Privacy Shield and a Date With Justice
- August 15, 2020
- Clayton Rice, Q.C.
On July 16, 2020, the Court of Justice of the European Union released the much anticipated judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, Case C-311/18, striking down the trans-Atlantic data transfer agreement called Privacy Shield. The ruling is the latest development in the campaign by European privacy hawks to block the transfer of their information to countries with inadequate data protection laws. Here’s the story.
The General Data Protection Regulation (GDPR) of the European Parliament governs the protection of natural persons regarding the processing and free movement of personal data. It provides that the transfer of such data to a third country may only take place if the third country ensures an adequate level of protection. An adequate level of protection may be grounded in a third country’s domestic law or international commitments. In the absence of an adequacy decision by the Data Protection Commissioner, a transfer may only take place if the personal data exporter in the European Union (EU) has provided appropriate safeguards. The appropriate safeguards may arise from standard data protection clauses, provided that data subjects have (a) enforceable rights and (b) effective legal remedies.
2. Maximillian Schrems and Edward Snowden
Maximillian Schrems is an Austrian national, residing in Vienna, and a Facebook user since 2008. As with other users in the EU, his personal data is transferred by Facebook Ireland to its servers in the United States. His first complaint, filed with the Irish supervisory authority, sought to prohibit the transfers, claiming that the law and practices in the United States did not provide sufficient protection against data access by public authorities. On October 6, 2015, the CJEU held that the United States did not ensure an adequate level of protection under the former data-transfer agreement called Safe Harbour. That ruling is generally referred to as Schrems I. The genesis of Schrems I was rooted in the disclosures by former National Security Agency (NSA) contractor Edward Snowden about the pervasiveness of US national security surveillance programs. Mr Schrems’ complaint was that Facebook Ireland could be ordered by the US government to send his personal communications to the NSA. The ruling in Schrems I effectively invalidated the Safe Harbour regime.
3. Privacy Shield
Following the CJEU ruling in Schrems I, the United States and the European Union hastily negotiated a new data-transfer agreement called Privacy Shield. The posturing was that the new regime contained stronger protections that answered the CJEU’s concerns. Not so – said La Quadrature du Net, a digital rights advocacy group based in Paris. LQDN filed a challenge to the new agreement with the CJEU. Mr Schrems joined the attack separately by initiating a companion challenge to the standard contractual clauses used by Facebook after the collapse of Safe Harbour and before Privacy Shield was adopted. He asserted that the NSA was just as likely to scoop his data under the standard clauses as it was under the intergovernmental Safe Harbour framework. The CJEU judgment released on July 16, 2020, is now called Schrems II.
4. The Ruling
I will comment on three aspects of the ruling: (a) the applicability of the GDPR to the transfer of personal data to an operator in a third country; (b) whether the standard clauses vindicated Europeans’ privacy rights; and, (c) the rights of redress when personal data is accessed by state intelligence agencies such as the NSA.
First, the CJEU asserted that privacy protections under the GDPR attach to personal data that is transitioned outside member states. “[A] transfer cannot fall outside the scope of the GDPR,” the court held at para 88, “on the ground that the data at issue is liable to be processed, at the time of that transfer or thereafter, by the authorities of the third country concerned, for the purposes of public security, defence and State security.” The application of the “stringent” GDPR rules, rather than “more nuanced” standards developed by the European Court of Human Rights, or contained in the constitutional law of member states, was characterized by Adjunct Professor Kenneth Propp and Professor Peter Swire in a post to Lawfare as “a nakedly extraterritorial assertion of EU jurisdiction.”
Second, the court held at para 105 that the GDPR must be interpreted to mean that the appropriate safeguards, enforceable rights and effective legal remedies required by Articles 46(1) and 46(2)(c) “must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed” within the EU by the GDPR read in light of the jurisprudence under the Charter of Fundamental Rights of the European Union. Article 8 of the Charter contains “the right to the protection of personal data”. An assessment of the level of protection must take into account the contractual clauses agreed between the data exporter and the data recipient, and the legal system of the third country.
Third, the court examined whether individuals whose personal data was transferred to the US under the Privacy Shield framework, and accessed by the NSA, enjoyed rights of redress in US courts. The CJEU concluded that authorization of surveillance by the US Foreign Intelligence Surveillance Court (FISC) did not constitute judicial review in every case. There are two points here, discussed by the CJEU at paras 179-180, that merit emphasis. First, the FISC does not authorize individual surveillance but, rather, bulk collection programs such as PRISM and UPSTREAM. The supervisory role of FISC does not therefore cover the issue of whether individuals are properly targeted for the acquisition of foreign intelligence information. Second, s 702 of the US FISA Amendments Act does not prescribe “any limitations on the power it confers to implement surveillance programs”, contrary to the principle of proportionality. The surveillance programs are not limited to what is strictly necessary.
5. The Impact
The immediate impact of the ruling appeared to be one of uncertainty, although this outcome was anticipated by many in the United States and Europe. More than 5,000 companies used the Privacy Shield regime to facilitate the movement of data. In an article published in The New York Times edition of July 16, 2020, titled E.U. Court Strikes Down Trans-Atlantic Data Transfer Pact, Adam Satariano wryly commented that the impact was not immediately clear “beyond creating a dizzying amount of new work for corporate legal departments.” Before the decision was released, however, plans were in place to ensure the inter-regional continuity of commerce and European officials “will now try to negotiate a new deal for transferring digital information.”
Although Schrems II affects tech behemoths like Facebook and Google, it also impacts thousands of smaller multinational corporations. The data subject to EU transfer rules includes a vast array of digital communications including emails, social media posts, business records and marketing databases. According to Mr Satariano, “[b]usiness groups have called for a grace period that would allow companies to find new legal mechanisms to continue moving data.” Mr Schrems, who founded the European Center for Digital Rights in 2017, styled as NOYB (None Of Your Business), released a statement after the ruling: “It is clear,” he said, “that the US will have to seriously change their surveillance laws if US companies want to continue to play a role on the EU market.”
6. Lingering Controversy
The Schrems II ruling will reshape the tension between the overreach of the US national security apparatus and the global flow of data. No other conclusion is reasonable given the finding that US bulk data collection practices are disproportionate. The judgment also undermines standard contractual clauses by empowering national data protection authorities to prevent transfers to countries where there is a risk of access by national security agencies. The result provoked a hostile response from some national security experts who described the ruling as “European overreach”. Propp and Swire suggested that “[i]t is time for Europe to shine an enforcement spotlight on data transfers from its territory to authoritarian countries and other countries that lack the rule-of-law safeguards present in the US system.” They put China and Russia under the spotlight.
In another, somewhat vitriolic post to Lawfare, Stewart Baker, former NSA general counsel, found it “astonishing that a European court would assume it has authority to kill or cripple critical American intelligence programs by raising the threat of massive sanctions on American companies.” Mr Baker suggested that the US should “impose tariffs and other import restrictions” to force the EU to walk it all back. “We are always a little inclined to think,” he said, “that maybe Europeans have something to teach us about privacy and human rights, so righteous American anger about intrusion on our sovereignty has been slow to ignite. But now is the time to show Europe that the US is serious about keeping in place effective counterterrorism measures – and keeping the right to write US laws without getting permission from European governments.”
In a measured reply posted to Lawfare, Professor Henry Farrell and Professor Abraham Newman asserted that it isn’t the CJEU’s judgment or European privacy policies that should be revised. “What needs to change,” they said, “is how US policymakers think about national security and surveillance in a world of global information networks.” The US can no longer “behave like a unilateral, imperialist power in an interdependent world.” If Schrems II shows us anything, it is this – unilateral strategy has reached its limits. Interdependence creates vulnerabilities and, as Farrell and Newman argue, fixing these vulnerabilities will require deeper international cooperation with like-minded democracies. “America’s security isn’t being undermined by Europe’s privacy demands,” they said. “Instead, engaging these demands could provide politically robust foundations for the security architecture that both America and its allies need to confront the new threats associated with a changing world.”
There is an increasing international resistance to the US assumption that it may engage in surveillance without consequences. As pointed out by Farrell and Newman, the security-dominated relationship of the post-9/11 world has now been pushed aside by EU judges “who are more difficult to bully than the European negotiators”. The fundamental problem is not European imperialism, but American imperialism – the assumption that it can impose its national security requirements on allies without making concessions or sustaining any costs.
Didier Reynders, the European Commissioner for Justice, succinctly described Schrems II as “another stepping stone in our commitment to ensuring that personal data is fully protected in the EU and its transfers outside of the EU.” Inherent in transfer protection is the concept that EU citizens retain a privacy interest in their personal data under Article 8 after it is jettisoned by an exporter. The jurisprudence of the CJEU is therefore analogous to that of the United States Supreme Court and the Supreme Court of Canada, developed under the Fourth Amendment to the Constitution of the United States and s 8 of the Canadian Charter of Rights and Freedoms, in their landmark rulings in Carpenter v US and R v Marakah. Privacy means more than physical control.