In exactly one week, on the 16th of July, the judgment in one of the most anticipated cases in data protection, case C-311/18 — Facebook Ireland versus Schrems — will be delivered by the EU Court of Justice (ECJ). What’s at stake is whether international flows of personal data to and from the EEA can continue as they do now, or whether major changes will be required. The verdict in the groundbreaking "Schrems 2.0" case will dictate whether the widely used Standard Contractual Clauses (SCCs) and the EU/USA Privacy Shield will remain a valid means of transferring personal data to countries outside the EEA under the EU’s GDPR. As these mechanisms are used for a large majority of international data transfers, this may in turn have a large impact on organisations around the globe. In preparation for the case, we analyse the road so far, and what the possible outcomes could mean for your organisation in regard to data privacy.
Background and impact
The case started with a complaint by activist Max Schrems to the Irish Data Protection Commissioner (DPC). Mr Schrems argued that the transfer of his personal data from Facebook Ireland to its parent company Facebook Inc. in the USA on the basis of SCCs did not protect his fundamental rights under EU law, because under United States law Facebook Inc. is required to make the personal data of its users available to USA authorities.
This case is set against the backdrop of an earlier ECJ case involving Facebook initiated by Mr Schrems (also known as Schrems 1.0), which resulted in the invalidation of Privacy Shield’s predecessor, Safe Harbor. Similar issues were raised in this previous case and the United States has in response taken steps to show the adequacy of the remedies available to EU citizens (such as appointing a Privacy Ombudsman).
In December last year, the Advocate General (AG) advised the ECJ to keep SCCs a valid mechanism to transfer personal data to countries located outside the EEA (regardless of the level of data protection there). However, the AG also suggested new obligations for data protection authorities and data controllers using SCCs: data controllers should conduct a detailed examination of the circumstances surrounding each transfer and the parties processing the data before using the SCCs, while DPAs should suspend data transfers under the SCCs when they find there is a lack of protection.
While the AG did not want to take a formal decision on the validity of Privacy Shield, he did express concerns over it. His concerns were about whether the safeguards surrounding American surveillance are equivalent to those under GDPR, and whether the Privacy Ombudsperson can compensate for any insufficiencies in the protection of data subjects whose personal data is transferred to the United States.
Even if the Court does not touch upon Privacy Shield, the mechanism is not out of the woods yet. Parallel to this case, French activist group La Quadrature du Net is trying to invalidate the Privacy Shield before the ECJ because the mechanism might fail to uphold fundamental EU rights in light of the USA’s mass surveillance practices.
The AG’s opinion is not binding. However, in most cases the ECJ follows the opinion of the Advocate General. Mr Schrems suggested that a difference between the AG conclusion and the final judgement of the ECJ is “very likely”, as “The [ECJ] judges seemed to be much more critical of US law and the assessment by the European Commission [on installing the Privacy Shield as a mechanism for EU/US transfers] than the Advocate General.”
Preparing your organisation for either outcome of the case
Regardless of the outcome, organisations should take action whilst waiting for the final judgement in both the Schrems v. Facebook Ireland and La Quadrature du Net v Commission cases:
▢ Inform your management about the case and why it’s important
This situation may require additional resources and manpower, about which management needs to be informed.
▢ Scour your processing register
Identify where you are relying on SCCs and the Privacy Shield, for both internal and external data transfers, to scope the amount of work required.
▢ Check your contracts
The Data Processing Agreements with third party vendors relying on SCCs and Privacy Shield might contain wording that switches to already existing alternative grounds (e.g. BCR, certification) for international transfer if either SCCs or Privacy Shield is declared invalid. This might limit the scope of work significantly.
▢ Refrain from relying on SCCs and Privacy Shield - for now
While the outcomes in both cases remain uncertain, refrain as much as possible from using both mechanisms until more clarity is provided on the matter. If you are to rely on either mechanism, add alternatives to your contracts.
▢ Reconfigure data storage and access to data
If SCCs or Privacy Shield are declared invalid, or if organisations are required to make detailed assessments of privacy protection under laws in third countries, it could become increasingly difficult to transfer data internationally. Therefore, storing data within the EEA and limiting access to the EEA may provide a solution.
▢ Research alternative vendors in the EEA
To avoid the issue of international transfer altogether, it might be worth researching alternative vendors in the EEA.
While there is no set time frame for a decision by the ECJ, the Court issued its final decision in Schrems 1.0 within only 13 days of the AG’s opinion. When the full Court follows the direction of the AG, a final decision can thus be issued quickly. The fact that it will have taken the Court several months to reach a decision - even with a global health crisis going on - signals the importance of this case and the possibly revolutionary outcome it might have. However the ECJ ultimately rules in Schrems II, the judgment can be eagerly awaited as likely representing a landmark in the law of international data transfers.