The Effect of the Schrems II Decision on US-EU Trade Relations

Photo via https://www.cyberark.com/resources/blog/data-privacy-day-data-protection-lessons-from-the-2010s

The future of the EU-US privacy relationship has been shaky as of late, due to a mix of trade tensions and court rulings. At the center of current trade tensions is the Schrems II case, which invalidated the EU-US Privacy Shield and frustrated American officials and businesses. This judgement is a preliminary ruling before the EU Court of Justice, initiated by Austrian lawyer and political activist Maximilian Schrems. Schrems initially brought this complaint before the Irish Data Protection Authorities (DPA), claiming that the way Facebook transferred personal data from the EU to the US violated the privacy standards of the EU’s main data privacy law, the General Data Protection Regulation (GDPR).[1]

This particular case continued the issues from the Schrems I decision, where Mr. Schrems petitioned the Irish DPA to suspend cross-border data flows from Facebook Ireland to the United States, claiming there was inadequate protection of consumer data.[2] In the wake of events related to Edward Snowden, Mr. Schrems claimed that US intelligence agencies' power to surveil personal data being transferred into the US from abroad violated data privacy standards required by the EU.[3] The initial claim resulted in the Court of Justice of the European Union invalidating the former EU-US privacy framework called the Safe Harbor Framework.[4] The US and EU subsequently negotiated a new framework called the EU-US Privacy Shield to deal with transatlantic data flows.[5]

During this time, Facebook Ireland also transferred much of its data to Facebook US according to the new Privacy Shield.[6] Mr. Schrems amended his initial complaint and filed again with the Irish Data Protection Authorities, alleging that these transfers of data, even under the new Privacy Shield, still violated fundamental rights.[7] The Irish DPA referred the matter to the Irish High Court, which in turn requested a preliminary ruling on the compatibility of the EU-US Privacy Shield with the GDPR and EU law generally.[8] The CJEU issued the Schrems II judgement in July of 2020, effectively invalidating the Privacy Shield as it did not adequately provide the protections required under the GDPR.[9]

The Court was asked by the High Court of Ireland to interpret and rule on the validity of several issues, including what factors determine whether a non-EU country has adequate levels of protection for permitting data transfers to that country from the EU.[10] The Court also interpreted and ruled on the validity of an EU Commission Decision on the use of standard contractual clauses (SCCs) to allow cross-border data flows to third countries, as well as the validity of the EU-US Privacy Shield agreement itself.[11]

Regarding the issue of what protection levels were necessary for data transfers, the Court looked at the GDPR. The GDPR requires several elements to ensure that EU data flows received by a third country are protected, including adequate safeguards, enforceable rights, and effective legal remedies.[12] The Court noted that although the GDPR did not specify how to assess these elements in a country, Article 44 states that the rights guaranteed under the GDPR should not be undermined in any way when a data transfer to a third country is carried out.[13] As such, the Court determined that countries receiving data flows are required to maintain protections that are “essentially equivalent” to those found in the GDPR, although they are not required to be identical.[14] Thus, whatever third country the data flows entered would need some sort of legal mechanism to ensure that the rights regarding data privacy outlined in the EU Charter could be protected.

The Court then ruled on the issue regarding the Commission Decision on the use of SCCs, and whether these provided adequate levels of protection outside of an adequacy decision.[15] Generally, an adequacy decision must be issued by the Commission on a per-country basis to ensure that the country in question has sufficient safeguards. However, when an adequacy decision is not present for a country, the GDPR allows for transfers if there are other levels of safeguards, including by virtue of standard contractual clauses.[16] The Court here ruled that the SCC Decision is a valid mechanism allowing for the transfer of data.[17] However, it added a stricter requirement for SCCs where countries did not meet the aforementioned essentially equivalent standard, holding that data controllers must provide additional safeguards in contractual commitments that ensure full protection of data subjects’ rights.[18] This was drawn from recital 109 of the GDPR, which encourages data controllers to provide additional safeguards to supplement standard clauses when those are inadequate to cover all of the rights guaranteed by the GDPR.[19] As such, the current Decision regarding SCCs was valid, although further requirements would be imposed on data controllers to ensure compliance with the GDPR.[20]

Finally, the Court ruled on the issue of the validity of the EU-US Privacy Shield. Here, two US national security laws were at issue: Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.[21] These laws allowed intelligence agents of the United States to conduct surveillance, including the collection and analysis of personal data, for reasons of national security.[22] US intelligence agencies could accordingly surveil the personal data of EU citizens whose data was being transferred to the US. The Court looked at whether there were sufficient safeguards to limit US agents in their access to the data of EU data subjects. In doing so, the Court found that the mechanism for bringing complaints against US authorities in case of breach of these rights was insufficient.[23] The Privacy Shield allowed for an ombudsman to take complaints; however, the US courts did not provide for legal action against the government regarding these national security laws.[24] Due to its inability to provide equivalent protection in the United States as in the EU, the Court held that the EU-US Privacy Shield is incompatible with the GDPR and the EU Charter and is thus invalid.[25]

The Schrems II decision has already made a massive impact on EU-US trade and created issues over the future of data transfers, largely due to the fact that the Court is extending the application of EU data privacy laws extraterritorially.[26] The Court concluded that the EU Regulations in question require that the privacy rights of individuals in the EU must be afforded the required level of protection guaranteed under the EU Charter, even when data is being transferred to a third country.[27] Unless there is an adequacy decision between the EU and a third country allowing for the free flow of data, all transfers that cannot comply with protections required under EU law must be suspended.[28] As such, any third country business or data controller outside the EU is directly affected by the EU interpretation of its laws and faces an ultimatum of either meeting an incredibly high threshold set by the CJEU or taking its business elsewhere.

The fact that the EU is essentially forcing its own data privacy laws upon other nations and allowing its courts to rule on the adequacy of foreign domestic laws is not well received by many, especially in the United States.[29] An extraterritorial application of the GDPR in some ways signals that the EU feels its own approach to data privacy is simply superior to other regimes. This decision will likely cause much more difficulty for many businesses and disincentivize transatlantic trade, especially as digitization of information continues to become more common. The GDPR itself allows for exceptions to data privacy rights based on national security, yet the CJEU’s interpretation of similar exceptions in US law did not grant the same amount of deference. The very small chance of harm that may result from a hypothetical abuse by US intelligence agencies should not outweigh the devastating economic impact that the invalidation of another EU-US privacy agreement will have on both economies. Accordingly, it will likely be a sticking point in future trade relations between the US and EU until a new adequacy decision is launched, or the US passes a law essentially equivalent to the GDPR. This decision has major implications that affect not only the way the GDPR is interpreted and applied, but also the future of data privacy law in general, international trade, and EU-US relations.

[1] Schrems II landmark ruling: A detailed analysis. Norton Rose Fulbright. July 2020.

[2] Schrems I. International Association of Privacy Professionals. (2021). Retrieved December 14, 2021, from https://iapp.org/resources/article/schrems-i/.

[3] Id.

[4] Id.  

[5] EU. (2020). The CJEU judgement in the Schrems II. European Parliament.

[6] Id.

[7] Id.

[8] Case C-311/18, ECLI:EU:C:2020:559 (July 16, 2020) [hereinafter Schrems II].

[9] EU. (2020). The CJEU judgement in the Schrems II. European Parliament.

[10] Schrems II.

[11] Id.

[12] Id. at para. 92.

[13] Id.

[14] Id. at para. 94.

[15] Id. at para. 123.

[16] Id. at para. 128.

[17] EU. (2020). The CJEU judgement in the Schrems II. European Parliament.

[18] Id.; Schrems II at para. 135.

[19] Id. at para. 132.

[20] EU. (2020). The CJEU judgement in the Schrems II. European Parliament.

[21] Id.

[22] Schrems II at para. 180.

[23] Id. at para. 197.

[24] Id.

[25] Id. at para. 199.

[26] Tzanou, Maria, Schrems I and Schrems II: Assessing the Case for the Extraterritoriality of EU Fundamental Rights (October 13, 2020). Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty, Hart Publishing, Forthcoming, at 18.

[27] Schrems II at para. 203.

[28] Id.

[29] Tzanou, at 19.