16 July: the most important date of the year (for privacy people, that is…)

by: in Law

On Thursday, the Court of Justice of the European Union (CJEU) published a long-awaited tweet: Case C-311/18 #Facebook Ireland & #Schrems – Judgment to be delivered on 16th July 2020. This means that the Court in Luxembourg on 16 July will deliver its verdict in one of the most anticipated cases on privacy and data protection for years. The key question if the international flows of personal data can continue as we have come to do in recent years, or if major changes to the system are required. And that in turn may have an impact on many companies around the world.

What is the case about?
The court case is part of a long-running battle in various European courts between an Austrian privacy advocate, Max Schrems, and U.S. tech giant Facebook. It goes back to 2015, when Mr. Schrems also stood before the CJEU in a case dealing with the validity of the EU-U.S. Safe Harbor Agreement (allowing for the transfer of personal data from the EU to the U.S. under specific conditions). The Court at the time decided to nullify Safe Harbor, since it was not deemed to offer an adequate level of protection, not being essentially equivalent to the Data Protection Directive. In its ruling, the CJEU basically concluded that the U.S. legislation related to surveillance of electronic communications, as revealed by Edward Snowden and since confirmed by the U.S. administration, had too large an impact on personal data of people in the EU whose data were transferred to the U.S. Given this conclusion, Mr. Schrems raised his concern that a data transfer using so-called Standard Contractual Clauses (SCCs, an alternative legal arrangement to export personal data from the EU) would have a similar effect to a transfer under the Safe Harbor Agreement: no adequate protection would be offered. He therefore filed a complaint against Facebook - as a use-case - with the Irish Data Protection Commissioner (DPC), requesting that the transfer of personal data from Ireland to the U.S. using SCCs would be suspended. Suspension is one of the possibilities under data protection law for enforcement of the SCCs in case insufficient safeguards are available. Instead, the Irish DPC decided to file a separate case in court trying to suspend the SCCs altogether. This is the case that is now before the CJEU. The court will have to decide if the concept of model clauses can offer sufficient safeguards when transferring personal data to third countries.

Although the case is strictly speaking about the question whether or not to suspend the use of standard contractual clauses altogether, the case may also have an effect on the future of the Privacy Shield. The Privacy Shield is the Agreement between the EU and the U.S. that has come in the place of Safe Harbor. Since 2016, companies can self-certify against an extended list of criteria they will need to meet to allow for the free flow of personal data between the EU and the U.S. In addition, the Privacy Shield contains more extensive enforcement mechanisms, as well as better oversight on the U.S. side in relation to government surveillance. The oversight mechanisms for government surveillance have also been extended to data transferred from the EU to the U.S. using SCCs. This means that if the CJEU were to conclude that the safeguards offered by the U.S. specifically for data transferred using SCCs, this will likely have an immediate impact on the Court’s view of the adequate level of protection offered by the Privacy Shield. Questions asked by the judges during the hearing of the Schrems case on 9 July 2019 indicate the Court has at least an interest in the Privacy Shield, and may thus decide on its future as part of the SCC decision.

Why is this important?
In the past two decades, data has become an increasingly important asset for many companies around the world. The possibility to let data flow easily across borders helps many organisations in their business processes. Think about it: many companies have employees in multiple countries, but only one central HR department that would need access to the contact details of the employees, as well as their financial information to ensure salary payment. And think about customers: especially in these times of Corona, many European companies have turned to American service providers, from conferencing services to file storage and sharing services, that also involve the processing of personal data (contact details, IP addresses, etc.). And then of course there are the companies who have made data into their core business, from the online advertising industry to social networks. In short, without international data flows, the (online) economy will have a hard time to function properly.

You could argue that indeed these data flows should be able to take place without any problem. However, privacy and data protection in Europe are regarded as fundamental rights, and thus come with certain protections. One of these is that data cannot be exported to other countries if they can’t ensure our data is protected in a similar way as we do here in Europe. This is what we call an adequate level of protection. For some countries, the European Commission has decided they offer such an adequate level of protection across the board, thus taking away any obstacles for data flows. For other countries, only contractual safeguards between companies can be used. But how do you use a contract to protect data against interception of data by the intelligence and security services of a third country? That would be almost impossible, and that is exactly what is the problem in Mr. Schrems court case. He argues his data should not be allowed to leave the EU, because Facebook cannot ensure that the U.S. authorities will not intercept the data. By the way - in this case, the U.S. are just used as an example, because we know quite a lot about their surveillance practices since the Snowden revelations. It could be any other country in the world for that matter… 

What are the possible outcomes?
Of course, it is impossible to fully predict what the Court will say on 16 July. However, if previous judgments and the opinion of the Advocate-General in this case are seen as an indication of the direction of the verdict, it doesn’t bode well for the future of international data flows.

The most likely ruling will be that the Court upholds the system of the standard contractual clauses, meaning that contracts can still be used for international data flows. However, it is likely the Court will link this to the need for stricter assessments of the legal systems in third countries, to look for possible interferences with ‘our’ rights to privacy and data protection. Companies (and supervisory authorities) would then need to review what could go wrong with data in a third country and agree on additional safeguards to keep the data safe, like additional encryption. If a country is too risky, for example because of very active intelligence and security services, this could also mean that data should not be allowed to go to that country anymore. The supervisory authorities in this scenario would be given a bigger role to assess the situation in third countries, including an obligation to stop data flows if they are no longer satisfied with the protection of our fundamental rights. More work for the already overburdened data protection authorities…

It is interesting to see if the Court will once again give an assessment of the privacy situation in the U.S. In the 2015 judgement, the Court indicated the U.S. do not protect our personal data sufficiently, since the rules were not clear enough and because Europeans had hardly any possibility to get an independent review of the way their data was processed. The Advocate-General in his opinion seems to question the level of protection of personal data that is offered in the U.S. to data originating in Europe. He states there is no explicit need to rule - as part of this case - on the validity of the Privacy Shield, but goes on to state that if the Court were to do so, questions need to be raised on its validity “in the light of the right to respect for private life and the right to an effective remedy”.

If - and it is a big if - the Court would decide to nullify the Privacy Shield because data is not sufficiently protected in the U.S., this would have an immediate impact. It would basically mean that no data can go from the EU to the U.S., until a new agreement between the EU and the U.S. government is reached, which will not be easy with the current U.S. administration and in an election year. The standard contract option might not be a solution, since - as explained above, it largely relies upon the same U.S. safeguards to ‘protect’ personal data coming from Europe. Companies would therefore be wise to prepare for a number of scenarios, including the possibility to store data on European servers, at least for the time until a new agreement is struck between the EU and the U.S. Increasing encryption is also something to seriously consider: the better personal data is encrypted, the harder it is for third parties to access it, which means in turn it is still protected.

The verdict of the Court will be published in the course of 16 July on this website. A quicker option will likely be to follow Mr. Schrems’ Twitter account.

 Written by Paul Breitbarth, Visiting Fellow at ECPC, and Director of EU Policy and Strategy, TrustArc
 More blogs on Law Blogs Maastricht