Facebook Data Case: EU Bans Data Transfers to US
Maximilian Schrems is at it again. At 09:00 today (16 July 2020) the Court of Justice of the European Union (“CJEU”) delivered its judgment in the case of Data Protection Commissioner v Facebook Ireland & Schrems, better known as Schrems II. This follows the infamous case in October 2015, known as Schrems I, where the CJEU abolished Safe Harbor; he has now successfully brought down its replacement, Privacy Shield.
The case is really important because it automatically prevents businesses from relying on Privacy Shield to safely transfer data between the EU and the US.
Any business relying on Privacy Shield must take immediate steps to stop doing so and must either find another lawful method of transferring personal data or stop transferring it. The decision will have significant implications for the likes of Facebook, Google, Amazon and Apple, all of whom rely on Privacy Shield.
Why has the CJEU taken this decision?
It is a really controversial outcome and it is impossible to separate the legal debate from the closely connected political connotations. It is also notably different from the Advocate General’s opinion, which reached a different conclusion.
The CJEU has determined that Privacy Shield does not offer adequate protection to EU citizens (for the purpose of this article, this includes UK citizens) where their personal data is transferred to the US.
They have reached this decision because they do not believe that EU citizens have a sufficient mechanism to challenge what happens to their data, in particular where it is, or may be, processed in a way not consistent with the requirements of GDPR or the EU Charter. The decision is critical of the ombudsperson system created by Privacy Shield, essentially describing it as ineffective.
What about standard contractual clauses?
The CJEU has stopped short of abolishing standard contractual clauses, which is good news for many businesses as they are the preferred method of transferring personal data outside of the EU. However, the CJEU has justified its decision in a way which should make many businesses feel uneasy.
The justification for keeping standard contractual clauses is that the onus is on the parties to the contract to verify that the country in which the data recipient is located applies its national law in a way which is essentially equivalent to GDPR. This is, in reality, very hard to establish, and for any business based in the US it is almost impossible to achieve in light of the fallout from the rest of the CJEU decision, which categorically identifies US nationalistic security interests as being incompatible with GDPR.
While some US states have started to implement laws which take the US closer to a GDPR regime (notably California, with the California Consumer Privacy Act), none has anything which is equivalent.
Is this a political decision?
There are undoubtedly political undertones to this decision. The Privacy Shield negotiations that took place in 2015 were fraught with political tension between the US administration and the EU Commission, and at many times it looked as though agreement would not be reached.
Ultimately, the US administration would not budge on its ability to interfere with personal data processed within its jurisdiction for national security purposes. These hurdles were overcome by the introduction of the ombudsperson regime, but the CJEU has been very critical of this.
They also challenged the idea set out in Privacy Shield that US national security, public interest and law enforcement have primacy to the extent they condone interference with data.
Get in touch
If you would like to discuss any of the issues raised in this article, or need any advice, please contact Matthew Holman.