Californians with an ear to the privacy ground have probably seen mention of the Schrems II case working its way through European courts. While we wait for what could be a groundbreaking decision, let’s take a look back at the history of this case and why it is so important to the international privacy community.
The story of Schrems II begins, unsurprisingly, with Schrems I. Long story short, the Data Protection Directive, the predecessor to the General Data Protection Regulation (GDPR), the European Union’s recent privacy law, imposed strict regulations regarding data collection, retention, and use on European Economic Area (EEA) companies and companies processing the data of people in the EEA.
A chain is only as strong as its weakest link. As a result, the Data Protection Directive (as the GDPR still does) required that before data can be transferred to a country outside of the EEA, the European Commission (EC) must make a finding that that country’s laws are “adequate” to protect the data. This includes an analysis of the country’s laws, supervisory authorities, and international treaties the country is a party to.
The problem for the United States is that there was not (and still is not) a federal privacy law on par with the DPD and GDPR, rendering the U.S. inadequate for data transfer and making it illegal to transfer such data from the EEA to the U.S.
At first, a solution presented itself. Rather than adopt new privacy laws in the United States, American companies could voluntarily agree to practices that would improve data security, called the “Safe Harbour Privacy Principles.” This lasted until 2015, when a lawyer and privacy activist named Max Schrems complained to the Irish supervisory authority that Safe Harbor was inadequate. Schrems argued that, as a Facebook user, his data would be transferred from Ireland to the U.S., and that, in light of Edward Snowden’s revelations of massive internal surveillance, the U.S. was no longer as secure as the EU. The Court of Justice of the European Union (CJEU) struck down Safe Harbor as inadequate.
In its decision, the CJEU pulled no punches in criticizing American government and law enforcement’s disregard for privacy laws (emphasis in original):
[T]he Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
As a result, the CJEU scrapped Safe Harbor. Shortly thereafter, the EU and U.S. reached another agreement, called Privacy Shield. While Privacy Shield will likely be tested in the CJEU soon, that is not the subject of Schrems II or this post.
Rather, after his victory over Safe Harbor, Schrems took aim again at Facebook and argued that their Standard Contractual Clauses (SCCs) were invalid. SCCs play an important role in international data transfers: rather than a set of protections that companies opt into like Safe Harbor, SCCs are pre-approved sets of contractual guarantees that the parties agree to on a per-case basis (typically as an addendum to a contract). In other words, even though the U.S. legal framework is seen as inadequate by the EU, Facebook is ostensibly agreeing by way of contract to abide by EU law with regard to data it receives from the EEA.
According to the Irish Times, Schrems found out after the CJEU decision that Facebook uses such SCCs, and filed another complaint to determine whether these SCCs could actually be enforced and whether they meet the EU’s privacy requirements. This case, called Schrems II, was just argued in front of the CJEU, with a “non-binding opinion” due to be handed down on December 12.
So what will happen if Schrems wins and SCCs are struck down as a viable alternative? Probably a lot of dysfunction. Companies can still rely on Privacy Shield, though that scheme is also up for review (with many speculating that it will be struck down as well, as it didn’t actually fix the major national security/surveillance concerns from Safe Harbor). There is also some concern that the CJEU may strike down Privacy Shield at the same time, even though Schrems II doesn’t actually deal with Privacy Shield.
Companies can rely on “binding corporate rules,” which are similar in concept to SCCs except that they take longer to implement and require approval from a supervisory authority. IAPP speculates that the EC could “modernize” the SCCs to resolve whatever problems the CJEU identifies, assuming Schrems wins. Failing one of these solutions, however, there may very well be a tangible drop in data being transferred from the EEA to the United States, at least until a new regulatory framework is adopted.
Until we know how exactly the CJEU is going to rule, regardless of which side you’re on… hold your breath.
While we wait for the CJEU’s decision, why not read more about the California Consumer Privacy Act?
Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.