Privacy advocates have long argued that organizations with global customers must do more than just comply with the data protection laws in their home countries.
At the heart of their argument is the fact internet technologies (and cloud services in particular) support cross-border data transfers into multiple jurisdictions.
Therefore, they believe the data protection laws in each region should apply.
Maximilian Schrems, a high-profile Austrian privacy advocate and lawyer, has brought several cases to EU courts to change rules for cross-border data transfers.
And, in some cases, he’s been very successful.
In his campaign against Facebook, Schrems successfully argued that because personal data transferred to and/or stored in the U.S. could potentially be accessed by U.S. intelligence agencies, such data activities violated EU privacy laws – including the EU’s General Data Protection Regulation (GDPR).
He is best known for a case heard by the Court of Justice of the European Union (CJEU) listed as Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, more commonly known as the Schrems II decision.
On July 16, 2020, the CJEU ruled the EU–U.S. Privacy Shield was invalid.
While the court upheld the system of standard contractual clauses (SCCs) at the time, which allowed for data transfers from the EU to other countries, the validity of SCCs was still questioned.
The impact of the Schrems II decision was essentially global, triggering a major rethink of how organizations manage compliance with data protection laws in multiple jurisdictions.
Read on to learn more about how the Schrems II decision came about and how it changed international data transfer frameworks.
Timeline of EU Data Law Reviews and the Schrems I Decision
The Schrems I decision was a significant victory for Maximilian Schrems in his long-running battle, fought in various European courts, with U.S. technology businesses over stricter enforcement of EU data privacy laws.
Key dates related to the Schrems I decision include:
- October 24, 1995 – the European Parliament passes the Data Protection Directive to encourage the free movement of personal data, while providing protections of individual rights. It contains rules for adequacy of protection when data is transferred outside the EU.
- July 19, 2000 – the U.S. Department of Commerce issues its International Safe Harbor Privacy Principles and sends them to the European Commission.
- July 26, 2000 – the European Commission issues its adequacy decision on the International Safe Harbor Privacy Principles.
- June 2013 – international media begin reporting on documents brought to light by U.S. intelligence whistleblower Edward Snowden about the NSA’s surveillance of electronic communications and extensive data collection activities. These revelations are later confirmed by the U.S. administration.
- June 2013 to June 2014 – Maximilian Schrems files several lawsuits against Facebook in courts across Europe, claiming his personal data is not adequately protected.
- June 25, 2013 – Schrems lodges a complaint with the Irish Data Protection Commissioner (DPC) because Facebook’s European headquarters are based in Ireland. He wants the Irish DPC to investigate Facebook Ireland Ltd’s data transfers from its EU HQ in Ireland to its servers in the U.S., amid growing concerns about the NSA’s surveillance activities.
- July 26, 2013 – the Irish DPC rejects Schrems’ complaint as vexatious. Schrems then applies for, and is granted, a judicial review in the Irish High Court.
- June 18, 2014 – the Irish High Court decides to adjourn Schrems’ case and refers it to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
- March 24, 2015 – the CJEU begins hearing Schrems’ test case against Facebook (now commonly known as Schrems I).
- October 6, 2015 – the CJEU rules the Safe Harbor framework is invalid because it does not meet the adequacy standard: the protection it offers is not essentially equivalent to that of the Data Protection Directive.
The short-lived EU–U.S. Privacy Shield Framework
Immediately following the CJEU’s decision on Schrems I, the U.S. Department of Commerce, the European Commission and the Swiss Administration began co-designing the EU–U.S. Privacy Shield.
It was intended to help organizations comply with EU data protection rules when transferring personal data to the U.S. from the EU.
On July 12, 2016, the European Commission announced the EU–U.S. Privacy Shield met adequacy requirements under EU law.
On January 12, 2017, the Swiss Government also announced the Swiss–U.S. Privacy Shield framework met Swiss privacy requirements when transferring personal data to the U.S. from Switzerland (which is not an EU member).
After Schrems I: A test of standard contractual clauses for data transfer
The CJEU’s decision that the Safe Harbor Privacy Principles did not guarantee individuals in the EU protections against U.S. surveillance motivated Schrems to resubmit his complaint with the Irish DPC.
In his next filing, he raised concerns about standard contractual clauses (SCCs) used by Facebook (and other organizations), which are an alternative legal arrangement to export personal data from the EU.
He argued SCCs would have a similar effect to a transfer under the Safe Harbor framework, so no adequate protection would be offered.
In his filing, he requested that transfers of personal data from Facebook Ireland to Facebook Inc. in the U.S. under SCCs be suspended.
Suspension is one of the enforcement options data protection law provides for SCCs when sufficient safeguards are not available.
Instead, the Irish DPC decided to file a separate case in court trying to suspend or invalidate the use of SCCs altogether.
Timeline of the Schrems II Decision
Maximilian Schrems’ second big case against Facebook aimed to block it from relying on SCCs to sidestep EU data protection rules when transferring data to the U.S. from the EU.
The Irish Data Protection Commissioner then also brought a case against Facebook.
Below are some key dates related to what is now known as the Schrems II decision:
- December 1, 2015 – Schrems resubmits his complaint against Facebook Ireland Ltd to the Irish DPC, arguing it is relying on SCCs to transfer personal data to the U.S. from its European headquarters in Ireland. He also files similar complaints with data protection authorities in Germany and Belgium, which both claim some jurisdiction over Facebook.
- February to March 2017 – the Irish High Court reviews Schrems’ complaint.
- October 3, 2017 – the Irish High Court issues its judgment to refer the case to the CJEU for a preliminary hearing.
- April 12, 2018 – the Irish High Court submits an extensive referral of the case to the CJEU, detailing 11 questions for the CJEU to address.
- May 25, 2018 – the EU’s General Data Protection Regulation (GDPR) comes into force. Schrems then files additional complaints in Ireland that Facebook’s data transfer activities are not GDPR compliant.
- July 2019 – the CJEU begins hearing the case listed as Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems. The case is popularly called Schrems II.
- December 19, 2019 – the advocate general (AG) of the CJEU, Henrik Saugmandsgaard Øe, publishes his opinion on Schrems II, stating the SCCs are valid. (See below for a summary of the Schrems II AG opinion.)
- July 16, 2020 – the CJEU publishes its ruling on Schrems II: the EU–U.S. Privacy Shield is held to be invalid; the SCCs are upheld as valid; however, the CJEU notes the SCCs need modernizing, in line with the GDPR and other international data protection requirements.
Schrems II AG Opinion: Key Findings
The CJEU advocate general’s opinion on the Schrems II case stated SCCs are valid.
Henrik Saugmandsgaard Øe AG noted:
- SCCs provide contractual safeguards to guarantee the appropriate level of protection when personal data is transferred, regardless of the destination country.
- The purpose of SCCs is to ensure the data exporter and importer compensate for any data protection deficiencies in another country.
- Whether SCCs are adequate cannot depend on the extent of data protection guaranteed in another country.
- Under the EU Charter of Rights, if the clauses could be breached or are impossible to honor, any data transfers covered by SCCs should be suspended or prohibited.
- The main case brought before the CJEU related to the validity of SCCs, therefore any findings on the validity of the EU–U.S. Privacy Shield must not influence the main case.
Schrems II case summary: SCCs
The CJEU’s decision on the Schrems II case closely followed the AG’s opinion in its ruling on SCCs:
- One of the main questions of the Schrems II case was whether the use of SCCs to govern international data flows should be possible at all.
- The CJEU confirmed SCCs can be used – but it has tightened the rules for their use.
- National security is recognized as a possible necessary limitation to the fundamental right to data protection, including in the SCC decision itself.
- Therefore, the existence of national surveillance laws in another country should not be problematic, in principle.
- The level of protection afforded by SCCs must be assessed by data exporters and importers.
- The court referenced GDPR Article 44 (the general principle for transfers), which states the level of protection of natural persons when their personal data is transferred abroad cannot be undermined – regardless of the method used to transfer personal data (e.g. adequacy decisions, contractual safeguards and binding corporate rules).
- Therefore, the guarantees included in SCCs must be essentially equivalent to the level of protection guaranteed within the EU.
- Guarantees may need to be supplemented in cases where SCCs are deemed insufficient.
- Supplementing is allowed, as long as the provisions of the SCCs themselves are unchanged.
- If the protection guaranteed within the EU cannot be ensured when transferring data to another country – because SCCs could be breached or impossible to honor – then supervisory authorities must suspend or prohibit data transfers to the country concerned.
- SCCs need to be reviewed to provide further safeguards.
Schrems II case summary: Privacy Shield
Although the main focus of the Schrems II case was always on SCCs – and the case was filed before the GDPR came into force – the CJEU assessed the validity of the EU–U.S. Privacy Shield adequacy decision made in July 2016 and found fault with it.
The court ruled the Privacy Shield was invalid because:
- The Privacy Shield does not meet the standards of an essentially equivalent level of protection.
- It does not guarantee the fundamental rights to privacy and data protection of EU citizens when their data is transferred to the U.S. from the EU.
- The legislation related to U.S. Government surveillance programs is too wide and vague: it does not provide clear and precise rules governing the scope and application of the measure in question.
- The court decided the risk of bulk collection and/or over-collection of personal data is too large.
- There are no minimum safeguards to effectively protect personal data against the risk of abuse. EU case law makes such safeguards a requirement, especially regarding the circumstances and conditions under which surveillance may be used.
- EU authorities cannot effectively protect personal data transferred to the U.S. because it is outside their jurisdiction.
- Individuals in Europe must be able to pursue legal remedies to get access to their personal data or ask for their data to be corrected or erased.
- However, Europeans’ right to redress relies on the ombudsperson (a mechanism created by the European Commission and the U.S. administration) to oversee data originating from the EU processed by the U.S. intelligence and security services.
- The court ruled the ombudsperson cannot fix the deficiencies of effective redress because it is a political commitment to correct any violation, without an underlying legal obligation.
- There is no cause of action open to EU citizens following a decision from the ombudsperson.
The court also provided important guidelines to assess the national security legislation in other countries.
The legislation must be sufficiently clear, detailed and foreseeable for an individual to understand what might happen to their data once it is used for national security purposes (even if that was not the intention of the data transfer).
Timeline of EU–U.S. data transfer rules proposed after the Schrems II decision
The Schrems II decision triggered several major reviews of the SCCs, aiming to strengthen the data privacy rights of EU citizens and establish a new agreement on data transfer between the U.S. and the EU.
Recent key dates include:
- November 10, 2020 – the European Data Protection Board (EDPB) releases its supplementary measures recommendations.
- November 12, 2020 – the European Commission publishes a draft of revised SCCs for public comment, accompanied by a joint statement by the EDPB and the European Data Protection Supervisor.
- June 4, 2021 – the European Commission issues modernized SCCs under the GDPR for data transfers from controllers or processors in the EU to controllers or processors outside the EU. It also allows an 18-month transition period for controllers and processors using older SCCs.
- March 25, 2022 – the European Commission and the U.S. announce an agreement in principle on a new Trans-Atlantic Data Privacy Framework, which would allow EU citizens to bring cases of data privacy violations to a new Data Protection Review Court.
- October 7, 2022 – U.S. President Biden releases his Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities to implement the EU–U.S. Trans-Atlantic Data Privacy Framework, which would adopt new U.S. intelligence-gathering privacy safeguards.
Stay Up to Date with Evolving International Data Privacy Standards
TrustArc is committed to keeping you up to date with the evolving international standards for data privacy.
As the pioneer in enterprise privacy certifications, our experts regularly share insights on the impact of privacy laws, including recommended actions to ensure ongoing compliance.
Organizations interested in maintaining demonstrable compliance while the EU–U.S. regulators make clarifications can verify their privacy program practices via the TRUSTe International Privacy Verification Program.
Demonstrate to customers and regulators that you are continuing to protect data in the way Privacy Shield intended.