The Schrems Decisions: Cross-border Data Transfers
Max Schrems
Max Schrems is an Austrian lawyer, author, and activist. Specifically, he is an activist regarding privacy rights and their enforcement. He is the co-founder of NOYB – European Center for Digital Rights. NOYB is an acronym for ‘none of your business’ and the organization is focused on supporting the GDPR and information privacy in general.
Schrems I
In 2013, Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner (DPC). The complaint stemmed from Facebook’s transfer of data from Ireland to the United States. One of the primary concerns raised was that with the PRISM mass surveillance program, data that was sent to the US would be intercepted by American intelligence agencies.
This interception of personal data is (and was) antithetical to EU data protection law. Data transfers to non-EU countries were supposed to be prohibited unless a company could guarantee “adequate protection.”
This was the standard in place from the EU-US Safe Harbor Principles. The European Commission had previously found that the Safe Harbor Principles would provide “adequate protection,” thereby allowing businesses to transfer data to the US as long as they complied with the Safe Harbor Principles.
The Irish DPC rejected Schrems’s complaint, but Schrems applied to the Irish High Court for judicial review. The Irish High Court accepted his application. In 2014, the Irish High Court adjourned the case pending a referral to the Court of Justice of the European Union (CJEU). The Irish High Court determined that EU privacy law pre-empted Irish privacy law, so the CJEU would be the correct body to analyze whether the Safe Harbor Principles provided adequate protection under EU privacy law.
During a hearing in front of the CJEU, the lawyer for the European Commission (ostensibly defending the Safe Harbor Principles) acknowledged that the European Commission could not guarantee that there would be adequate safeguards for the protection of data.
On September 23, 2015, the Advocate General for the court, Yves Bot, declared the Safe Harbor agreement invalid and indicated that data protection authorities (DPAs) could suspend data transfers to non-EU countries if the transfers would violate EU rights.
Privacy Shield
The means by which businesses transferred data to the United States from the EU had come crashing down, but businesses still had massive interconnectivity between the EU and the United States. Alternative methods of achieving data transferability were more costly and had the potential to hurt economies on both sides of the Atlantic.
The importance of reducing the transaction costs of transferring data from the EU to the US was recognized and led to the establishment of the EU-US Privacy Shield. See the timeline below.
Timeline | |
---|---|
9/23/2015 | Yves Bot, CJEU’s then Advocate General, declares Safe Harbor agreement invalid. |
10/6/2015 | CJEU ruled the Safe Harbor framework invalid. |
2/2/2016 | European Commission and US Government reach political agreement on new framework, the EU-US Privacy Shield. |
4/13/2016 | Article 29 Data Protection Working Party stated that the Privacy Shield offered major improvements over Safe Harbor but that areas of concern still remain. |
7/8/2016 | EU member states’ representatives approved the final version of the EU-US Privacy Shield. |
7/12/2016 | European Commission adopted the framework and it went into effect immediately. |
Schrems II
The hastily drafted Privacy Shield framework took into account the shortcomings of the Safe Harbor framework and we all lived happily ever after, transferring data from the EU to the US, right? Not exactly. The complaint that Schrems originally filed with the Irish DPC, and which subsequently went to the Irish High Court after Schrems applied for and received judicial review, led to multiple spin-off litigations. One of the spin-off litigations led to the invalidation of the Safe Harbor framework by the CJEU. Another spin-off led once again to review by the CJEU, this time to review the case and answer eleven questions related to the validity of Standard Contractual Clauses (SCCs) and Privacy Shield.
In its review, the CJEU invalidated the EU-US Privacy Shield on July 16, 2020. The CJEU also ruled that Data Protection Authorities (DPAs) must stop data transfers made under SCCs when the company is subject to overbroad surveillance (like Facebook).
Aftermath
The Schrems complaint against Facebook Ireland Ltd has ultimately led to the invalidation of the Safe Harbor framework and the Privacy Shield framework, which had each been the primary means of transferring data from the EU to the US. Companies can still use SCCs to transfer data to the United States, but not all companies can do so (e.g. Facebook). Data transfers to non-EEA countries are possible using other means, but they are pretty niche. These include binding corporate rules, an approved code of conduct, an approved certification mechanism, a legally binding and enforceable instrument between public authorities, or additional methods which are subject to the authorization of the relevant DPA. (In the interests of full disclosure, there are also some derogations [exceptions] which allow for data transfers, but they are not generally applicable and truly are the exception, not the norm.)
For practical purposes, companies now have to rely on SCCs in order to transfer data from the EU to the US. SCCs are far from being bulletproof, as some companies such as Facebook are prohibited from using SCCs due to the company’s subjection to overbroad surveillance. One aspect of the analysis is whether data subjects will receive meaningful protection stemming from the SCCs or whether US intelligence agencies are likely to collect the company’s data in bulk.
On the one hand, SCCs are a life preserver for companies based in the United States that do business in the EU. On the other hand, they represent an added cost of doing business. They also represent an uncertainty that most businesspeople would love to avoid.
Clarip can’t give you any certainty about the continued viability of SCCs, but we can help you reduce compliance costs. We can map your data flows with our Automated Data Mapping tool. We can see what data you are transferring and where it goes with our Data Risk Intelligence Scan. Consult with Clarip, so we can help you find the perfect fit at the right price for your data privacy goals. Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.