A highly anticipated ruling by Europe’s top court has just landed — striking down a flagship EU-US data flows arrangement called Privacy Shield.
The case — known colloquially as Schrems II (in reference to privacy activist and lawyer, Max Schrems, whose original complaints underpin the saga) — has a long and convoluted history. In a nutshell it concerns the clash of two very different legal regimes related to people’s digital data: On the one hand US surveillance law and on the other European data protection and privacy.
Putting a little more meat on the bones, the US’ prioritizing of digital surveillance — as revealed by the 2013 disclosures of NSA whistleblower Edward Snowden, and writ large in the breadth of data capture powers allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) — collides directly with European fundamental rights which give citizens rights to privacy and data protection.
The Schrems II case also directly concerns Facebook, while having much broader implications for how large-scale processing of EU citizens’ data can be done.
At specific issue are questions of legality around a European data transfer mechanism used by Facebook (and many other companies) for processing regional users’ data in the US — called Standard Contractual Clauses (SCCs).
Schrems challenged Facebook’s use of SCCs at the end of 2015, when he updated an earlier complaint with Ireland’s data watchdog on the same data transfer issue related to US government mass surveillance practices.
He asked the Irish Data Protection Commission (DPC) to suspend Facebook’s use of SCCs. Instead the regulator decided to take him and Facebook to court, saying it had concerns about the legality of the whole mechanism. Irish judges then referred a large number of nuanced legal questions to Europe’s top court, which brings us to today. It’s worth noting Facebook repeatedly tried and failed to block the reference to the Court of Justice.
The referral by the Irish High Court also looped in questions over a flagship European Commission data transfer agreement, called the EU-US Privacy Shield. This replaced a long-standing EU-US data transfer agreement called Safe Harbor, which was struck down by the CJEU in 2015 after an earlier challenge also lodged by Schrems. (Hence Schrems II.)
So part of the anticipation associated with this case relates to whether Europe’s top judges would choose to weigh in on the legality of Privacy Shield — a data transfer framework that’s being used by more than 5,300 companies at this point. And which the European Commission only put in place a handful of years ago.
Critics of the arrangement have maintained that it does not resolve the fundamental clash between US surveillance and EU data protection.
In the event, the CJEU has sided with critics who have long maintained that Privacy Shield is the equivalent of lipstick on a pig. It’s certainly not a good day for the Commission (which also had a very bad day in court yesterday). We’ve reached out to the EU executive for comment.
Privacy Shield had also been under separate legal challenge — with the complainant in that case (La Quadrature du Net) arguing the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data.
On SCCs, the judges have not taken issue with the mechanism itself — but have impressed on data controllers the obligation to carry out an assessment of the data protection afforded by the country where the data is to be taken. If the level is not equivalent to that offered by EU law then the controller has an obligation to suspend the data transfers.
Commenting on the ruling in a statement, Schrems said: “I am very happy about the judgment. At first sight it seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”
We’ve also reached out to Facebook and the Irish DPC for comment.
This is a developing story…