Facebook is at the center of the “Schrems” case, which exposed contradictions between U.S. and EU data privacy rules and toppled the U.S./EU Safe Harbor (Schrems I). In Schrems II, Austrian Max Schrems challenges the adequacy of standard contractual clauses and the Privacy Shield (the replacement to the Safe Harbor). A recent opinion in Schrems II questions the adequacy of privacy protections guaranteed by the U.S. but for now preserves the Privacy Shield and standard contractual clauses as potential adequate means of transferring personal data from the EU to the U.S.
The opinion was issued on December 19, 2019 by the Advocate General (AG) of the Court of Justice of the European Union (CJEU), Henrik Saugmandsgaard Øe. To the relief of many, the opinion does not invalidate the use of standard contractual clauses or the Privacy Shield as methods for the transfer of personal data from the EU to the United States. The opinion does, however, highlight the continuing challenges that U.S. government surveillance practices pose to such transfers, and it puts controllers transferring data to the U.S. in the difficult position of having to ensure adequate protections despite the access rights U.S. law grants to government surveillance authorities.
Under EU law, personal data generally can flow out of the EU under three mechanisms:
- If the European Commission has decided that the receiving jurisdiction has an “adequate level of protection” for personal data of EU residents;
- If the transfer comes with “appropriate safeguards,” such as by incorporating standard contractual clauses issued by the European Commission containing privacy protections or transferring to a company certified under the EU/U.S. Privacy Shield;
- In certain other cases, such as when the data subject has given consent.
Concerning the first mechanism, the AG, unsurprisingly, wrote that he has doubts about “the validity of the finding that the United States guarantees, in the context of the activities of their intelligence services … an adequate level of protection.”
The AG’s opinion largely centered on the second mechanism, mainly on standard contractual clauses. While the validity of the Privacy Shield was called into question as part of Schrems II, the AG said the Schrems II case could be decided without adjudicating the Privacy Shield because the central question rests with standard contractual clauses. In 2010, the European Commission issued Decision 2010/87/EU, establishing standard contractual clauses as a data transfer mechanism. In Schrems II, Facebook justified its data transfers under that decision.
All Facebook users in the EU must enter into a contract with Facebook Ireland. Personal data is then transferred to and processed on Facebook, Inc.’s servers located in the U.S. Facebook Ireland relies on standard contractual clauses to justify these data flows. Max Schrems argues that the protections of personal data guaranteed by Articles 7, 8, and 47 of the EU Charter of Fundamental Rights are violated by provisions of U.S. law requiring companies to make personal data available to American intelligence authorities.
The case originated with a complaint to the Irish Data Protection Commissioner (Irish DPC). The Irish High Court referred 11 questions to the CJEU for a preliminary ruling, which it wanted answered before adjudicating Schrems’ complaint. The CJEU’s ruling is expected in early 2020. While the AG’s opinion is not legally binding, the CJEU typically follows the AG’s reasoning in its final decision.
While the AG’s opinion upheld the validity of standard contractual clauses, it does call into question how companies will be able to comply with EU privacy rules and requests for information from American intelligence services at the same time. The ultimate responsibility falls on the controllers. According to the AG’s opinion: “There is an obligation – placed on the controllers and, where the latter fail to act, on the supervisory authorities – to suspend or prohibit a transfer when, because of a conflict [between the clauses of the EU and the destination country], those clauses cannot be complied with.”
As the Irish DPC pointed out in a statement about the AG’s opinion, companies could also face added procedural complexity from fragmentation if the supervisory authorities of individual EU member states each have to get involved in assessing transfers.
With two decades of experience as a practicing attorney, Karin McGinnis, CIPP US, has handled a wide variety of privacy and data security matters for her clients, with a special emphasis on privacy and data security issues in the workplace. Ms. McGinnis’ privacy and data security experience includes counseling and litigation regarding misappropriation of trade secrets, violation of the Computer Fraud and Abuse Act and state computer trespass laws, common law privacy torts, discovery challenges posed by the Stored Communications Act, privacy of consumer financial information under Gramm-Leach-Bliley, and confidentiality rights concerning mental health consumers. Ms. McGinnis also handles a wide variety of data breach matters for her clients, including those involving PCI-DSS compliance, and has worked with the USSS and the FBI in investigating potential cyber-crime. She has assisted clients with drafting and creating data breach procedures, mobile device policies and agreements, FACTA Red Flag policies and procedures, online privacy policies, international ethics hotlines, international data transfer agreements, vendor agreements, and employee data security training. Ms. McGinnis is co-chair of the firm’s Privacy and Data Security Group.