Schrems II: court upholds supremacy of GDPR but demolishes EU-US Privacy Shield

The decision could impact how EU users’ data is transferred to the US, Brexit UK and all other non-members of the 27-country bloc.

The ruling follows a legal battle started in 2013 by Austrian privacy activist Max Schrems who lodged a complaint with the Irish Data Protection Commissioner about use of his data that Facebook transferred to its servers in the United States. He argued US law did not offer sufficient protection against state surveillance.

Following a CJEU ruling in 2015 that the then Safe Harbour Agreement was invalid and did not adequately protect European citizens, companies operating in Europe switched to standard contractual clauses (SCCs) to ensure they could still move data across the Atlantic. The EU and US also developed the Privacy Shield mechanism to replace Safe Harbour.

In this week’s ruling, for what has been dubbed the Schrems II case, the court said SCCs were a valid way to transfer data but the CJEU invalidated Privacy Shield. 

Mr Schrems said in an updated blog post on 17 July: “The CJEU has made it clear in its ruling that even within the SCCs a data flow must be stopped if a US company falls under this surveillance law. This applies to practically all IT companies (such as Microsoft, Apple, Google or Facebook) that all fall under FISA 702. Just because there is this “stop” within the SCCs that makes it impossible to use them in such cases, the SCCs were not declared invalid. The statement that a data flow to the USA under the SCCs remains legal is therefore wrong. This would only be possible if a US company is not subject to any monitoring laws. Consequently this is also not a “half win”, as 100% of the outsourcing that may be subject to US surveillance is not allowed – no matter if under Privacy Shield or SCCs.”

Announcing its decision the court said: “[It] considers, first of all, that EU law, and in particular the GDPR, applies to the transfer of personal data for commercial purposes by an economic operator established in a member state to another economic operator established in a [non-member] third country, even if, at the time of that transfer or thereafter, that data may be processed by the authorities of the third country in question for the purposes of public security, defence and state security.

“The court adds that this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR.”

The statement went on: “Data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”

The CJEU also specified DPAs in EU countries are required to suspend or prohibit transfer of personal data to a third country where they consider standard data protection clauses are not or cannot be complied with in that country, and protection of the data as required by EU law cannot be ensured by other means.

On the question of surveillance, the court said: “Limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

Schrems said: “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market…

“As the EU will not change its fundamental rights to please the NSA [National Security Agency], the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”

Schrems also said the court decision means all DPAs in the EU “have a duty to take action” and ensure the GDPR is fully enforced “and [they] cannot just look the other way.”

Consensual data flows and those required for matters like contracts can continue across the Atlantic, under Article 49 of the GDPR, he added.

“The court explicitly highlighted that the invalidation of the Privacy Shield will not create a ‘legal vacuum’ as crucially necessary data flows can be still undertaken. The US is now simply put back to an average country with no special access to EU data,” he said.

Jacob O’Brien, a lawyer at Brandsmiths told PrivSec: “A lot of experts have long criticised the Privacy Shield framework as being unsatisfactory. The decision in Schrems has confirmed what a lot of people have long suspected, and it will have very significant consequences for controllers of data within the EU. A huge number of businesses rely on Privacy Shield to ensure the smooth transfer of personal data to the US. 

“These businesses will now need to investigate alternative methods for transferring data in a lawful way. The significant financial cost associated with seeking alternative methods for transferring data is just one part of the issue that has now been created for businesses, the process management and additional labour resource to implement and manage the change could be a more significant impact on the business.”