Schrems II: What the latest challenge to transatlantic data transfers means for IT

When Max Schrems asked the Irish Data Protection Commissioner to stop Facebook Ireland transferring his personal information to the U.S. in 2013, he couldn’t have foreseen that it would put the personal data processing operations of thousands of other businesses in legal jeopardy.

Schrems’ 2013 complaint went all the way to the European Union’s top court, which in 2015 unexpectedly struck down the Safe Harbor Agreement on transatlantic data transfers. Thousands of businesses that had relied on this to justify their export of customers’ and employees’ personal data from the EU to the U.S. for processing suddenly had to seek alternate legal justification — or find data hosting and processing resources inside the EU.

The demise of Safe Harbor

EU data protection law says that personal information can’t be exported to a regime offering less protection than it has in the EU. Various legal mechanisms exist to extend that protection, including binding corporate rules for intra-group transfers, or standard contract clauses approved by the European Commission. Safe Harbor was one of these — essentially a declaration that, as long as businesses followed certain rules, the European Commission considered that U.S. law provided adequate protection.

After months of uncertainty following its demise, it was replaced by Privacy Shield, a new agreement between EU and U.S. administrations allowing transatlantic data transfers to resume.

However, it turned out that Facebook had never relied on Safe Harbor at all but rather on standard contract clauses to protect its data transfers under EU privacy law.

Schrems duly revised his original complaint about Facebook’s processing of his data to target standard contract clauses, and that complaint has once again made its way to the Court of Justice of the European Union amid speculation that it too could threaten businesses’ export of personal data to the U.S.

Judgment in this new case, which has become known as “Schrems II,” isn’t expected until early in 2020, but a public hearing on July 9 gave hints about how things could turn out.

Interestingly, Schrems isn’t the plaintiff in the case, but a defendant. The plaintiff is the Irish DPC, which filed suit against him and Facebook as a legal maneuver to obtain a ruling on matters of law raised by his complaint.

At stake is whether the U.S. government undertakes mass processing of the personal data of EU citizens when that data is held in the U.S., whether that form of surveillance is legal under EU privacy law, and whether standard contract clauses on data transfers provide adequate privacy protection for EU citizens.

Standard contract clauses in the crosshairs

Schrems and the DPC agree that U.S. surveillance laws breach fundamental EU privacy rights: Where they differ is on what can be done about it. Schrems wants the DPC to stop individual data transfers where standard contract clauses provide insufficient legal protection; the DPC says it has no power to do so.

The EU is seeking to make improvements in this area. European Commissioner for Justice Vĕra Jourová said on June 13: “We are already working to modernize standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”

Facebook, meanwhile, says that there’s no problem with its data transfers as the European Commission has already ruled, through its acceptance of the Privacy Shield data-sharing framework that replaced Safe Harbor, that U.S. surveillance laws pose no threat to EU citizens’ fundamental rights.

The adequacy of Privacy Shield, though, is the target of another legal challenge the court is mulling, this one from a group of French NGOs.

And there’s the rub: If the CJEU decides to take a very broad view of the French case or of the second Schrems complaint, as it did with his first, it could decide to invalidate the standard contract clauses used by Facebook and others, and Privacy Shield too.

Actions for CIOs

For CIOs and general counsel, then, it could be 2015 all over again. Some processing of EU citizens’ personal information in the U.S. could be outlawed overnight, leaving businesses to either stop it, find somewhere else to do it, or take a gamble on the consequences.

While there’s still time, CIOs need to figure out what personal information their organizations hold on EU citizens, whether they are processing it outside the EU, and what consent or legal justification they have for that processing. On the bright side, as long as their organization is in compliance with the EU’s General Data Protection Regulation (GDPR), which entered force on May 25, 2018, they should already have many of the answers at their fingertips.

The European Data Protection Board has produced a handy guide to the derogations provided by Article 49 of the GDPR that will help CIOs decide what to do next.

Some processing of personal information is always allowed, such as to comply with a contract to provide goods or services to the person concerned, or if the person has consented to the data transfer and has been made aware of the privacy risks involved. Again, organizations in compliance with GDPR will already have a record of which data they can transfer under these derogations.

For the rest, there are still a few months left in which to prepare technological responses to a potential data disaster that may never happen.