What is Schrems II?
This ruling by the CJEU is more commonly known in data protection circles as Schrems.
What is it and why should we care?
In simple terms, it has huge implications for transfers of personal data from the EU to the US. For example, the American social media and retail giants who gather personal data on a massive scale in the EU typically transfer it to the US for further processing.
They have to be legally able to do that, and Privacy Shield was an umbrella US-EU agreement that enabled the transfers. Only now the CJEU has decided that Privacy Shield isn’t fit for purpose; it decided that not all personal data rights under GDPR could be upheld in the US.
Strictly speaking the personal data transfers under Privacy Shield should now stop, but the economic implications are huge and we’re still waiting for direction from the European authorities on what to do. It’s also worth noting that the US Department of Commerce has published guidance on how to facilitate data transfers, which I’ll discuss at the end.
In order to get a better understanding, and what Schrems 2 is, we need to first understand some of the General Data Protection Regulation (the GDPR), and a bit of history.
In 1995, the EU adopted the Data Protection Directive which gave data subjects additional rights over the processing and transfer of their personal data. It prohibited the transfer of data out of the EU to jurisdictions that did not provide adequate privacy protections.
In 2000, the Safe Harbor agreement was established between the US and the EU to ease the export of personal data from the EU. Companies such as Facebook could self-certify under Safe Harbor that they would protect EU personal data in line with the Directive when transferred to the US.
In 2013, Edward Snowden leaked classified information to journalists. Amongst the revelations were the facts that the NSA was harvesting personal data from social media, games and tech companies. Maximillian Schrems is an Austrian lawyer and privacy activist who, in 2013, took Facebook to court in Ireland where Facebook has its European headquarters.
In light of Snowden’s leaks he argued that Facebook’s data transfers to the US should stop. The case was referred to the Court of Justice of the European Union (CJEU) where in 2015 Safe Harbor was declared invalid because it could not provide adequate safeguards. This became known as Schrems 1.
Schrems didn’t stop there: he then argued to the Irish Data Protection Commissioner that the EU model clauses used by Facebook following the collapse of Safe Harbor were also inadequate. The European Commission has issued three sets of model clauses which are Standard Contractual Clauses (SCCs) for the transfer of personal data to inadequate jurisdictions. In 2017 Schrems’ case was referred to the CJEU.
In 2016, the US Government and the European Commission rushed in the Privacy Shield Framework, which strengthened privacy protections designed to answer the CJEU’s criticisms of Safe Harbor. Immediately French privacy activist group La Quadrature du Net launched a challenge to Privacy Shield, claiming that it also allowed mass surveillance abuses by the US Government.
In 2018, the General Data Protection Regulation was launched, harmonizing and strengthening privacy law across the EU.
In 2019, the CJEU decided to consider together the parallel questions about the US surveillance regime raised by Schrems and La Quadrature du Net.This is Schrems II.
The CJEU cited significant concerns with US surveillance law. It found that the surveillance programs authorised by the Foreign Intelligence Surveillance Court did not amount to a judicial review. It also found that surveillance conducted outside the US under Executive Order 12333 did not provide sufficient rights for foreign persons. It concluded that the Privacy Shield ombudsman was not independent of the US executive branch and that it lacked power over the US intelligence services.
But in the same ruling the CJEU declared that Standard Contractual Clauses (SCCs) were still fit for purpose. It found that SCCs provide an adequate contractual control for organisations to assess privacy protections under foreign surveillance law, e.g. it’s up to the data controller to decide if a destination country has adequate privacy law.
Which, to be frank, doesn’t really help. If the CJEU has decided that US law doesn’t provide adequate privacy protection, then using SCCs won’t make any difference, a point recently confirmed by the European Commissioner for Justice. So it’s a brave data controller who decides to carry on with data transfers to the US and it’s a brave data controller who tells their CEO to stop data transfers. Which is why everyone is waiting for guidance from the European Data Protection Board (EDPB).
The EDPB has established a taskforce to come up with recommendations for supplementary measures for data transferred to third countries i.e. the US. A German supervisory authority has already issued guidance, which includes tightly controlled encryption or pseudonymisation, or anonymisation, although they are also proposing bespoke SCCs which introduces new difficulties.
The European Commissioner for Justice is in conversation with US authorities on a new data transfer agreement. However, Europe is publically stating that US law will need to change, which could prove a stumbling block. There are encouraging signs that a Federal privacy law will eventually appear but not until at least 2021 and we don’t know what it will look like. In the meantime EU officials are revising the SCCs which could be available by the end of 2020.
It’s complicated, and to further add to the mix, there’s Binding Corporate Rules (BCRs) and there’s Article 49 derogations.
BCRs are an organisation’s rules to govern internal data transfers to jurisdictions outside of the EEA. The organisation has to demonstrate to their supervisory authority that their BCRs put in place adequate safeguards.
The CJEU didn’t mention BCRs in their ruling, but by implication BCRs must also be in doubt.
Article 49 derogations are a set of conditions for transfers to take place when the destination jurisdiction doesn’t have appropriate safeguards. For example, if the data subject gives explicit and informed consent. But these are very specific conditions and administratively burdensome.
And the American reaction? The Department of Commerce, the Department of Justice and the Director of National Intelligence have jointly published a paper that describes US privacy safeguards after Schrems II. It is intended to assist data controllers to determine whether or not there are adequate US safeguards in place for SCCs, which seems moot given the CJEU’s ruling.
However, it also reads as ‘it’s not fair!’ – its point is that the ruling was on the validity of the original Privacy Shield decision in 2016, not on US law per se, and that the evidence considered at the time was incomplete. It points out that US surveillance law has developed since then, and that there are 5 EU member states with surveillance laws incompatible with the CJEU’s ruling.
The paper satisfyingly also states the concern many data protection officers have been worrying about – how is it possible for companies using SCCs to assess the adequacy of US privacy protections? DPOs around the world are waiting to be told.
Authored by: Tim Pinnell, NQA Information Security Assurance Manager