The long-anticipated Schrems II decision is here! But as of yet it’s hard to tell whether it’s a game changer. The European Court of Justice judgement invalidated the Privacy Shield program that most companies used to legally transfer personal data from the European Union to the United States. However, it ruled that Standard Contractual Clauses (SCCs) are still a valid data transfer mechanism. Why was this decision made? What are the impacts on industry? And what does it mean for consumers?
We’ve been here before. In 2015, the CJEU handed down its first judgement (Schrems I) invalidating the Safe Harbor regime (European Commission Decision 2000/520). Originally set up in 2000, Safe Harbor enabled the “safe” transfer of personal data from the EU to third countries that did not have adequate data protection laws in place meeting EU standards per the Data Protection Directive (Directive 95/46/EC) and the European Charter of Fundamental Rights. In addition, the European Commission, in 2010, established Standard Contractual Clauses (SCCs) as an acceptable way for European organizations to contract with data processors in third countries that don’t meet adequacy standards (Decision 2010/87).
Maximilian Schrems, an Austrian privacy advocate and Facebook user, brought a complaint to the Irish DPA (Ireland is Facebook’s and most tech companies’ “main establishment” in the EU), arguing that despite Safe Harbor, the US government can still indiscriminately collect, process, and store Europeans’ data when transferred to the US, as evidenced by the 2013 Edward Snowden revelations. Because the US did not (and still does not) have adequate privacy law to protect people’s data, Safe Harbor instituted principles that mimicked the EU’s Data Protection Directive, to which companies could voluntarily certify in order to continue importing Europeans’ data. The CJEU found that US surveillance law and practice override Safe Harbor, thereby invalidating the program. A year later, the EU-US Privacy Shield (European Commission Decision 2016/1250) was born, replacing Safe Harbor and containing stronger protections, particularly around third-party data sharing, also known as “onward transfer”.
Schrems continued to argue that the US does not offer adequate privacy protections under the SCCs that, in his case, Facebook Ireland uses to transfer personal data to the US. The Schrems II decision thus had to take both the Privacy Shield and the SCCs under consideration. The Privacy Shield was invalidated because it is an instrument that allows the transfer of Europeans’ data into a country with surveillance law that overrides it and does not offer adequate protections. The Court called out that US surveillance agencies don’t respect the principle of proportionality; they hoover up everyone’s data rather than what is expressly needed for national security. They don’t specify how they will use the data, even in broad terms, nor how long they will retain it. And Americans, let alone Europeans, don’t have sufficient means to challenge this data use in court. These are all principles now clearly enshrined in the GDPR, which has been EU law since 2018, and therefore the Privacy Shield cannot protect Europeans’ data at the level of EU law.
However, the Court of Justice ruled that SCCs provide “effective mechanisms” to ensure privacy protections equal to EU law. This is surprising because the SCCs were written pre-GDPR, and if the Privacy Shield is invalidated, why wouldn’t the SCCs be invalidated too? If a standardized certification program administered by the US Department of Commerce cannot prevent surveillance overreach, how can individual contracts do so on a case-by-case basis? The Court substantiated its decision by claiming that the SCCs already require each data exporter to “verify” that the data importer can meet its contractual obligations. But in practice, how can an EU organization “verify” that a US surveillance agency won’t hoover up their data when this surveillance happens surreptitiously, indiscriminately, and without regard for any constitutional privacy protections or any US federal privacy law, since no such comprehensive law exists? Noyb has already created a model request form that a European data exporter can use to ask the data importer if they can essentially resist US surveillance law (e.g. FISA 702 and EO 12,333). While useful for organizations and consumers to put more pressure on data importers, time will tell how effective this will be.
What does this mean in practice? Industry, at least publicly, is interpreting the CJEU ruling as business as usual. The SCCs remain valid; all is not lost. Others are more skeptical about whether, in practice, the SCCs will remain valid, and there is already a wide range of interpretations from DPAs and the EDPB. And this is precisely the problem with a ruling that invalidates a blanket program (no matter how inadequate) and devolves adequacy interpretation to a case-by-case basis, potentially causing further fracturing of the GDPR. Ideally the EDPB would be able to wrangle all of the DPAs and whip them into taking one position. We’ll see if that’s possible.
Moreover, by leaving the SCCs in place, the Court allowed data flows to continue with the overreach of US surveillance law safely intact. Consumers don’t immediately gain any substantive protections. On the other hand, if SCCs had been invalidated, there would really be no legal basis for EU-US transfers. The vast majority would not be able to rely on GDPR Art. 49 derogations, as consent is often difficult if not impossible to capture and the other purposes for processing are extremely limited. Aware of this, perhaps the Court decided to invalidate the Privacy Shield to signal that there are issues, while stopping short of invalidating the SCCs, a step that would have prohibited most EU-US commerce and would of course have had serious consequences for the economy.
As DPAs put out their guidance, we’ll see how the business and privacy communities will respond. Will this lead to a Privacy Shield 2.0? Will the Schrems saga continue? Or will the decision put enough pressure on the US to reform its national surveillance laws so everyone wins? Stay tuned!