulators to propose some form of transition to allow them to move away from Privacy Shield without the threat of significant sanctions and civil compensation claims,” he said.

Max Schrems: Regulators must enforce the law

Schrems said the ruling had put an end to the discretion of data protection authorities to decide not to take action when data transfers are in breach of EU data protection law.

Schrems has been pressing the Irish Data Protection Commissioner (DPC) to take action against Facebook after filing a complaint in 2013 that Facebook Ireland was transferring personal data of EU citizens to Facebook Inc in the US, in breach of EU data protection and human rights law.

NYOB

“Authorities like the Irish DPC have so far undermined the success of the GDPR by simply not processing complaints. The court has clearly told the DPAs to get going and enforce the law”

Max Schrems

He argued that US surveillance programmes, including the Prism program exposed by whistleblower Edward Snowden, which extracts data from communication services companies, including Facebook, did not respect the privacy rights of non-US citizens.

“The court is not only telling the Irish DPC to do its job after seven years of inaction, but also telling all European DPAs that they have a duty to take action and cannot just look the other way. This is a fundamental shift going far beyond EU-US data transfers,” he said.

“Authorities like the Irish DPC have so far undermined the success of the GDPR by simply not processing complaints. The court has clearly told the DPAs to get going and enforce the law.”

He said that decision meant Facebook would not be able to use SCCs for EU-US data transfers, and if it continued to violate the law, the DPC would have to “take urgent action”.

Court decision will affect trade between EU and US

The Business Software Alliance, one of the parties to the case, said the court’s decision to invalidate Privacy Shield would create a barrier for electronic commerce between the US and the EU.

“Today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic,” said Thomas Boué, director general of the BSA.

“Today’s Privacy Shield decision just removed from the table one of the few, and most trusted, ways to transfer data across the Atlantic. The impacts will be felt by enterprises large and small”

“The impacts will be felt by large and small enterprises on both side of the Atlantic, when businesses are focused on recovering from the economic impacts of Covid-19 and are increasingly relying on data-driven tools and services to do so,” he said.

Renzo Marchini, partner at law firm Fieldfisher, said that although businesses could continue to use SCCs, there was “a big but” – the court has made it clear that businesses will need to ensure that any country they transfer data to offers “essentially equivalent” protection to the EU.

“How is any European business – certainly smaller ones – supposed to do that?” he said. “This is crying out for urgent guidance from regulators. It is impractical for any but the largest businesses to do this assessment.”

It is difficult to see how regulators would be able to allow data transfers to the US under standard contractual clauses, following the court’s invalidation of Privacy Shield, said Marchini. 

Caitlin Fennessy, research director at the International Association of Privacy Professionals, claimed the court’s decision would adversely impact US companies that share data with the US.

“Today’s decision effectively blocks legal transfers of personal data from the EU to the US. It will undoubtedly leave tens of thousands of US companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually,” she said.

Max Schrems said today that industry lobbying groups had exaggerated the impact of the ruling on businesses, as in practice “necessary” data flows can still continue legally under article 49 of GDPR.

“This is a solid basis for most legal transactions with the US. In simple words, the US has now been brought back to the ‘normal’ situation that the EU has with most other third countries, but lost its special access to the EU market over US surveillance,” he said.

Companies may relocate data to Europe

Data flows between the US and the EU are unlikely to dry up immediately. It is likely that the European Commission will give companies that rely on Privacy Shield a grace period to make new arrangements.

“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying its data standards can be trusted, but those in the US cannot”

Many companies are expected to switch from Privacy Shield to standard contractual clauses to continue to transfer data legally.

The European Commission is in the process of revising SCCs to take into account GDPR, and confirmed  it modify them following the European court’s decision.

European Commission Vice President Jourova said at a press conference today that the Commission will be working with the US counterparts including, US Commerce Secretary Wilbur Ross, and Attorney General William Bar, to develop robust EU-US data transfers.

Jonathan Kewley, co-head of technology at law firm Clifford Chance, said some companies were likely to respond by localising their data in Europe.

“What we are seeing here looks suspiciously like a privacy trade war, where Europe is saying its data standards can be trusted, but those in the US cannot,” he said. “We predict that the outcome could be more Europe data localisation, with more customer data staying in Europe as a result.”

Decision could affect EU-UK data transfers

Today’s decision is likely to impact data transfers between the EU and the UK following Brexit. Data transfers from the UK to the EU will be unaffected until 2024.

But it is not yet certain whether the EU concludes that the UK offers EU citizens adequate protection for their data, under the UK’s surveillance law, the Investigatory Powers Act. 

Daniel Tozer, head of data and technology at law firm Harbottle & Lewis, said the ability of companies to transfer data between the EU and the UK was uncertain following the judgment.

“This judgment raises questions about the UK’s ability to be awarded data protection ‘adequacy’ by the EU, given the UK’s own surveillance laws and its membership of the Five Eyes programme. Data transfers between the EU and the UK from 1 January 2021 could well become very challenging indeed,” he said

Jim Killock, executive director of the Open Rights Group said that, following the judgment, the UK would have to choose between maintaining the high privacy standards of the EU or lower privacy standards of the US after Brexit.

“The UK’s surveillance regime will be questioned after this judgment, as Europe has rejected Privacy Shield precisely because of concerns over surveillance. Similarly, standard contractual clauses cannot now be relied on,” he said.

Irish DPC: Data transfers to US now ‘questionable’ 

The Irish Data Protection Commission, which referred the case to the European Court of Justice, said the decision supports the concerns of the regulator and the Irish High Court that EU citizens do not receive the level of protection demanded by the EU when their data is transferred to the US.

“While the judgment most obviously captures Facebook’s transfers of data relating to Mr Schrems, it is of course the case that its scope extends far beyond that, addressing the position of EU citizens generally,” it said in a statement.

Although the court found that SCCs were valid, their use to transfer personal data to the US was now questionable, the regulator, headed by Helen Dixon, said.

“This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis,” it said.

Facebook considers implications

Eva Nagle, associate general counsel for Facebook, said the social media network was considering the implications of the court’s decision to strike down Privacy Shield.

“We welcome the decision of the Court of Justice of the European Union to confirm the validity of standard contractual clauses for transfers of data to non-EU countries. These are used by Facebook and thousands of businesses in Europe and provide important safeguards to protect the data of EU citizens,” she said.