Facebook is at the center of the “Schrems” case, which exposed contradictions between U.S. and EU data privacy rules and toppled the U.S./EU Safe Harbor (Schrems I). In Schrems II, Austrian Max Schrems challenges the adequacy of standard contractual clauses and the Privacy Shield (the replacement to the Safe Harbor). A recent opinion in Schrems II questions the adequacy of privacy protections guaranteed by the U.S. but for now preserves the Privacy Shield and standard contractual clauses as potential adequate means of transferring personal data from the EU to the U.S.
The opinion was issued on December 19, 2019 by the Advocate General (AG) of the Court of Justice of the European Union (CJEU), Henrik Saugmandsgaard Øe. To the relief of many, the opinion does not invalidate the use of standard contractual clauses or the Privacy Shield as methods for the transfer of personal data from the EU and the United States. The opinion, however, does highlight the continuing challenges that U.S. government surveillance practices pose to such transfers, and puts controllers transferring data to the U.S. in the difficult position of ensuring adequate protections despite government surveillance rights.
Under EU law, personal data generally can flow out of the EU under three mechanisms:
- If the European Commission has decided that the receiving jurisdiction has an “adequate level of protection” for personal data of EU residents;
- If the transfer comes with “appropriate safeguards,” such as by incorporating standard contractual clauses issued by the European Commission containing privacy protections or transferring to a company certified under the EU/U.S. Privacy Shield;
- In certain other cases, such as when the data subject has given consent.
Concerning the first mechanism, the AG, unsurprisingly, wrote that he has doubts about “the validity of the finding that the United States guarantees, in the context of the activities of their intelligence services … an adequate level of protection.”
The AG’s opinion largely centered on the second mechanism, mainly on standard contractual clauses. While the validity of the Privacy Shield, was called into question as part of Schrems II, the AG said the Schrems II case could be decided without adjudicating the Privacy Shield because the central question rests with standard contractual clauses. In 2010, the European Commission issued Decision 2010/87/EU, establishing standard contractual clauses as data transfer mechanisms. In Schrems II, Facebook justified its data transfers under that decision.
All Facebook users in the EU must enter into a contract with Facebook Ireland. Personal data is then transferred to and processed in Facebook, Inc.’s servers located in the U.S. Facebook Ireland relies on standard contractual clauses to justify these data flows. Max Schrems argues that Articles 7, 8, and 47 of the European Charter guarantee certain protections of personal data are violated by provisions of U.S. law requiring companies to make personal data available to American intelligence authorities.
The case originated with the Irish Data Protection Commissioner (Irish DPC). The Irish High Court sent 11 questions for preliminary ruling to the CJEU, which it wanted addressed before adjudicating Schrems’ complaint. CJEU’s ruling is expected in early 2020. While the AG opinion is not legally binding, the CJEU is expected to follow suit in its final decision.
While the AG’s opinion upheld the validity of standard contractual clauses, it does call into question how companies will be able to comply with EU privacy rules and requests for information from American intelligence services at the same time. The ultimate responsibility falls on the controllers. According to the AG’s opinion: “There is an obligation – placed on the controllers and, where the latter fail to act, on the supervisory authorities – to suspend or prohibit a transfer when, because of a conflict [between the clauses of the EU and the destination country], those clauses cannot be complied with.”
As the Irish DPC pointed out in a statement about the AG’s opinion, companies could face the added procedural complexities arising from potential fragmentation if the supervisory authorities of individual EU member states have to get involved.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. Moore & Van Allen’s Privacy & Data Security Group recognizes the challenges clients face in the effort to stay abreast of such volatility. “Data Points” seeks to educate by providing transparent and cutting-edge insight on the most critical issues and dynamics. Our goal is to inform business decision-makers who are navigating these waters about the information they must protect, and what to do if/when security is breached. Read About Our Practice and Meet the MVA Privacy & Data Security Team.