Schrems II v. Privacy Shield: Data Wars?

by attorney Dennis G. Jansen – the@GDPR.attorney

Max Schrems has made it to the Court of Justice of the European Union (“CJEU”), again. This July, the CJEU will answer the question of whether data protection in the USA is “adequate” for EU standards, again. The decision could have a major impact on digital trade between the EU and the USA. But how did we get here?

The first time Austrian citizen Max Schrems sued regarding Facebook’s privacy practice, the case ended up at the CJEU in Schrems v. Data Protection Commissioner (Ireland), case C-362/14, decided on 6 October 2015 (“Schrems I”). Schrems had argued “the law and practice in force in [the USA] did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by the public authorities.” (Schrems I at 28)

The Commissioner claimed that “he was not required to investigate the matters raised by Mr Schrems in the complaint, [and] he rejected it as unfounded. The Commissioner considered that there was no evidence that Mr Schrems’ personal data had been accessed by the NSA. (…) [A]nd the Commission had found in that decision that the United States ensured an adequate level of protection.” (Schrems I at 29)

The CJEU agreed with Schrems. With regard to the “Safe Harbor” legal framework of the USA (Decision 2000/520 of the European Commission), the CJEU decided: “without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.” (Schrems I at 98)

The court had explained how high the stakes are and how strict the standard of review of the European Commission’s decision is: “[I]n view of, first, the important role played by the protection of personal data in the light of the fundamental right to respect for private life and, secondly, the large number of persons whose fundamental rights are liable to be infringed where personal data is transferred to a third country not ensuring an adequate level of protection, the Commission’s discretion (…) is reduced, with the result that review of the requirements (…) should be strict (…)” (Schrems I at 78)

Since then a lot has changed. European privacy standards were raised and harmonised significantly with the introduction of the General Data Protection Regulation (“GDPR”) in 2018. Many countries around the world have taken the GDPR as an inspiration and model to improve their own privacy protections.

Not the USA. The USA has been increasing its global surveillance powers, especially via the CLOUD Act, also introduced in 2018. The European Commission has again decided that, with a new framework now called Privacy Shield, the USA provides an adequate level of data protection. The high requirements of the GDPR did not impact this decision of the European Commission. The introduction of the CLOUD Act has not impacted the Privacy Shield decision of the European Commission either.

Schrems is now in front of the CJEU again. And the question is no less than whether, and to what extent, the USA and its companies must be quarantined from data processing. Will GDPR authorities act against the use of US providers? And the reach of US government access is constantly extending. Under some US case law, in certain cases not only all members of US corporate groups, but even an entire corporate group with no more than a subsidiary in the USA could be impacted by the CLOUD Act and other US government access.

Some expect things will go on as usual: The European Commission will create a third insufficient adequacy decision, following Safe Harbor and, likely, Privacy Shield. New Standard Contractual Clauses will be released to fix those if needed, and all data can keep flowing to the USA and its agencies. But sooner or later courts and supervisory authorities are bound to intervene. And it might just be now.

Further, international agreements of other countries with the USA under the CLOUD Act “infect” them with direct US government access, lowering their privacy standards arguably below GDPR levels. And the UK – going beyond Brexit – has signed a CLOUD Act agreement with the USA, allowing the US government direct access to data held by UK providers. Hence a kind of digital quarantine for US clouds could extend not only to the USA, but also to the UK and other countries that sign CLOUD Act agreements with the USA.

My research suggests removing US providers and their subsidiaries is a safe option for GDPR compliance. Considering the dominance of US corporations such as Amazon AWS, Google, and Facebook, woven into most data processing, removing US providers from the equation could be an immense challenge. But data (sovereignty) wars are also an immense opportunity for better privacy and other legal protections, not just for EU citizens. And all non-US providers stand to profit.

Another issue possibly not yet on many people’s radar is whether US global surveillance powers could also impact trade secrets under EU Directive 2016/943. Whether through GAIA-X, A1 Digital, or a project of the Lidl parent group, the EU is preparing for the “worst”: more privacy and data sovereignty.

In conclusion, the impact of Schrems II on EEA-US trade and on EEA businesses using US services should not be underestimated. Now is an ideal time to look into the decision’s possible impact and start preparing your response. Once the decision is published, time with the best experts will be a rare commodity.