If there is such a thing as a data protection hero, Max Schrems qualifies. He is the Austrian activist who has just scored his second major victory over Facebook and the European Commission, in defence of data protection rights.
This second victory is of direct relevance to the UK post-Brexit, because it sets the standards for data transfers from the EU to a third country (as the UK will become from 1 January 2021). The problem highlighted by the case is that our current surveillance laws may not meet the standards just established by the Court of Justice of the European Union (CJEU), which would cause us a severe data transfer problem from day one.
Schrems complained that Facebook Ireland, which is the data centre for Facebook in Europe, sent his data to Facebook servers in the US. In Schrems I (C‑362/14), this led to the invalidity of the then current safe harbour privacy principles (which permitted data transfers between the EU and the US), on the grounds that the US government was able to gain access to his data.
As a result, the European Commission replaced safe harbour with ‘Privacy Shield’ (2016/1250), and it was the adequacy of ‘Privacy Shield’ that formed the basis of Schrems II (C‑311/18), which has just been decided.
The case was heard by a full Grand Chamber, with four intervening parties, including the US government, and observations from 10 member state governments, including the UK. There were 11 questions referred by the Irish court to the CJEU for decision. The decision itself runs to 203 paragraphs.
Schrems won again, which is remarkable given the firepower ranged against him. The CJEU ruled that ‘Privacy Shield’ was also invalid.
In brief, EU citizens are entitled to appropriate safeguards, enforceable rights and effective legal remedies to ensure that personal data transferred to a third country are afforded a level of protection essentially equivalent to that guaranteed within the EU through the General Data Protection Regulation and the EU’s Charter of Fundamental Rights. US security agencies’ access to the data did not provide that.
After the safe harbour principles were declared invalid in Schrems I, and the case was referred back to the Irish court for further action, it emerged that Facebook Ireland transferred a large part of personal data to its US servers pursuant to standard data protection clauses, which are a permitted form of transfer to a third country (see decision 2010/87). Schrems argued that the use of such clauses did not invalidate his concerns about the lack of protection offered in the US – and he won on that ground, too.
Some of his concerns which were taken into account by the CJEU were, for instance, that the US National Security Agency (NSA) has access to data ‘in transit’ to the US, by accessing underwater cables on the floor of the Atlantic, and that it collects and retains such data before it arrives in the US, and without the NSA being subject in the US to the controls of the Foreign Intelligence Surveillance Act.
In addition, the CJEU found that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the fourth amendment to the US constitution determines in US law that the most important cause of action available to challenge unlawful surveillance does not apply to EU citizens. The US’s proposed alternative was insufficient.
This is obviously a major blow to the EU, and to EU-US relations, never mind to the billions of dollars in digital trade that are affected. It happened to come on the same day as another blow to the EU (but not to EU-US relations). This was a CJEU decision regarding another tech giant, Apple, in which the court ruled that Ireland did not have to recover the €13bn in tax advantages that it had granted Apple (cases T-778/16 and T-892/16). For all that, the EU is still the only major player trying to regulate the major tech giants, and with the clout to do so, as both cases show.
Schrems II also highlights why the CJEU will continue to be of importance to the UK even after the transition period finishes at the end of this year. Its decisions will govern aspects of data protection and data transfers. If in due course there is the equivalent of a Schrems III, involving the standards of data protection in the UK, it is the CJEU which will decide whether our standards are appropriate for EU data to be transferred to us. For better or for worse – and there are people on either side of that debate – the soft power of the EU can have major consequences.
Jonathan Goldsmith is Law Society Council member for EU matters and a former secretary general of the Council of Bars and Law Societies of Europe. All views expressed are personal and are not made in his capacity as a Law Society Council member nor on behalf of the Law Society.