The Data Must Flow: Schrems II and a Roadblock in the Commoditization of Data

A recent decision from the Court of Justice of the European Union significantly complicates the ability of U.S. companies to transfer EU citizens’ personal data from the EU to the United States.

The Court of Justice of the European Union in Luxembourg.  Photo: Cédric Puisney.

BY: Vineet Surapaneni, Staff member


Before the modern internet era, an international company’s primary concern may have been transporting its raw materials and finished products across borders and oceans. Nowadays, such companies are less concerned with physical commodities such as copper and crude oil and more concerned with a new commodity: data. Access to user data is vital to many companies’ bottom lines, which is why the Court of Justice of the European Union’s (CJEU) recent decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18, Schrems II) sent shockwaves across the global economy.

The saga began with Edward Snowden’s 2013 disclosure of classified National Security Agency (NSA) material, which revealed the existence of U.S. national security surveillance programs. The revelation that the United States was monitoring, or had access to, the personal data of non-Americans prompted Max Schrems, then a law student, to file a complaint with the Irish Data Protection Commissioner (DPC). Schrems argued that the U.S.-EU Safe Harbor Framework violated EU data privacy law and that Facebook, whose European headquarters are in Ireland, should be prohibited from transferring his personal data (and the personal data of every EU Facebook user) outside the European Economic Area (EEA). The Safe Harbor Framework set out the privacy protections that companies like Facebook had to follow when transferring personal user data out of the EEA, including self-certification of compliance with certain privacy principles. The Irish DPC rejected Schrems’ complaint, reasoning that the European Commission’s 2000 decision finding Safe Harbor adequate bound it, but the Irish High Court granted Schrems’ subsequent application for judicial review and, in 2014, referred the case to the CJEU.

In 2015, the CJEU held in Schrems I (Case C-362/14) that the Safe Harbor Framework did not adequately protect transferred personal data from U.S. government interference and failed to give EU citizens any means of judicial redress against such interference. Because the Safe Harbor Framework therefore failed to conform to EU privacy law and the EU Charter of Fundamental Rights, which guarantee the rights to privacy, to data protection, and to an effective judicial remedy, the CJEU invalidated the Commission’s Safe Harbor adequacy decision.

In response to Safe Harbor’s invalidation, companies including Facebook turned to standard contractual clauses (SCCs), model contracts approved by the European Commission specifically to authorize data transfers, to keep data flowing out of the EEA. In 2016, the U.S. and EU quickly negotiated and implemented Privacy Shield, a framework meant to correct Safe Harbor’s deficiencies. Despite this effort, companies could still self-certify their adherence to privacy principles and transfer data out of the EEA. Following its adoption, over 5,300 U.S. companies transferred data out of the EEA under Privacy Shield.

Following the CJEU’s decision in Schrems I and the implementation of Privacy Shield, Schrems filed an amended complaint with the Irish DPC, again challenging Facebook’s transfer of personal user data out of the EEA to the U.S. He argued that Facebook could not rely on SCCs to satisfy its privacy obligations under EU law because the U.S. government could still access his personal data, whatever mechanism it was transferred under. The DPC took the view that U.S. law did not provide EU citizens adequate remedies, namely judicial redress, and that SCCs, being contracts between private parties that do not bind U.S. authorities, could not cure that defect. The DPC asked the Irish High Court to refer questions on the sufficiency of SCCs to the CJEU, which it did in 2018.

The CJEU released its decision in Schrems II on July 16, 2020. The opinion set out how the EU’s General Data Protection Regulation (GDPR) governs transfers of personal data out of the EEA. GDPR, adopted in 2016 and applicable since May 2018, provides that EU privacy protections travel with the data. Under Article 45, personal data may be transferred to a non-EEA country on the strength of a European Commission finding that the country ensures “an adequate level of data protection,” which the court read to mean protection “essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter.” Absent such a finding, Article 46 permits transfers only where the exporter provides appropriate safeguards, such as SCCs. The CJEU held that SCCs remain valid, but that an exporter relying on them must verify, case by case, that the law and practice of the destination country do not undermine the protection the clauses promise, must adopt supplementary measures where they do, and must suspend the transfer where essentially equivalent protection cannot be ensured.

The CJEU then went beyond the questions referred and examined the validity of Privacy Shield, which it found wanting. The court found that U.S. surveillance programs, citing Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, were not limited to what is strictly necessary, and that EU citizens whose data was transferred under Privacy Shield had no effective right of redress in U.S. courts. Though the United States and the EU had created an administrative remedy in the form of a designated ombudsperson, a U.S. under secretary of state, the CJEU found this insufficient because the ombudsperson was not independent of the executive branch and had no power to adopt decisions binding on the intelligence agencies. For these reasons, the CJEU invalidated Privacy Shield but left SCCs standing, at least for now, and only so long as the protections in the destination country meet the standards the court described.

After the decision, the United States quickly indicated that it planned to work with the EU to “limit the negative consequences [of the decision] to the $7.1 trillion transatlantic economic relationship.” In the meantime, the timeline for compliance is unclear: European data protection authorities have issued guidance, and the European Data Protection Board’s initial FAQ states that there is no grace period, but the CJEU itself said nothing about one. The Irish DPC has already begun notifying companies that they must suspend data transfers; in response, Facebook filed an application for judicial review of a preliminary suspension order on September 11, 2020. The invalidation of both Safe Harbor and Privacy Shield signals that the CJEU’s problem with data transfers to the United States is not skin-deep: it appears unlikely that the court would approve any blanket data transfer agreement absent substantial changes to U.S. data privacy law and national security surveillance programs.

The Schrems II decision was a surprise, leaving thousands of U.S. companies that had participated in Privacy Shield in the lurch, thrust into an uncertain legal position that jeopardizes their data transfers and, by extension, their business models. Those companies will now also think twice before resorting to SCCs, because doing so makes them responsible for ensuring that legal protections in the destination country accord with EU law and that surveillance there is limited “to what is strictly necessary.” An alternative may be keeping EU citizens’ data within the EU, but this would be expensive to maintain and would likely fragment service offerings by region; it also helps only if the data is not then accessed from the United States, since remote access from a third country is itself treated as a transfer. Another option is to wait it out, since the United States and EU will likely attempt to negotiate a third framework to govern data transfers. For his part, Max Schrems believes that enforcing compliance with EU data protections is less a legal issue than a means of sending a message that companies cannot ignore data privacy laws. It is not inconceivable that American companies will have to compete against homegrown EU competitors that are not subject to data transfer restrictions and can therefore offer superior services to EU citizens.

Whatever the short-term impact, it is clear that companies will have to rethink how they use personal data as they navigate an increasingly complex compliance environment, perhaps by setting up local servers in the EU, fragmenting their service offerings, or even withdrawing from the EU altogether.

Vineet Surapaneni is a second-year student at Columbia Law School and a Staff member of the Columbia Journal of Transnational Law. He graduated from the University of Texas at Austin in 2014.
